Slashdot Mirror


No JavaScript Needed For New Adobe Exploits

bl8n8r writes "More woes for Adobe as a security firm creates a proof-of-concept attack that injects malicious code as part of the update process. The user only needs to click a dialog box to execute the code and no JavaScript is needed to launch the exploit. The exploit affects Foxit as well as Adobe Acrobat software. This exploit is made possible through the host software allowing execution of system binaries. Not clear if it's multi-platform, but seems plausible."

187 comments

  1. Linux is vulnerable too by sopssa · · Score: 3, Informative

    Since it's part of the PDF specs, it should work in Linux too. What's even worse than with Windows is that since 'rm' is just a normal binary the PDF can launch that, and if you run as root privileges, just issue a command like "rm -rf /". If you don't run as root, then for example Ubuntu should give you the sudo box to input password to. This of course being just one of the examples it could do. Remember that most malware doesn't even need root access to function.

    Another reason why it would be even more serious on Linux is the way you can pipe commands and how most systems come pre-packaged with a ton of little utility apps. You can create the whole malware with a series of commands, or wget a bash script from the internet and start that to hide even more malware in the system. Since most Linux systems don't even have the kind of application firewalls or antiviruses that Windows does, and because the Internet accessing is actually done via wget, they don't even get any kind of a "Give internet access to this application?" dialog.

    It also doesn't help at all that most Linux users (especially those who are told so by the geeks!) believe that Linux cannot get malware. In my opinion this is a really stupid thing to do from those promoting Linux or Mac OS X as it will just lead to a false sense of security.

    1. Re:Linux is vulnerable too by headkase · · Score: 2, Interesting

      Runs with the same privileges as the parent program. So it can kill my home folder, not "rm -rf /" And like every other security hole found so far it will be written out. Considering they all get written out the fair comparison would be comparing number and severity of vulnerabilities by platform. If it can't boot after a vulnerability is exploited or you can't remove it within 30 minutes then have it count doubly so.

      --
      Shh.
    2. Re:Linux is vulnerable too by Monkeedude1212 · · Score: 0

      I was under the impression Most Linux users have also abandoned the PDF.

    3. Re:Linux is vulnerable too by Anonymous Coward · · Score: 0

      Unless somehow xpdf is "infected" with the stupidity that a PDF can execute other things, which I seriously doubt, I'm in no danger.

    4. Re:Linux is vulnerable too by caffeinemessiah · · Score: 4, Informative

      Maybe you should actually, you know,...use Linux before you attempt to troll about security.

      What's even worse than with Windows is that since 'rm' is just a normal binary the PDF can launch that, and if you run as root privileges, just issue a command like "rm -rf /". If you don't run as root, then for example Ubuntu should give you the sudo box to input password to. This of course being just one of the examples it could do. Remember that most malware doesn't even need root access to function.

      Nobody uses the root account in Linux for everyday activity. In Ubuntu, root login is even disabled by default (you have to sudo). So no worries about the system in general. Although it's pretty devastating to issue a "rm -rf ~" to delete the user's home directory, it's on par with Windows. Then you say that most malware doesn't even need root access to function, but on all the millions of XP boxes out there, it's already given root access by default.

      Another reason why it would be even more serious on Linux is the way you can pipe commands and how most systems come pre-packaged with a ton of little utility apps. You can create the whole malware with a series of commands, or wget a bash script from the internet and start that to hide even more malware in the system.

      Windows has a pipe function too, in addition to being able to zoink your whole file system with a simple "del". It also comes with ftp and telnet, which are handy replacements for wget. In short telnet+response file = download an .exe from the web = any sort of functionality you might want using Unix command line tools.

      Your comment, sir, is vapid.

      --
      An old-timer with old-timey ideas.
    5. Re:Linux is vulnerable too by sopssa · · Score: 4, Informative

      If it can't boot after a vulnerability is exploited or you can't remove it within 30 minutes then have it count doubly so.

      The days when malware's purpose was to trash the system to an unbootable state have been over for 15 years. Nowadays you don't really even notice them being on your machine unless it's one of those which show fake virus alerts. How would you notice if it just starts sending spam or sniffing your passwords?

      Another point is that you can fairly easily hide in a Linux system. If you absolutely need root access, there have been serious privilege escalation exploits over the years. Most of the Linux systems aren't even necessarily being patched consistently. I've seen one of these privilege exploits used on many hosting companies that usually keep their systems up to date and secure too. That beside the point that it's not usual that you even need root access.

    6. Re:Linux is vulnerable too by Voulnet · · Score: 1

      So it's about time Linux users get down to earth and learn "It's not the system, it's the user" the hard way?

    7. Re:Linux is vulnerable too by Lunix+Nutcase · · Score: 1

      Except that it has been shown to not work on other PDF readers than Acrobat.

      The exploit affects Foxit as well as Adobe Acrobat software.

    8. Re:Linux is vulnerable too by sopssa · · Score: 1

      Except that it has been shown to not work on other PDF readers than Acrobat.

      Did you even read the two-line summary?

      The exploit affects Foxit as well as Adobe Acrobat software.

      And that's the only software tested with. It's part of the PDF specs, so it's likely other PDF readers are affected too.

    9. Re:Linux is vulnerable too by Voulnet · · Score: 1

      No one is saying Linux is about as secure as XP, but the OP is saying that because of the spreading culture among many Linux users that there is no way they can get malware, this type of attack might easily fly under the radar. No need to compare to XP because we all know it's not a fair comparison!

    10. Re:Linux is vulnerable too by sopssa · · Score: 1

      "del" is a Windows command, not an application. It doesn't work the same way.

      Also I know that most Linux users don't run as root - but just like with Windows, some people do it for convenience. Yes, there really are such people.. even I don't always su out of root even if some command between what I'm doing doesn't require root.

    11. Re:Linux is vulnerable too by Anonymous Coward · · Score: 0

      Still trolling your pro-Microsoft tripe, eh sopssa? Grow up.

    12. Re:Linux is vulnerable too by headkase · · Score: 1

      even I don't always su out of root even if some command between what I'm doing doesn't require root

      So how does this Adobe flaw get access to your root terminal to continue issuing commands? And if you are running your desktop session as root you are an idiot. Ubuntu doesn't even have root, it has sudo, and if you want to enable the root account ("sudo passwd root") you have to go out of your way to make your system insecure. The fact is that unlike Windows, Linux programs are written to not require root. If you get an escalation prompt anywhere you didn't ask for it then that is proof enough that something nefarious is at work. The system is only as secure as you but by default Linux is more secure than Windows. You are free to move about from there.

      --
      Shh.
    13. Re:Linux is vulnerable too by Nick+Number · · Score: 1

      In short telnet+response file = download an .exe from the web = any sort of functionality you might want using Unix command line tools.

      This is a minor point, as there are plenty of other malicious things you can do with a command line, but the built-in Windows telnet client doesn't support response files.

      --
      Promote proofreading. Don't mod up sloppy posts.
    14. Re:Linux is vulnerable too by Anonymous Coward · · Score: 0

      Remember that most malware doesn't even need root access to function.

      [citation needed]

      Nice try TripMasterFucktard. The vast majority of currently circulating viruses/malware requires Administrator privileges. But hey, don't let facts get in the way of your psychotic Microsoft shilling.

      Carry on fucktard.

    15. Re:Linux is vulnerable too by Anonymous Coward · · Score: 0

      Sorry, Linux has plenty of problems but sopssa doesn't know what he's talking about. His points about Windows are equally retarded, and it's clear that he doesn't know the first thing about security or how malware is written for either platform.

    16. Re:Linux is vulnerable too by gzipped_tar · · Score: 1

      If Linux has made malware creation easier, it has also made defense against them easier too. For example, a simple SELinux policy change should nix this kind of exploit without forcing the PDF application to not follow the (shitty) standard and refuse to /launch things. Launch all you want, and just see them intercepted by SELinux mandatory access control.

      Or if you're feeling geeky, do it in your sandbox. http://www.linux-magazine.com/Online/News/SELinux-Sandbox-for-Untrusted-Programs

      --
      Colorless green Cthulhu waits dreaming furiously.
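An added example, not part of the thread or of any project named in it: a triage check for the /Launch action discussed above, which also undoes `#xx` name escapes and inflates Flate streams so the action cannot hide inside an object stream. The sample fragments and their `/F` and `/P` operand values are constructed for illustration.

```python
import re
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)
NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
# An action dictionary whose subtype (/S) is Launch.
LAUNCH_RE = re.compile(rb"/S\s*/Launch(?![A-Za-z0-9])")
# Literal-string operands of /F (file to launch) and /P (parameters).
OPERAND_RE = re.compile(rb"/(F|P)\s*\(((?:\\.|[^\\()])*)\)")


def normalize_names(data: bytes) -> bytes:
    """Undo #xx escapes so that /La#75nch compares equal to /Launch.

    Escapes are only meaningful inside PDF names; applying the substitution to
    the whole buffer over-approximates, which is acceptable for triage.
    """
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def searchable_views(pdf: bytes):
    """Yield (label, bytes) for the raw file and for every stream that inflates."""
    yield "file body", pdf
    for index, match in enumerate(STREAM_RE.finditer(pdf)):
        try:
            yield f"stream {index}", zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not Flate-encoded, or encrypted: nothing to search


def find_launch_actions(pdf: bytes, window: int = 300):
    """Return one finding per /Launch action, with nearby /F and /P operands."""
    findings = []
    for label, view in searchable_views(pdf):
        view = normalize_names(view)
        for match in LAUNCH_RE.finditer(view):
            context = view[max(0, match.start() - window): match.end() + window]
            operands = {"F": [], "P": []}
            for key, value in OPERAND_RE.findall(context):
                operands[key.decode()].append(value.decode("latin-1"))
            findings.append({"where": label,
                             "file": operands["F"],
                             "params": operands["P"]})
    return findings


# Constructed fragments (not complete PDF files), for demonstration only.
SAMPLE_OBFUSCATED = (
    b"1 0 obj\n<< /Type /Action /S /La#75nch\n"
    b"   /Win << /F (example.exe) /P (constructed-argument) >> >>\nendobj\n"
)
_HIDDEN = b"<< /S /Launch /F (viewer-helper) >>" + b" " * 64
SAMPLE_COMPRESSED = (
    b"5 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(_HIDDEN)
    + b"\nendstream\nendobj\n"
)
SAMPLE_CLEAN = b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"

if __name__ == "__main__":
    for name, sample in (("obfuscated", SAMPLE_OBFUSCATED),
                         ("compressed", SAMPLE_COMPRESSED),
                         ("clean", SAMPLE_CLEAN)):
        print(name, find_launch_actions(sample))
```

A hit is a reason to quarantine or inspect the file, not proof of malice; an empty result does not clear a file whose streams are encrypted or use a filter other than Flate.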
    17. Re:Linux is vulnerable too by yossarianuk · · Score: 1

      But it only affects the official Adobe browser which no one with half a brain would be using in the first place (as faster/ lower memory and secure apps are bundled with gnome/kde)

    18. Re:Linux is vulnerable too by sopssa · · Score: 2

      I suspect it uses normal exec(), just like it works in every other program.

      Almost any Windows program doesn't require root/admin nowadays, and if they do, it's for a reason. You can't really compare to Windows 98 and the programs from that age. If we go that route, we might as well start digging the hundreds of privilege escalation and remote exploits that Linux in its history has had.

      You also don't need to run the whole desktop as root. You can launch Firefox by typing "firefox" in terminal (either in text-mode terminal, or the terminals in X), if it just has a desktop to connect to. This is how you start applications to a remote X desktop like Xming too.

    19. Re:Linux is vulnerable too by EvanED · · Score: 1

      "del" is a Windows command, not an application. It doesn't work the same way.

      You can still run cmd /k "del /S /Q C:\".

    20. Re:Linux is vulnerable too by The+MAZZTer · · Score: 1

      I'm not sure how he thinks rm is a normal binary but rmdir.exe isn't...

    21. Re:Linux is vulnerable too by munrom · · Score: 1

      "del" is a Windows command, not an application. It doesn't work the same way.

      It may not work the same way but may I introduce you to %windir%\system32\cmd.exe -C del /F /S /Q C:\*, it's just as deadly to a system.

      Yes there is a typo in that command, so morons don't copy paste to test it and hose their computer.

    22. Re:Linux is vulnerable too by dAzED1 · · Score: 1

      there is absolutely, positively, no one that "do[es] it for convenience" with any distro released in the last bloody decade that has any statistically relevant user base. Every little tool along the way would complain about you being root, nagging you until the easiest thing to do is to just log in as a regular user.

    23. Re:Linux is vulnerable too by EvanED · · Score: 1

      The vast majority of currently circulating viruses/malware requires Administrator privileges.

      Only 'cause the malware is as poorly written as many applications, or it requires admin privileges to spread. If you remove the latter requirement (e.g. by exploiting holes in PDFs), then there's no reason that the malware would need admin rights.

    24. Re:Linux is vulnerable too by sopssa · · Score: 1

      But SELinux is pain in the ass and generally disabled on every desktop oriented Linux distro like Ubuntu. I also doubt any casual users will go (or even know about) some SELinux policy change. Windows has the same kind of tools and settings available, so it all boils down to how knowledgeable the user is about security. The choice of OS can't really help much with that.

    25. Re:Linux is vulnerable too by gmuslera · · Score: 1

      Usually you don't use those linux servers on hosting companies as desktops where you run acrobat reader. And desktops/notebooks/etc are usually more frequently updated (both as using new distributions or with patches available in the case you prefer to stick with a non latest version).

      But anyway, you don't need root access to do most of what botnets/spambots do; plain user access is bad enough. And targeted attacks could access most of what the user does without needing to go root either.

    26. Re:Linux is vulnerable too by weicco · · Score: 1

      As already said, malware doesn't need to run as root or Administrator.

      But then it comes to sudo prompt / UAC. How are you going to educate old granny not to enter root/admin password when OS asks for it unless there is a valid need for it? Heck, I've been playing and working with computers (C64, C128, Amiga, PC Windows/Linux/BSD, Sparc/Solaris etc. etc.) for 25 years now and even I can't always tell when UAC (yes, I'm using Vista currently) prompt is valid or not! Just yesterday some Java-piece-of-crap asked for admin privileges all of a sudden and I said heck no. My dad for instance would have entered the password without even thinking about it. My wife too but I haven't told her the password, which brings some social issues to the picture also...

      "by default Linux is more secure than Windows" - Oh, for heaven's sake. Linux is by default more secure so we don't need to worry about this Adobe exploit? I would worry about it even if I were using OpenBSD!

      --
      You don't know what you don't know.
    27. Re:Linux is vulnerable too by headkase · · Score: 1

      The fact remains and is insoluble right now that Windows allows root access more easily than Linux. You have to go out of your way to be root on Linux, XP (a very common operating system still in use) gives you root as a matter of course. And you can compare XP and Linux because both are commonly used right now. Vista will elevate on a whim and I'm sure 7 would too, at least with Linux when something tries to elevate you wonder why where with Windows you'd be right the majority of the time just assuming it was written for XP (if you're even not root) and allowing it blindly.

      --
      Shh.
    28. Re:Linux is vulnerable too by Anonymous Coward · · Score: 0

      Also I know that most Linux users don't run as root - but just like with Windows, some people do it for convenience. Yes, there really are such people...

      So, every Linux user except for a handful of idiots doesn't run as root. The vast majority of Windows users run as root. Ah, yes, I see what you meant when you said it's "just like Windows".

      For the obligatory car analogy, every car ever made is as dangerous as the Ford Pinto, when you put a few hundred pounds of explosives in the trunk. Yes, there really are people who do that...

    29. Re:Linux is vulnerable too by gzipped_tar · · Score: 2, Insightful

      > so it all boils down to how knowledgeable the user is about security

      But you're the one who brought up this "Linux makes creating malware handier and stealthier" argument, and you're now resorting to the same old, tiring "user incompetence" excuse?

      And did you just pull that argument from your ass, or have you actually worked on malware on Linux, Windows and Mac OS X and compared them before making that post?

      And yes, some people are creating a false sense of security around Linux. But aren't you creating a false sense of threat as well?

      It is not Linux that has made malware more threatening. Incompetent design (like this) and poor programming practice have made malware possible, on all platforms, and now the popularity (or rather, low cost) of incompetent design and poor programming is making it rampant.

      But next perhaps someone will tell me that Linux is doomed because most distros ship gcc and gdb by default and they're used to create malware.

      --
      Colorless green Cthulhu waits dreaming furiously.
    30. Re:Linux is vulnerable too by Volante3192 · · Score: 1

      They do? Then why is it I have to regularly cleanup malware on user accounts that are not running as admin?

      (Fortunately, the cleanup is nice: log in under another restricted user account, elevate, copy over their docs and desktop, then blow out their profile folder entire. It's beautiful.)

    31. Re:Linux is vulnerable too by LordLimecat · · Score: 1

      You have to go out of your way to be root on Vista and 7, so I'm not sure what your point is.

    32. Re:Linux is vulnerable too by LordLimecat · · Score: 1

      It also affects PDF X-change, tho with a prompt

    33. Re:Linux is vulnerable too by 0123456 · · Score: 1

      But SELinux is pain in the ass and generally disabled on every desktop oriented Linux distro like Ubuntu..

      SELinux works fine in Redhat, at least to the extent that I've used it.

      However, Ubuntu has Apparmor instead, and I believe they use it to wrap the PDF viewers by default. So even if this exploit works with some Linux PDF viewer it will probably not be allowed to execute arbitrary application files or modify arbitrary disk files on Ubuntu... making it far less effective.

    34. Re:Linux is vulnerable too by Anonymusing · · Score: 1

      I really don't care about the rest of your comment (one way or t'other), but "Your comment, sir, is vapid" ought to earn you a few thousand mod-ups. Thank you.

      --
      Liberal? Conservative? Compare perspectives at Left-Right
    35. Re:Linux is vulnerable too by shutdown+-p+now · · Score: 1

      "del" is a Windows command, not an application. It doesn't work the same way.

      Do you mean "cmd.exe command"? It's true, but what does it matter, if you can just do "cmd.exe /c del /s /q c:\*.*", and get the same effect?

    36. Re:Linux is vulnerable too by shutdown+-p+now · · Score: 1

      Since it's part of the PDF specs, it should work in Linux too. What's even worse than with Windows is that since 'rm' is just a normal binary the PDF can launch that, and if you run as root privileges, just issue a command like "rm -rf /".

      In Windows, the PDF can launch cmd.exe, passing it the commands to execute as parameters (with /c), so nothing changes.

      ... if you run as root privileges, just issue a command like "rm -rf /". If you don't run as root, then for example Ubuntu should give you the sudo box to input password to.

      Have you ever actually used Ubuntu?

      No, you won't get a sudo box if you run "rm -rf /" on an account which doesn't have permission. You'll get "permission denied", exactly the same as if you'd try "rmdir /s C:\Windows" from non-admin in Windows.

      There's no auto-elevation, neither in Windows nor in Unix. The program has to be explicitly coded to request the OS service (UAC or gksudo) to pop up the confirmation dialog, when it believes that it needs it. Command-line tools, obviously, don't do that.

      Another reason why it would be even more serious on Linux is the way you can pipe commands and how most systems come pre-packaged with a ton of little utility apps. You can create the whole malware with a series of commands, or wget a bash script from the internet and start that to hide even more malware in the system.

      Well, Windows 7 comes with PowerShell out of the box, which allows for a single command line that runs a script that has full access to all .NET Framework classes. This means things such as System.Net namespace, and specifically WebRequest class to download stuff over HTTP & FTP, and SmtpClient class to conveniently send mail.

      It really is a pointless distinction. The moment you can run an arbitrary command line using an exploit is the moment you can completely pwn the exploited system, on practically any OS.

    37. Re:Linux is vulnerable too by shutdown+-p+now · · Score: 1

      Nobody uses the root account in Linux for everyday activity. In Ubuntu, root login is even disabled by default (you have to sudo). So no worries about the system in general.

      There is actually one way in which this can potentially be more harmful in Linux than in Windows, although GP missed that one (for all the invented stuff that he came up with). The problem is that sudo caches your credentials for a certain period of time (5 minutes by default, IIRC) after you use it for a given user account. So, if you use sudo to run something that needs it, and then exit that application, and then some malware does exec sudo shortly after, it will quietly get root.

      You can disable this by setting the timeout to 0, of course, it's just that the default setting is not quite secure. Of course, this is pretty hard to exploit deliberately, so it's more a matter of luck (opening a PDF with exploit at the wrong moment). Windows UAC doesn't have this problem, as it doesn't have any caching - it will always pop up the elevation prompt.

      The reason for this, so far as I know, is because sudo has to ask you for the password whenever elevation is needed, and it was considered to be a severe inconvenience to have to input it every time when running a series of commands that need elevation - supposedly, the user already communicates the intent to elevate clearly by typing "sudo".

      Windows, on the other hand, has a special group for people who can elevate without typing a password (which is where the default user account in a newly installed system is put), though it still requires user interaction (clicking "Yes, I do want to elevate" in a dialog), so that malware cannot quietly elevate behind user's back - so there's no inconvenience associated with retyping the password there, and the timeout isn't needed.

      I'm actually wondering why Linux (at least user-friendly distros, such as Ubuntu) doesn't adopt the Windows UAC approach - it seems to be more straightforward to me, and not any less secure (maybe even more so, since it disposes with sudo caching).

    38. Re:Linux is vulnerable too by nuckfuts · · Score: 1

      Windows... comes with ftp and telnet...

      Telnet is not available by default in Windows Vista and Windows 7, but can be enabled via "Control Panel" > "Programs and Features" > "Turn Windows features on or off".

    39. Re:Linux is vulnerable too by robmv · · Score: 1

      It is easy to get access to root even when you have only access to an unprivileged user: change the user PATH in .bash_profile (for example), put a wrapper sudo or su in one of the directories added to the PATH, then you will get access to the root password or access to sudo if you fake it enough so the user believes they are using the real one. Only if home directories were mounted noexec by default could this not work. I remember how people got users' passwords at my college just by running a fake login prompt on the laboratory terminals.
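An added example, not from the thread: a defensive check for the PATH trick described in the comment above, reporting when `sudo` or `su` would resolve first from a directory that someone other than root can write to. The function names and the `trusted_uids` parameter are assumptions made for this sketch.

```python
import os
import stat

# Commands a wrapper would impersonate, per the comment above.
WATCHED = ("sudo", "su")


def first_hit(name, path):
    """Return the file a shell would run for `name` under this PATH, or None."""
    for directory in path.split(os.pathsep):
        # An empty PATH entry means the current directory.
        candidate = os.path.join(directory or ".", name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def dir_is_untrusted(directory, trusted_uids=(0,)):
    """True if an account outside `trusted_uids` could plant files here."""
    st = os.stat(directory)
    loosely_writable = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    return st.st_uid not in trusted_uids or loosely_writable


def audit_path(path, watched=WATCHED, trusted_uids=(0,)):
    """List (command, resolved_file) pairs whose first match sits in an untrusted directory."""
    findings = []
    for name in watched:
        hit = first_hit(name, path)
        if hit and dir_is_untrusted(os.path.dirname(hit) or ".", trusted_uids):
            findings.append((name, hit))
    return findings


if __name__ == "__main__":
    for name, hit in audit_path(os.environ.get("PATH", "")):
        print(f"WARNING: '{name}' resolves to {hit}, "
              "in a directory that is not root-only")
```

Run it from the account being checked, after its login scripts have set PATH; a finding means the command is being shadowed ahead of the system copy and the directory and shell profile deserve a look.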

    40. Re:Linux is vulnerable too by Anonymous Coward · · Score: 1, Interesting

      In Ubuntu, root login is even disabled by default (you have to sudo).

      The difference between root login and a non carefully restricted sudo setup (which is the default on Ubuntu installs), is virtually meaningless.

    41. Re:Linux is vulnerable too by Threni · · Score: 1

      People thinking Linux is secure doesn't make it more prone to malware. Computer programs don't care what you think about them, or other programs.

    42. Re:Linux is vulnerable too by icebraining · · Score: 1

      The way I've seen to download files was to use tftp.exe.

    43. Re:Linux is vulnerable too by jank1887 · · Score: 1

      just curious, what version of PDF did this become default behavior? Sounds like it's time to roll PDF back a few versions. I can live without active PDF content and fillable forms that remember my previous text input.

    44. Re:Linux is vulnerable too by Kitkoan · · Score: 1

      Linux may be vulnerable too, if you're running the Linux version of Adobe Reader which you would have to go out and get on your own. Every version of Linux I have tried has an open source PDF reader that isn't Adobe's. As for the Firefox exploit, FTA it states that the Firefox must be running the addon Foxit and I'm not sure how common that is.

      Though I highly agree with you that Linux users shouldn't believe that Linux can't get malware. It's more unlikely of the 3 major OS's (Windows, OSX, Linux), but that doesn't make it impossible.

      --
      Attention... all grammer nazi"s! Is they're anything; wrong with: my post,
    45. Re:Linux is vulnerable too by randallman · · Score: 1

      Since most Linux systems don't even have the kind of application firewalls or antiviruses that Windows does, and because the Internet accessing is actually done via wget, they don't even get any kind of a "Give internet access to this application?" dialog.

      These things slow your computer down and make using applications annoying. They exist on Windows because of the massive problem of malware on Windows. They do not exist on Linux because in general, malware on Linux is not a problem. You can speculate as to why, but that's the way it is. Where real problems exist with Linux, like rootkits, solutions exist (e.g. chkrootkit). If viruses and such get to be a problem, solutions will appear. At the moment virus scanners and outgoing firewall prompts are not needed on Desktop Linux and are a hindrance to usable computing. I think your post is FUD.

    46. Re:Linux is vulnerable too by h4rr4r · · Score: 1

      If you run a pdf reader app as root you deserve what you get.

    47. Re:Linux is vulnerable too by reub2000 · · Score: 1

      What? I frequently convert openoffice and latex files to pdf on linux.

    48. Re:Linux is vulnerable too by idontgno · · Score: 1

      Of course programs care what you think of them. (Or stepping away from gratuitous and confusing anthropomorphizing, the authors of such software care.)

      Trojans and other automated social engineering depend on projecting trustworthiness; i.e., that the user thinks the software is both reliable and desirable. If user perceptions of software didn't matter, malware wouldn't try to trick users. They'd just say "click here to get pwned".

      Until Chuck Norris manifests himself as malware, what users think of software will continue to directly influence its effectiveness.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    49. Re:Linux is vulnerable too by thuerrsch · · Score: 2, Informative

      Well said. Also don't forget that Evince, the default pdf viewer in Gnome and in Ubuntu, is immune to this exploit, as confirmed by several comments on Didier Stevens' original announcement.

      So here we have another good reason not to use Acrobat Reader on Linux (or on anything else, for that matter), but also not to trust closed-source alternatives like FoxIt. Evince is fast, efficient, easy to use, has all the necessary features, nothing more, nothing less. And hey, there's even a Windows version!

      --
      most of what follows is true
    50. Re:Linux is vulnerable too by randallman · · Score: 1

      Virus scanners and outgoing firewalls are a crummy way to handle these threats. Linux handles them in a better way

    51. Re:Linux is vulnerable too by afidel · · Score: 1

      tftp is non-routed so that won't do you much good for getting malware on a machine.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    52. Re:Linux is vulnerable too by Anonymous Coward · · Score: 0

      it can kill my home folder, not "rm -rf /"

      Is this your way of implying it's not a real problem on linux? If so you could hardly be more wrong. Who cares if the OS / program files get deleted? All that stuff is on about seventy squillion ftp sites. My own data, that, even if I have backup processes more rigorous than 95% of the population, is bound to have a few little bits and bobs that aren't backed up yet, and is irreplaceable? Big problem.

    53. Re:Linux is vulnerable too by Culture20 · · Score: 1

      Nobody uses the root account in Linux for everyday activity. In Ubuntu, root login is even disabled by default (you have to sudo).

      And since sudo usually caches creds, you might still be vulnerable; or you will be when the sleep-loop malware script sees a sudo in ps and sudos right in itself.

    54. Re:Linux is vulnerable too by Anonymous Coward · · Score: 0

      Evince is fast, efficient, easy to use, has all the necessary features

      Except the ability to scale down images using a not completely naive algorithm, or developers who would be able to fix an issue like this within a timeframe of four years.
      (http://bugs.freedesktop.org/show_bug.cgi?id=5589)

    55. Re:Linux is vulnerable too by nobodie · · Score: 1

      Sorry, but i agree. As ubuntu becomes ubiquitous it will become a target, as well as catching stray bullets from app malwares like this one. I hated the constant fuss with windows insecurity, one reason i left it (but not the main one) but i still carry that paranoia with me. Yes I have a firewalled router, file server and home network. Yes, i do run antivirus weekly and have never found a virus except in my virtualbox copy of windows. still, i know that there are sick puppies in the world and i backup weekly in two externals because bad shit does happen, frequently and most often when you least expect and can least afford it.

      --
      Subversion of spatial scale luxury decoration ideas.
    56. Re:Linux is vulnerable too by tokul · · Score: 1

      If you don't run as root, then for example Ubuntu should give you the sudo box to input password to.

      No, it does not. sudo box does not pop out every time you run command. It pops out when you call command with graphical sudo wrapper.

  2. Closing the vulnerability door - the easy way by Drakkenmensch · · Score: 0, Flamebait

    Is it any wonder that I uninstalled adobe reader entirely? Reading a lone pdf once in a while isn't worth having a massive security flaw exploitable with a no-click hacking trick.

    1. Re:Closing the vulnerability door - the easy way by commodore64_love · · Score: 1

      >>>Reading a lone pdf once in a while isn't worth having a massive security flaw

      If only that were true. I encounter a PDF at least once a day. Just an hour ago I was reading a PDF about my college homecoming. If it had been possible to get the information some other way, I would have, but they only provided the giant poster in PDF form. - And earlier this morning I encountered a PDF while looking for Lubuntu (lean ubuntu) information.

      So uninstalling a PDF Reader isn't really practical.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    2. Re:Closing the vulnerability door - the easy way by Anonymous Coward · · Score: 0

      Feed it through GMail and it will give you an HTML version. Email it to yourself if you need to.

      Not handy, and I don't even do it myself, but it is an option.

    3. Re:Closing the vulnerability door - the easy way by icebraining · · Score: 1

      Why? Just disable the PDF reader plugin, and download & open the files you actually need and trust. Or just install NoScript, which will disable *all* plugins until you explicitly click the frame to activate them.

      NoScript 3

    4. Re:Closing the vulnerability door - the easy way by Anonymous Coward · · Score: 0

      For the once a day viewing of web-based pdfs try Google Docs Viewer, which displays in-browser as html.
      The features are very limited, and it can be slow with some documents, but it's likely to be much safer.

      There's a Firefox extension of the same name which looks to put it as a right-click option, and gPDF which claims to automatically point all links at gdv. -Haven't tried either.

      Don't know if there's a good way to use it for local files (or from non-web email)?

  3. Solution by abigsmurf · · Score: 2, Interesting

    Have the dialogue control specify that you are potentially allowing the PDF to alter other documents (maliciously or otherwise).

    It's not exactly the first time a method of using social engineering to trick people has been part of a standard. Altering the status bar in JavaScript in order to aid phishing attacks was one.

    1. Re:Solution by Anonymous Coward · · Score: 0

      He says that he can control what the popup dialog displays.

    2. Re:Solution by Yvanhoe · · Score: 4, Insightful

      The attack requires the user of the computer to allow the code to be executed by agreeing to it via a dialog box. However, the attacker could at least partially control the content of the dialog box that appears to prompt the user to launch the executable and thus use social engineering to entice the computer user to agree to execute the malware, said Conway.

      Solution: stop accepting that documents should execute binaries in order to display properly.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    3. Re:Solution by abigsmurf · · Score: 1

      Which is why you ensure programs display a fixed message for (or in addition to) these dialogs so it's impossible to mislead the user.

    4. Re:Solution by Anonymous Coward · · Score: 0

      It's just PDF 2.0... You can't have 2.0 without executable code. If it doesn't move, it's so pre 2.0.

    5. Re:Solution by robot256 · · Score: 1

      It's just PDF 2.0... You can't have 2.0 without executable code. If it doesn't move, it's so pre 2.0.

      So, is this no longer a problem in France?

  4. Dupe Dupe by Nerdfest · · Score: 5, Informative

    I believe this exploit has already been patched in FoxIT, assuming this is the same exploit described here on SlashDot 2 weeks ago. Strangely, I haven't seen an update from Adobe ...

    1. Re:Dupe Dupe by sopssa · · Score: 2, Informative

      Yes, Foxit patched it last week. It uses the same technique so the Foxit patch should work, but this new "exploit" just takes it a bit further in that the malware can be embedded in the PDF file.

    2. Re:Dupe Dupe by lahvak · · Score: 1

      I am not completely sure, as I don't use Foxit, but if I remember correctly, the problem with the last exploit on Foxit was that it executed the binary without a dialog box. Adobe Reader asked the user to confirm with a dialog box. In my opinion something like that is not a vulnerability, so Adobe had nothing to patch.

      --
      AccountKiller
    3. Re:Dupe Dupe by phayes · · Score: 4, Informative
      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    4. Re:Dupe Dupe by Anonymous Coward · · Score: 0

      This was a vulnerability in Foxit. Adobe Reader never had the vulnerability so it had nothing to patch. Title is misleading.

  5. Re:Drop it like the disease it is by abigsmurf · · Score: 4, Informative

    You clearly didn't read the article or even the summary. This exploit affects Foxit too. It's an exploit of the PDF standard itself

  6. Re:Drop it like the disease it is by Duradin · · Score: 1

    Doesn't the summary mention that Foxit is vulnerable to it as well?

    "The exploit affects Foxit as well as Adobe Acrobat software."

  7. Microsoft to Blame by MyLongNickName · · Score: 1, Insightful

    As has already been pointed out, the worst this "exploit" can do is elevate to the same rights as the user. As anyone with a CS degree (or even any true IT experience) would know, these rights should be limited.

    Now, Microsoft has for DECADES pushed the paradigm of giving the user administrative rights. Sure, they are making solf half-hearted attempts now to change this. But they created an environment of 3rd party software relying on this full rights model... and it is biting us all on the butt.

    So, as usual, Microsoft is to blame.

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    1. Re:Microsoft to Blame by Anonymous Coward · · Score: 0

      and it is biting us all on the butt.

      Assuming "us all" means Windows users, yeah.

    2. Re:Microsoft to Blame by sopssa · · Score: 2, Insightful

      Most malware doesn't need root/admin access. It's only needed if you want to pwn or hack the server. Malware on the other hand runs just happily in userland too.

    3. Re:Microsoft to Blame by DIplomatic · · Score: 1

      As has already been pointed out, the worst this "exploit" can do is elevate to the same rights as the user. As anyone with a CS degree (or even any true IT experience) would know, these rights should be limited.

      Now, Microsoft has for DECADES pushed the paradigm of giving the user administrative rights. Sure, they are making solf half-hearted attempts now to change this. But they created an environment of 3rd party software relying on this full rights model... and it is biting us all on the butt.

      So, as usual, Microsoft is to blame.

      As anyone who checks /. (or has even been on the internet) would know, every time a vulnerability surfaces that affects Windows systems, the "M$ h8ers" come out of the woodwork.

      Now these teenagers have for DECADES pushed the paradigm that if not for Microsoft and Windows, there would be no viruses or exploits, and the computing world would be a carefree, happy, command-line pleasure paradise. Sure, they make half-hearted excuses about Windows's bloated codebase and its market penetration, and tech-un-savvy users. But every time I open a Slashdot article I have to slog through ignorant and off-topic comments blaming the big M for every botnet and script kiddie and Nigerian phisher.

      So, as usual, Linux is to blame.

    4. Re:Microsoft to Blame by Anonymous Coward · · Score: 0

      As has already been pointed out, the worst this "exploit" can do is elevate to the same rights as the user. As anyone with a CS degree (or even any true IT experience) would know, these rights should be limited.

      Yeah, "limited" to shitting on all my data, which is the one thing I care about. Every mainstream OS goes to a great deal of trouble to protect its own bits, which can be reinstalled, and does fuck all to protect *my* bits. BTW, I do have an excellent CS degree. And I know that Linux and Windows have basically the same security model and it sucks.

    5. Re:Microsoft to Blame by Abcd1234 · · Score: 1

      As has already been pointed out, the worst this "exploit" can do is elevate to the same rights as the user.

      Yeah, and then you're just a local privilege exploit away from being fully owned.

      And this is ignoring the fact that malicious users can do plenty with a non-privileged account (here's hoping you don't store any sensitive information unencrypted in your home directory).

    6. Re:Microsoft to Blame by EvanED · · Score: 1

      As has already been pointed out, the worst this "exploit" can do is elevate to the same rights as the user.

      Which, for single-user computers, says "the worst this 'exploit' can do is close to the worst thing possible".

    7. Re:Microsoft to Blame by shutdown+-p+now · · Score: 1

      Now, Microsoft has for DECADES pushed the paradigm of giving the user administrative rights.

      Since you're apparently unaware of the fact, this paradigm was a de facto standard on all home desktop OSes in the 90s. MacOS was not any different, and even Unix-like OSes that were explicitly desktop-oriented used root by default (e.g. BeOS).

    8. Re:Microsoft to Blame by Anonymous Coward · · Score: 0

      Care to back that up fucktard? I guess not. More blather pulled out of your ass eh?

  8. I wonder if Adobe Acrobat Reader 5.0 is affected. by Anonymous Coward · · Score: 0

    I wonder if Adobe Acrobat Reader 5.0 is affected.

  9. Google Docs by areusche · · Score: 2, Interesting

    Screw Adobe and other client side PDF readers. Am I vulnerable if I use Google's PDF viewer to view PDFs?

    1. Re:Google Docs by kipd · · Score: 1

      Nope, it has been executed server-side. We now have the Google botnet to worry about.

  10. Re:Drop it like the disease it is by Infiniti2000 · · Score: 0

    Really, throw that bloated, filthy piece of shitware to hell already and go with FoxIt.

    You can at least RTFS.

    The exploit affects Foxit as well as Adobe Acrobat software.

  11. Why is this shit coming up every week? by gzipped_tar · · Score: 1

    I mean, is yet another Adobe exploit story really that newsworthy? Next you'll post stories on /. index page saying that water is found to be wet as usual.

    --
    Colorless green Cthulhu waits dreaming furiously.
  12. Linux is more Secure than Windows by headkase · · Score: 3, Insightful

    Linux is a lot different than running as root all the time on Windows. My security updates are pushed to me as they are fixed, not even pushing up to a month of vulnerability to patch unlike some systems meant to make corporate IT admins happy. All popular Linux distributions have an updating function: you get your security patches and patches to everything else in your repositories a lot more consistently than Windows. To deny this shows unfamiliarity with Linux. That's even before you get into functions like SELinux and AppArmor which happen to be standard on my flavor. For everyone. This is also an Adobe bug, and doesn't affect most Linux PDF readers as far as I'm aware and even if it did I'd have a lot more faith that the Linux ones would be rendered immune more globally than the hodgepodge of updating (or lack of) systems on Windows. You're pointing the finger at Linux and saying: "You're vulnerable too!" But in the practical real world it is a case of not.

    --
    Shh.
    1. Re:Linux is more Secure than Windows by sopssa · · Score: 3, Insightful

      It's not an Adobe bug, it's a feature in the PDF specs that can be exploited with user stupidity. That's the point I've been trying to make, no OS unless it's completely locked down a la iPhone will protect you from user stupidity. Not Windows, not Linux, not BSD.

      Maybe Ubuntu pushes updates itself, but Debian, Fedora and CentOS don't. Not for me at least, and I haven't changed anything regarding that. If you want to update, you need to type in the yum update or apt-get update commands manually. And that's before we even get to programs or distros that have you compile them yourself and you have to make sure to periodically check them and keep them up to date.

    2. Re:Linux is more Secure than Windows by The+End+Of+Days · · Score: 2, Insightful

      You don't run as administrator in Windows anymore, either. Security updates are likewise pushed in windows. Windows has an updating function. Your statements all show unfamiliarity with Windows.

      This is not an Adobe bug, this is a vulnerability in the PDF spec. Readers not from Adobe have already been shown to be vulnerable.

      Linux is not immune, despite your specious claims.

    3. Re:Linux is more Secure than Windows by daveime · · Score: 1

      Why would any document markup language have an executable function at all ?

      And why, if this really is "part of the PDF spec", has every single PDF reader implemented this crazy functionality ?

      One time where "following standards" has fucked us all up I guess.

    4. Re:Linux is more Secure than Windows by headkase · · Score: 0, Troll

      You don't run as administrator in Windows anymore

      Try running most Windows XP software and see what happens.

      Security updates are likewise pushed in windows. Windows has an updating function

      My update-manager updates all my installed programs. Windows Update does Windows and Office, everything else is hodgepodge.

      Your statements all show unfamiliarity with Windows.

      I am very familiar with Windows, it is one of the reasons I switched to Linux.

      This is not an Adobe bug, this is a vulnerability in the PDF spec. Readers not from Adobe have already been shown to be vulnerable.

      It is present in Adobe Reader, it has already been patched out of FoxIt and it never existed in XPDF.

      Linux is not immune, despite your specious claims.

      Linux is not immune but the singular fact that you are not running as root mitigates a lot of possible damage.

      --
      Shh.
    5. Re:Linux is more Secure than Windows by commodore64_love · · Score: 1

      Puppy Linux runs on root, so it would be vulnerable.

      >>>doesn't affect most Linux PDF readers as far as I'm aware

      Good point.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    6. Re:Linux is more Secure than Windows by headkase · · Score: 4, Informative

      KPDF (now Okular) has specifically forbidden this behavior forever because it is a security risk. I use Okular myself so I am not vulnerable to this issue. Since it has been known so long to be a security issue in Linux-land why has Adobe allowed it so long? XPDF also is not vulnerable to this issue and so on. So it appears to be a tempest in a tea-cup for Linux and just another day on Windows.

      --
      Shh.
    7. Re:Linux is more Secure than Windows by sopssa · · Score: 2, Insightful

      Xpdf and Okular on Windows aren't vulnerable either.
      Adobe PDF Reader on Linux is vulnerable.

      This goes to show that it doesn't matter which the OS is, as it's mostly about software or user stupidity. Windows and Linux are on par in this, neither one is better than the other. There is SELinux for Linux which can mitigate the issue, but there are such tools and settings for Windows too. Not that any casual user will put up with those in either system.

    8. Re:Linux is more Secure than Windows by headkase · · Score: 1

      To say that Windows and Linux are on par for security borders on incredulous.

      --
      Shh.
    9. Re:Linux is more Secure than Windows by Anonymous Coward · · Score: 0

      Nearly all my software works on Windows XP as well (and doesn't run with admin privileges), does that count?

    10. Re:Linux is more Secure than Windows by Anonymous Coward · · Score: 0

      While avoiding all of his insightful arguments that you don't want to answer to? That doesn't make you any better.

    11. Re:Linux is more Secure than Windows by jawtheshark · · Score: 2, Informative

      Try running most Windows XP software and see what happens.

      I keep hearing this repeated ad infinitum. Since Win XP SP2, most software got adapted so it could run as Limited user. Even game developers got the message. The Sims 2 initially came out as "Admin only". That was patched within months when people complained.

      Anyway, even for non-behaving software, it is usually a matter of setting User-Write-Permissions on the folder of the misbehaving application. If that doesn't help, set User-Write-Permission to the subkey the application created in HKEY_LOCAL_MACHINE. Fixes 99% of the applications. If anyone bothered, this could be automated with a script or an application that has a database with known misbehaving applications and the necessary fixes. If people can make something like "the PC decrapifier", this should be feasible too.

      Anyone with a remote clue can run Windows XP entirely as Limited User (for day to day operations, of course).

      Only slightly related: this is why removing the Security tab in the Home Version of XP was a bad idea. I know there was a way to install it again, but I never found it back.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    12. Re:Linux is more Secure than Windows by headkase · · Score: 1

      Linux build from 8 years ago? XP is still widely in use so it is fair to mention it, the average Linux build on a home computer (the target of this attack - servers have no need for Adobe Reader) are well newer than 8 years! I guess having Free updates to newer versions makes it a lot easier to stay current. His second response agreed with me. The third called me a fag. The fourth said it was a bug in the spec when every PDF viewer - except Reader - on Linux doesn't follow that part of the spec for security, and his last point denies that running as root is more severe than a limited account along with stating that everyone but idiots shouldn't have been running as root since NT. Never mind that all the software on XP is broken when you're not root.

      --
      Shh.
    13. Re:Linux is more Secure than Windows by LordLimecat · · Score: 1

      Try running most Windows XP software and see what happens.

      Yes, I recommend that to all of my clients. Some software really wants access to program files, but that's fixed with cacls on the directory. Very few programs actually need admin, even QuickBooks (whose tech support guys will insist it does). And for the programs that really really need it, there's always runas; you don't need your whole shell running with admin privileges.

      It is present in Adobe Reader, it has already been patched out of FoxIt and it never existed in XPDF.

      If you will read the article on this from several days ago, you will see that there was a PDF released which runs calc on windows, xcalc on unix, and whatever macs have on OSX. It is VERY MUCH a spec issue, NOT a windows issue. To repeat, THIS HAS BEEN DEMONSTRATED ON LINUX.

    14. Re:Linux is more Secure than Windows by Anonymous Coward · · Score: 0

      When will people understand that on most of the *desktop* systems out there the only important thing (home) is exactly the only one which can get fscked up anyway even if not running as root.
      They can sniff my cookies, my passwords, read my files, install a user mode bot, but hey they can't rm -rf /.

      It's like knowing that someone can rape you, remove your arms and legs, burn your skin with acids, push sticks into your eyes but knowing that you can't die. I wonder if you are feeling safe because of that.

    15. Re:Linux is more Secure than Windows by shutdown+-p+now · · Score: 1

      Try running most Windows XP software and see what happens.

      Unless you're running software that hasn't been updated in the last 5 years, it'll work just fine. For the vast majority of home users, this will be the case. For enterprises, they may have a legacy line-of-business application written in the 90s that needs Administrator - however, if you use a modern Windows OS (i.e. Vista/7), you just configure that particular application to request elevation when started.

      In any case, Adobe PDF reader (or any third-party reader) most definitely doesn't require admin.

      Oh, and even in XP days, being able to correctly work under unprivileged user account was a requisite for getting that "Designed for Windows XP" label on the box.

    16. Re:Linux is more Secure than Windows by sopssa · · Score: 0, Troll

      And it's not Windows' fault that some users can't seem to update their system. Would it be Linux's fault if I ran Red Hat 2?

      His last point doesn't deny that running as root is more severe than limited account. It says most malware doesn't need admin/root access and is correct. Are you reading some other post than me?

      every PDF viewer - except Reader - on Linux doesn't follow that part of the spec for security

      You mean Adobe PDF Reader for Linux? It sure does.

    17. Re:Linux is more Secure than Windows by abigor · · Score: 1

      Nevermind that all the software on XP is broken when you're not root.

      While I don't disagree with your other points, this statement is false. Nearly all widely-used XP software runs just fine under a user with limited rights, as this is how XP is run in any corporate environment.

    18. Re:Linux is more Secure than Windows by sopssa · · Score: 1

      Xpdf on Windows doesn't follow the spec for security either. The separate applications have nothing to do with OS security. The point is, this vulnerability affects Linux too.

    19. Re:Linux is more Secure than Windows by jawtheshark · · Score: 1

      I know there was a way to install it again, but I never found it back.

      I knew I bookmarked it somewhere

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    20. Re:Linux is more Secure than Windows by Anonymous Coward · · Score: 0

      No. It's just a matter of not having low standards.

      By default if you run firefox on linux/windows as a normal user, if firefox gets pwned, everything you can access as a normal user is at risk. Same for most programs you run.

      This security model is decades old and crap.

      With more recent versions of Windows at least Microsoft sandboxes IE (it still can be bypassed in some cases by very clever and persistent people as the recent pwn2own competition shows- but those people will tell you upfront it's harder than pwning say OSX). This is less crap, but still far from good enough.

      Yes there's apparmor for Linux, but Ubuntu's apparmor template for firefox is not enabled by default, and even if you enable it, it's way too lax to be secure (you might as well not enable it - it allows the browser to read and write almost everywhere you can read and write except a few places).

      After so many decades, all we get from the OS makers are technically useless fluff like wobbly windows and UAC (the prompt is hardly any help - there are so many unsigned programs out there - so what does that yellow prompt effectively tell you? Nothing. And just because you get a blue prompt doesn't give you any idea about how much the program is going to change your system).

    21. Re:Linux is more Secure than Windows by Mister+Whirly · · Score: 2, Insightful

      To pretend that one OS is inherently superior in security over another also borders on incredulous. Anytime a specific OS is mentioned in a security discussion, that person has lost the discussion, and does not understand the entire concept of security. Security isn't software. Security isn't an operating system. Security is a set of practices and policies that apply to all software and operating systems regardless of what specific type they are.

      --
      "But this one goes to 11!"
    22. Re:Linux is more Secure than Windows by BrokenHalo · · Score: 1

      And why, if this really is "part of the PDF spec", has every single PDF reader implemented this crazy functionality ?

      I don't know, but according to TFA, there's an easy way to turn it off in the Adobe reader:
      Edit > Preferences > Categories > Trust Manager > PDF File Attachments and clearing the box 'Allow opening of non-PDF file attachments with external applications'.
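
A complementary check to the reader setting above, added here as an example (not code from the thread or from any PDF vendor): a Python triage scanner that flags documents asking the viewer to start an external program. It assumes the feature under discussion is the PDF Launch action (`/S /Launch`), which the thread does not name; the sample document and its file names are constructed.

```python
import re
import zlib

# A PDF name token; inside a name, "#xx" is a hex-escaped byte (e.g. /L#61unch).
NAME = re.compile(rb"/[^\x00\s()<>\[\]{}/%]+")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Stream payloads; the lookbehind skips the "stream" inside "endstream".
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)
# Action dictionaries of subtype Launch.
LAUNCH = re.compile(rb"/S\s*/Launch\b")
# Literal-string values of /F (what to start) and /P (parameters).
TARGET = re.compile(rb"/F\s*\(((?:\\.|[^\\)])*)\)", re.S)
PARAMS = re.compile(rb"/P\s*\(((?:\\.|[^\\)])*)\)", re.S)


def normalize_names(data):
    """Decode #xx escapes inside name tokens so /L#61unch reads /Launch."""
    unescape = lambda h: bytes([int(h.group(1), 16)])
    return NAME.sub(lambda m: HEX_ESCAPE.sub(unescape, m.group(0)), data)


def inflate_streams(data):
    """Yield (label, bytes) for every stream that zlib can decompress."""
    for number, match in enumerate(STREAM.finditer(data), 1):
        try:
            # decompressobj tolerates the trailing newline before "endstream".
            yield "stream %d" % number, zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not Flate-compressed; the raw bytes are scanned anyway


def enclosing_dict(buf, pos):
    """Return the << ... >> dictionary around offset pos (triage-grade:
    delimiters inside string literals are not special-cased)."""
    depth, i, start = 0, pos, None
    while i >= 2 and start is None:
        pair = buf[i - 2:i]
        if pair == b">>":
            depth, i = depth + 1, i - 2
        elif pair == b"<<" and depth == 0:
            start = i - 2
        elif pair == b"<<":
            depth, i = depth - 1, i - 2
        else:
            i -= 1
    if start is None:
        return buf[max(0, pos - 200):pos + 200]
    depth, j = 0, start
    while j < len(buf) - 1:
        pair = buf[j:j + 2]
        if pair == b"<<":
            depth, j = depth + 1, j + 2
        elif pair == b">>":
            depth, j = depth - 1, j + 2
            if depth == 0:
                return buf[start:j]
        else:
            j += 1
    return buf[start:]


def _text(match):
    return match.group(1).decode("latin-1") if match else None


def find_launch_actions(pdf_bytes):
    """List every Launch action in the file body and in compressed streams."""
    findings = []
    regions = [("file body", pdf_bytes)] + list(inflate_streams(pdf_bytes))
    for label, raw in regions:
        data = normalize_names(raw)
        for hit in LAUNCH.finditer(data):
            action = enclosing_dict(data, hit.start())
            findings.append({
                "where": label,
                "target": _text(TARGET.search(action)),
                "params": _text(PARAMS.search(action)),
            })
    return findings


# Constructed sample: one Launch action with an obfuscated name in the body,
# and a second one hidden inside a Flate-compressed stream.
_hidden = zlib.compress(b"4 0 obj << /S /Launch /F (second-example.bin) >> endobj")
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Action /S /L#61unch /Win << /F (example.exe) "
    b"/P (constructed text shown to the user) >> >>\nendobj\n"
    b"3 0 obj\n<< /Filter /FlateDecode /Length " + str(len(_hidden)).encode()
    + b" >>\nstream\n" + _hidden + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for finding in find_launch_actions(SAMPLE):
        print(finding)
```

A hit is a reason to quarantine the file for inspection; a clean result does not prove safety, since encrypted documents and other stream filters are not decoded here.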

    23. Re:Linux is more Secure than Windows by icebraining · · Score: 1

      By default if you run firefox on linux/windows as a normal user, if firefox gets pwned, everything you can access as a normal user is at risk. Same for most programs you run.

      This security model is decades old and crap.

      Why? I just run Firefox in a different user, which doesn't have write permission to anything except a download folder. So exploiting Firefox isn't enough to get access to my files.

    24. Re:Linux is more Secure than Windows by hairyfeet · · Score: 2, Informative

      BTW if you either go to the Foxit site or even better run Filehippo update checker which will keep your Windows machine up to date with regards to 3rd party programs, you'll see that Foxit has already released a new version that fixes the bug.

      So the TFA should probably read "affects previous versions of Foxit" as, like Firefox, Foxit is great about getting patches out there quickly when threats are found.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    25. Re:Linux is more Secure than Windows by Kitkoan · · Score: 1

      no OS unless it's completely locked down a la iPhone will protect you from user stupidity.

      It's not always user stupidity, just how the system is designed. Even a closed system like the iPhone can be hacked by a third party without access to the computer itself. This exploit affected all smartphones, granted only iPhones didn't get patched against it until 48 hours after the information about it went public. But it showed that it was possible, even given its locked down nature.

      --
      Attention... all grammer nazi"s! Is they're anything; wrong with: my post,
    26. Re:Linux is more Secure than Windows by thsths · · Score: 1

      > You don't run as administrator in Windows anymore, either.

      And how many software packages still work then? Even Firefox had serious trouble with the update function under non-admin accounts until very recently.

      > Security updates are likewise pushed in windows.

      Pulled, to be precise. Via an Active-X plugin, yuck.

      > Windows has an updating function.

      No, it does not. The update "function" is a web site that sets off 3 security warnings in IE8.

      > Your statements all show unfamiliarity with Windows.

      Ditto.

    27. Re:Linux is more Secure than Windows by impaledsunset · · Score: 1

      "We kpdf developers want to add it, but kde core developers won't allow it.

      [...]

      So unless you can convince the non believers you are not going to get that feature, sorry :-/"

      Good quote from the discussion. That's how (many) people view disabling features for security reasons. The developers get to be called "non believers". How do you tell these users how bad the feature they want is? And these are geeks posting bugs, and developers, not average Joes. The average Joe might even refuse to use the more secure version, even though he's most vulnerable, ironically.

    28. Re:Linux is more Secure than Windows by Pentium100 · · Score: 1

      Linux is a lot different than running as root all the time on Windows.

      Let's say that there are no exploits to get root access on a Linux system. What can malware do with a limited user account?

      rm -rf /home/user - would work, but useless
      sending spam - you don't need root access to send mail, do you?
      participating in a botnet - you don't need root access to open a port and give shell to whoever is connecting.
      searching user files for valuable information - would work

      I don't know if a keylogger would work without root access.

      So, a trojan (malware pretending to be a legitimate app) or a browser/reader exploit would still work.

    29. Re:Linux is more Secure than Windows by plague3106 · · Score: 1

      And how many software packages still work then? Even Firefox had serious trouble with the update function under non-admin accounts until very recently.

      Pretty much all of them. That OSS people can't code properly on Windows doesn't surprise me in the least.

      Pulled, to be precise. Via an Active-X plugin, yuck.

      Linux updates are pulled too. Oh, and there's Automatic Update service which doesn't require activex and will still download updates for you. Just the user initiated UI was a web page, and starting with Vista that's not even true anymore.

      No, it does not. The update "function" is a web site that sets of 3 security warnings in IE8.

      Control panel -> Automatic Updates -> Check to download, or download and install automatically. No need to open a browser.

      You seem to be less familiar with Windows than the other was with Linux.

    30. Re:Linux is more Secure than Windows by Red+Flayer · · Score: 1

      That's the point I've been trying to made, no OS unless it's completely locked down a la iPhone will protect you from user stupidity. Not Windows, not Linux, not BSD.

      That's not the point you were trying to make in your OP. The point you were trying to make in your OP was that the exploit is worse in Linux than in Windows. I quote:

      Since it's part of the PDF specs, it should work in Linux too. What's even worse than with Windows is that...

      Another reason why it would be even more serious on Linux is the way you can pipe commands

      Since most Linux systems don't even have the kind of application firewalls or antiviruses that Windows does, and because the Internet accessing is actually done via wget, they don't even get any kind of a "Give internet access to this application?" dialog.

      You're clearly attempting to make the case that Linux is worse for security in this case than Windows.

      It's OK. You can do that. Just don't lie and pretend you're doing something different.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    31. Re:Linux is more Secure than Windows by Red+Flayer · · Score: 0, Troll

      You don't run as administrator in Windows anymore, either.

      Speak for yourself, wimp.

      Only weaklings run with any permissions profile other than root, no matter what OS they use.

      Want to learn how you too can be a manly man and run as root?

      Read more here.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    32. Re:Linux is more Secure than Windows by Anonymous Coward · · Score: 0

      You don't run as administrator in Windows anymore, either.

      By default, on the current version of Windows (Windows 7), you are an administrator. You are issued a "split token" by the OS that takes those privileges away, but the second you need administrative rights those rights are granted automatically and silently. Contrast this to Linux, where, by default, you have no administrative rights. If you don't run as an administrator on Windows, good for you--but you are the minority.

      Security updates are likewise pushed in windows. Windows has an updating function. Your statements all show unfamiliarity with Windows.

      The Windows updating function doesn't work for third-party software. In order to update third-party software, you need admin rights. Contrast this to Linux, where the update mechanism can update third-party software without administrative rights. Your statements indicate that you have never attempted to use third-party software on Windows.

      This is not an Adobe bug, this is a vulnerability in the PDF spec. Readers not from Adobe have already been shown to be vulnerable.

      Linux is not immune, despite your specious claims.

      Okular (the PDF reader for KDE) is immune, and has been for as long as I can remember, because they decided that part of the spec was too insecure to implement. I'm sure you can point out exactly how it's vulnerable though, since you know for a fact that it is.

    33. Re:Linux is more Secure than Windows by Anonymous Coward · · Score: 0

      Oh really? Last time I checked the specs for adobe in linux it lacked support for this exploit. It required some win only launch drivers. Maybe there was more to it and a way to run a command on linux, but I didn't see any.

    34. Re:Linux is more Secure than Windows by cababunga · · Score: 1

      Xpdf and Okular on Windows aren't vulnerable either. Adobe PDF Reader on Linux is vulnerable.

      With only the difference that Linux comes with Xpdf and Okular, so Linux users rarely bother to install Adobe's product, while most Windows users won't even know about existence of the secure alternatives.

    35. Re:Linux is more Secure than Windows by afidel · · Score: 1

      I'll give you a real world example of how this functionality is used. We used Adobe standard to export email from our Lotus Notes email system so that any legal records can be imported into our content management system, these archives are a complete copy of the email records including metadata and attachments stored within a PDF file. Clicking on an attachment in the archive opens the system default viewer for that file type. Turning this feature off would significantly reduce the functionality and user friendliness of the solution.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    36. Re:Linux is more Secure than Windows by chrb · · Score: 1

      Adobe PDF Reader on Linux is vulnerable.

      I never understood why people bothered with Acrobat Reader on Linux - KPDF/Okular has been smaller, faster and nicer looking for years, and it integrates better with the KDE desktop. I'd imagine the same is true of whatever Gnome uses?

    37. Re:Linux is more Secure than Windows by Anonymous Coward · · Score: 0

      Under a limited user account it would also have pretty limited options when it comes to starting itself automatically or hiding itself to avoid detection. It would also be much easier to clean up afterwards, since it was contained and didn't have the ability to bury additional crap elsewhere in the filesystem. In the meantime, at least the malware would also be unable to tamper with any files in any other users' home directories. Nor would it be able to monitor network traffic, open sockets on ports below 1024, disable anti-virus/intrusion detection software, inject itself into other processes, access deleted files, hijack other services to steal additional credentials, etc. So, while it would still be able to do some basic things, its capabilities for further attacks, maintaining access, and avoiding detection are quite limited compared to what could be done if it had root/Administrator privileges.

    38. Re:Linux is more Secure than Windows by 0ld_d0g · · Score: 1

      Nevermind that all the software on XP is broken when you're not root.

      That's a curious way to argue against security.

      "Hey I can't run all this badly written software on Windows unless I run as root, therefore Windows is insecure !"

    39. Re:Linux is more Secure than Windows by Anonymous Coward · · Score: 0

      Ditto, except I run Chrome in its own VM.

    40. Re:Linux is more Secure than Windows by vegiVamp · · Score: 1

      I fully agree, and had I modpoints I'd simply add a +1 insightful to your score.

      Since I haven't, though, I'd like to point out that while it is true that you can't simply equate security with a piece of software, you *can* compare how well two teams of developers (try to) adhere to those practices and policies.

      I have a feeling that Linus and the people who verify kernel patches have a better track record in that than the people at Microsoft who decide that a given feature WILL BE in the next release, regardless of developers pointing out that it's not quite finished yet.

      --
      What a depressingly stupid machine.
    41. Re:Linux is more Secure than Windows by Mister+Whirly · · Score: 1

      I would argue that is mostly due to the fact that when Microsoft screws something up and breaks something with a patch or upgrade, millions of business workstations may be rendered useless and bring work to a screeching halt. Microsoft can't afford to screw up with a security patch, literally.

      --
      "But this one goes to 11!"
    42. Re:Linux is more Secure than Windows by V+for+Vendetta · · Score: 1

      [...] or even better run Filehippo update checker

      Thanks, but I prefer Secunia's PSI. When it comes to security (patches), I trust Secunia more than FileHippo.

    43. Re:Linux is more Secure than Windows by Red+Flayer · · Score: 1

      If the mod who modded that troll bothered to follow the link, he would have understood the context of the way I worded that post.

      There sure seems to be a deficiency of humor here...

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    44. Re:Linux is more Secure than Windows by hairyfeet · · Score: 1

      Why? Have you EVER gotten a virus or even a bad file from Filehippo? Because I haven't, and I have been using Filehippo pretty extensively in my repair shop. The Filehippo Update Checker makes it simple for even the most non tech user to keep their 3rd party apps up to date easily and simply.

      Saying you simply prefer one over the other is fine, but saying you "trust" Secunia more than Filehippo implies that Filehippo isn't trustworthy, for which I must ask for citations.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    45. Re:Linux is more Secure than Windows by V+for+Vendetta · · Score: 1

      The difference is - as I see it - that the FileHippo is "just" a new version checker, whereas the PSI checks for software versions on your PC that have known vulnerabilities. You know, an older version isn't necessarily a security risk. The PSI is also a bit more verbose as to what and why it lists the updates. Also, FileHippo is "just" an ordinary download site (correct me, if I'm wrong), whereas Secunia is in the security business.

      I'm not saying that FileHippo is bad. And I admit that using the verb "trust" wasn't perhaps the best choice (attribute that to the fact that English is not my native language). Let's say I find PSI more informative. The enterprise version (which I haven't tried yet), is supposed to let you handle 3rd party updates via WSUS.

  13. Code, meet data by Gothmolly · · Score: 1

    Why can a document execute anything?

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Code, meet data by Tridus · · Score: 2, Insightful

      Because some genius thought that it was a great idea to put a launch command in the PDF spec.

      Seems like it's working as intended.

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    2. Re:Code, meet data by Animats · · Score: 3, Interesting

      Because some genius thought that it was a great idea to put a launch command in the PDF spec.

      Yes. That should formally be removed from the ISO standard.

      I tried the proof of concept code in SumatraPDF, and it didn't work. But may be a bug in SumatraPDF; there's an error message about a sync file failure.

    3. Re:Code, meet data by Anonymous Coward · · Score: 0

      Because some genius thought that it was a great idea to put a launch command in the PDF spec.

      I looked up the spec last time this came about. My reading shows the launch command is intended to launch a file in another application, but using the URI format, so it is not supposed to be able to launch a specific application, just a file the OS picks an application to open based upon the data type. It seems Adobe implemented it out of spec and Foxit copied them (probably for interoperability)

    4. Re:Code, meet data by Anonymous Coward · · Score: 0

      I tried the proof of concept code in SumatraPDF, and it didn't work. But may be a bug in SumatraPDF; there's an error message about a sync file failure.

      It's not a bug, it's a feature :)

  14. for more info by bl8n8r · · Score: 1

    A little better than the crummy cnet write-up. http://blog.didierstevens.com/

    --
    boycott slashdot February 10th - 17th check out: altSlashdot.org
  15. pdftotext by Curmudgeonlyoldbloke · · Score: 1

    Presumably xpdf's "pdftotext" isn't vulnerable?

  16. Re:Drop it like the disease it is by RMS+Eats+Toejam · · Score: 0

    Really, throw that bloated, filthy piece of shitware to hell already and go with FoxIt. And, yes, I think my use of the word FUCK is warranted here.

    I agree. Fuck is warranted here. You are too fucking lazy to read the summary or too fucking stupid to understand it.

    The exploit affects Foxit as well as Adobe Acrobat software.

    --
    Turning to a Linux advocate for thoughts on Microsoft is like asking Hitler how he felt about the Jews.
  17. "Security firm" by Spyware23 · · Score: 1

    "More woes for Adobe [i]as security firm[/i] creates proof-of-concept attack that injects"

    "As security firm"? Who does the article mean, Jeremy Conway of NitroSecurity, or Didier Stevens, working for Contraste Europe? Also, it would've been nice if the article linked to an article Jeremy wrote titled "Implications of Recent PDF /Launch Hacks", this article can be found here: http://siemblog.com/2010/04/implications-of-recent-pdf-launch-hacks/

  18. Dupe by MobyDisk · · Score: 4, Informative
  19. Re:Drop it like the disease it is by Anonymous Coward · · Score: 0

    The exploit was actually WORSE if you were using Foxit. Acrobat Reader would pop up a warning about running an executable, but Foxit wouldn't warn, it would just run it. On the other hand, Foxit has already issued an update.

  20. Windows is most affected by this exploit by StuartHankins · · Score: 0, Troll

    As others may have stated -- but I definitely want to underline -- the broken security model of Microsoft Windows causes significant potential for harm by this exploit. I guess if you run Windows you're accustomed to grabbing your ankles though.

    I'm at the point where if you run Windows and have the audacity to complain about the exploits, bugs, worms, trojans, et al, you get no sympathy from me. The world has known about Microsoft's crappy security for decades, and Microsoft has done little to improve it. How many unscheduled patches have rolled out their door lately? Why do they have a "malicious software removal tool" updated monthly? (Hint: it's not because Windows is well-designed)

    To use a car analogy, Microsoft produces cars, all of which have this huge hole in their roofs. Instead of redesigning the roof or putting something over the hole, they want you to buy a carpet replacement subscription. Each time, you dole out the money for a new copy of Windows, thinking "this will be the one!" and each time you are disappointed. When will you get smart?

    I'm not quite ready to say that Microsoft chooses to have broken security, but it's obvious -- if that's not the case -- that Microsoft clearly doesn't understand security. But is that really better? How many people do you know who have been infested with viruses, trojans, etc on Windows operating systems? How many of those got infected despite installing antivirus software and keeping their machines up-to-date? Nowadays having only antivirus on a Windows machine is just asking to be rooted, and I don't think it's the new computer users' fault. It's getting worse every day.

    1. Re:Windows is most affected by this exploit by sexconker · · Score: 0

      Troll more.

      In windows, you can do things.
      You can run software which does things.
      If you have the rights to do X, software you run also has that right.

      If you have any Windows system made in the last 12 years, you have the ability to run as a restricted user. If you have any Windows system made in the last 8 and a half years, you run as a restricted user by default.

      Microsoft does not control the software developers that write applications for Windows. Microsoft does not audit every line of code they write. Microsoft has no way of knowing whether what program X wants to do is good or bad.

      What would you prefer Microsoft do? Make it impossible for a user to do X, just to prevent possibly malicious usage of X by programs?
      Would you prefer they make it impossible to install any software not digitally signed by Bill Gates himself?

      Do you want MS to maintain a repository of every single executable out there? (Hint: Tens of millions for windows, thousands for Linux).

    2. Re:Windows is most affected by this exploit by Zironic · · Score: 1

      Only that the hole in the roof is a requested feature, without which they wouldn't be able to sell their operating system (backwards compatibility).

    3. Re:Windows is most affected by this exploit by shutdown+-p+now · · Score: 1

      As others may have stated -- but I definitely want to underline -- the broken security model of Microsoft Windows causes significant potential for harm by this exploit.

      So far, no-one has explained how Windows is any more vulnerable to this exploit, unless running under an administrative account (which hasn't been the default for the last 2 major OS releases).

      So, care to explain what is "broken" about Windows security model vis-a-vis Unix one?

    4. Re:Windows is most affected by this exploit by mcgrew · · Score: 1

      My car has a hole in its roof called a "sunroof", but I can close it with the touch of a button. If it rains in, that's my fault, not the car manufacturer. But a Windows sunroof won't close, and that's Windows' fault.

      Being a multi-billion dollar company whose OS is installed on almost every computer sold, Microsoft has the wherewithal to create a secure, backwards compatible OS. The thing is, they don't have to because their OS is installed on almost every computer sold. There's no incentive for them to design and build a secure OS.

  21. Your comment, sir, is vapid. by Frosty+Piss · · Score: 1

    Nobody uses the root account in Linux for everyday activity.

    Really? More than you think...

    So no worries about the system in general.

    Dangerous assumptions continue...

    --
    If you want news from today, you have to come back tomorrow.
  22. Re:Drop it like the disease it is by clone53421 · · Score: 2, Interesting

    As it’s apparently a standard PDF feature, giving it a shot to run whatever command line its author desires...

    Yeah, it would affect anything that supported that feature.

    Note that the clean pdf, after it is infected, pops up the window asking to run “firefox.exe sudosecure.net”. I’m not sure exactly how he did it, but note that there is a huge mass of text (judging from the scrollbar) above the “it’s okay, let me do this” message in the evil pdf. He’d have to somehow create a malicious binary and then execute it. One suspicion I have... a polyglot.

    evil.txt:

    %bad stuff here... bla bla bla, execute me from the command prompt

    Then...

    copy /b evil.txt + clean.pdf evil.pdf

    Result: evil.pdf opens just fine in Acrobat Reader, but it has the injected code at the beginning, disguised as a comment.

    No comment of whether it is specific to 32-bit or 64-bit versions of Windows... and why might that be significant, you ask? Because 64-bit versions of windows do not include DEBUG.EXE.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  23. Does it use a single code base ... by lwriemen · · Score: 1
  24. OT: Do non-Adobe PDF apps less vulnerable? by guanxi · · Score: 2, Interesting

    Would switching to a non-Adobe PDF viewer make you safer? I understand this exploit affects Foxit, but there are many other exploits and PDF viewers (MacOS X's Preview, Ghostview/GSView, CutePDF, Nitro, etc.).

    Usually the headline says the exploits are in Acrobat; and given Adobe's much larger installed base, they are a much more likely target; but perhaps the exploits are really in PDFs (or JavaScript) in general.

    1. Re:OT: Do non-Adobe PDF apps less vulnerable? by Skuld-Chan · · Score: 1

      Actually in this case - foxit just runs the exe without displaying the "do you really want to open this" warning Reader gives you.

    2. Re:OT: Do non-Adobe PDF apps less vulnerable? by Anonymous Coward · · Score: 0

      Actually in this case - foxit just runs the exe without displaying the "do you really want to open this" warning Reader gives you.

      Actually, Foxit is no longer vulnerable to this exploit since they issued a security patch that should have auto-updated by now.

    3. Re:OT: Do non-Adobe PDF apps less vulnerable? by el+chief · · Score: 1

      I use gPDF, which is an add-on for FireFox, etc. It changes your PDF links such that they open in google's PDF viewer instead of acrobat or foxit a) faster b) secure(r?) c) no update popups

    4. Re:OT: Do non-Adobe PDF apps less vulnerable? by Anonymous Coward · · Score: 0

      Mac OS X's Preview is *immune* because it does not implement /launch.

    5. Re:OT: Do non-Adobe PDF apps less vulnerable? by Skuld-Chan · · Score: 1

      And you can roll your own patch for Acrobat by changing a few registry keys. What is the difference?

  25. Not really an exploit... by Skuld-Chan · · Score: 5, Informative

    This feature is in the PDF specification, and in fact in the youtube video you'll notice that the trust manager warning is pretty severe "only do this if you trust the PDF" sort of thing.

    To me it's akin to downloading an EXE from a website with a browser and clicking the open button...

    1. Re:Not really an exploit... by Yvan256 · · Score: 1

      Why does a document format need to have the ability to external executable files in the first place?

    2. Re:Not really an exploit... by Skuld-Chan · · Score: 1

      Name one document format that doesn't?

      Even html - you can go to any number of websites that will pop up EXE's for you to download without you clicking on anything. Heck - you can even embed executables with Java inside html using browser plugins or its native javascript.

  26. Re:Drop it like the disease it is by Anonymous Coward · · Score: 4, Informative

    You clearly didn't read the last week's Slashdot article. This exploit is already fixed in Foxit.

  27. PDF Alternative? by shdowhawk · · Score: 1

    One of the tags says "saynotopdf" (Say no to PDF). I'm just curious to know if someone has knows or has need a useful alternative?

    Between the format wars (.doc, .docx, open office .doc, .odt, etc) and between the HTML / Browser standards (ie6, ie7, ie8, firefox, safari, opera, etc), PDF seems to be the only consistent way to view things across all OS's. Sadly, it's very useful for that reason...

    Quick google search didn't show anything useful except for a /. article from 2006 (Unipage) ... But the link on that page is dead now. Googling "unipage" didn't seem to show anything useful after 2007 (Investintect.com)

    Any Ideas?

    1. Re:PDF Alternative? by Cro+Magnon · · Score: 1

      Between the format wars (.doc, .docx, open office .doc, .odt, etc) and between the HTML / Browser standards (ie6, ie7, ie8, firefox, safari, opera, etc), PDF seems to be the only consistent way to view things across all OS's. Sadly, it's very useful for that reason...

      There's always txt files. They might be ugly and no bells/whistles, but AFAIK, nobody's ever gotten infected by one.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    2. Re:PDF Alternative? by Anonymous Coward · · Score: 0

      Yeah sure if I rename a .TXT file to .COM or .EXE but even so ...

    3. Re:PDF Alternative? by Anonymous Coward · · Score: 0

      DjVu

      Apparently the format is in use by hundreds of web sites.

      Or perhaps you would prefer Microsoft's XPS format as a PDF replacement.

    4. Re:PDF Alternative? by colinrichardday · · Score: 1

      TeX/LaTeX. You can even convert to pdf.

  28. portable DOCUMENT format by Anonymous Coward · · Score: 0

    Why can't there be a standard of just layout, for a document. I don't want or need javascript, or embedded executable, or interactivity.
    I always thought that's what PDF was, then all these exploits surfaced, mostly for stuff that I don't want or need (or even knew PDF had and allowed!)

    I've also set up my browsers to open PDFs in GoogleDocs, which seems to be a tad safer.... maybe...

  29. Re:Drop it like the disease it is by Anonymous Coward · · Score: 0

    Can we please stop calling this an "exploit"?

    As stated by numerous other individuals it's in the ISO spec, so it is literally a feature not an exploit. The hack is to change the warning message in a social engineering feat. Instead of Adobe's "Srsly d00d u want 2 open these hax.exe??" the user gets "Click allow to view this encrypted pdf" or even something more suitable for different social engineering attempts. The analogy to downloading a .exe from a website and clicking open is pretty accurate, but you can't change the message in that box to mask the executable about to be called.

    So to sum this up:
    -launching an executable from a PDF is a feature
    -changing the warning message can be exploited in a social engineering attempt
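
A defender's view of the /Launch action discussed in this thread, as an added example (not code from the thread, from Adobe or from any reader): a Python scan that flags Launch actions in uncompressed PDF objects, including hex-escaped names such as /L#61unch, and reports the target and parameter strings. The sample bytes, the function names and the five-newline padding threshold are constructed assumptions.

```python
import re

# PDF name tokens: "/" followed by regular (non-delimiter) characters.
NAME = re.compile(rb"/[^\s()<>\[\]{}/%]+")
HEX = re.compile(rb"#([0-9A-Fa-f]{2})")
LAUNCH = re.compile(rb"/S\s*/Launch(?![^\s()<>\[\]{}/%])")
PAD_NEWLINES = 5  # assumed threshold for "message pushed down by blank lines"

def decode_names(data):
    """Undo #xx escapes inside name tokens, so /L#61unch reads as /Launch."""
    unhex = lambda h: bytes([int(h.group(1), 16)])
    return NAME.sub(lambda m: HEX.sub(unhex, m.group(0)), data)

def read_literal(data, pos):
    """Decode the PDF literal string whose '(' is at data[pos].
    Handles nested parentheses and backslash escapes (octal escapes are not decoded)."""
    esc = {ord("n"): b"\n", ord("r"): b"\r", ord("t"): b"\t"}
    out, depth, i = bytearray(), 0, pos
    while i < len(data):
        c = data[i]
        if c == 0x5C and i + 1 < len(data):   # backslash: take next byte literally
            out += esc.get(data[i + 1], bytes([data[i + 1]]))
            i += 2
            continue
        if c == 0x28:                         # "("
            depth += 1
            if depth > 1:
                out.append(c)
        elif c == 0x29:                       # ")"
            depth -= 1
            if depth == 0:
                return bytes(out)
            out.append(c)
        else:
            out.append(c)
        i += 1
    return bytes(out)                         # unterminated string: return what was read

def string_after(body, key):
    """Return the literal string that follows /<key>, or None if there is none."""
    m = re.search(rb"/" + key + rb"\s*\(", body)
    return read_literal(body, m.end() - 1) if m else None

def find_launch_actions(data):
    """List Launch actions found in plain (not stream-compressed) objects."""
    norm = decode_names(data)
    findings = []
    for m in LAUNCH.finditer(norm):
        start = norm.rfind(b"obj", 0, m.start())      # enclosing object start
        start = 0 if start == -1 else start + 3
        end = norm.find(b"endobj", m.end())
        body = norm[start:end if end != -1 else len(norm)]
        params = string_after(body, b"P") or b""
        findings.append({
            "target": string_after(body, b"F"),       # file or program to open
            "params": params,                         # text passed as parameters
            "newlines": params.count(b"\n"),
            "padded": params.count(b"\n") >= PAD_NEWLINES,
        })
    return findings

# Constructed sample: a Launch action with a hex-escaped name and padded parameters.
SAMPLE = (b"%PDF-1.4\n"
          b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
          b"2 0 obj\n<< /Type /Action /S /L#61unch\n"
          b"   /Win << /F (placeholder.exe) /P (" + b"\\n" * 12 +
          b"constructed test message) >> >>\nendobj\n")
# Constructed sample: an ordinary URI action, which must not be flagged.
CLEAN = b"1 0 obj\n<< /Type /Action /S /URI /URI (http://example.invalid/) >>\nendobj\n"

if __name__ == "__main__":
    for hit in find_launch_actions(SAMPLE):
        print(hit)
```

Actions stored inside compressed object streams are invisible to a byte scan like this one, so a clean result on such a file means nothing until the streams are inflated.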

  30. Still using Acrobat Reader?! by Anonymous Coward · · Score: 0

    With these weekly major security exploits coming out now, does anyone actually still use Acrobat Reader at their place of work!?!

    I thought for the most part 3rd party readers were immune to this crap as well, but i've heard of foxit being exploitable as well for the last few

    I've switched the company that I admin for to Sumatra PDF long ago because i got tired of chasing after the weekly updates and applying them to all the machines. Also because of the continued bloat of Acrobat Reader.

    Something's really wrong when for the most part Sumatra can cover the major needed functionality in just a few MB, when reader has bloated up into the triple digit MB

    A user only gets Acrobat if they can prove a valid need such as a PDF that won't display properly in Sumatra.

  31. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  32. Or maybe they didn't fix it... by WD · · Score: 1
  33. ZOMG, ur a f4g! by Anonymous Coward · · Score: 0

    You should stick to posting your faggoty copypasta about Kelvins, because everything else you post is as gay as AIDS.

    You and sopssa (ASS POS, amirite?) need to die in a fire.

  34. Re:Drop it like the disease it is by mister_playboy · · Score: 1

    The summary is inaccurate. Foxit has already patched this problem in the current version.

    --
    Do what thou wilt shall be the whole of the Law ::: Love is the law, love under will
  35. Foxit? by Anonymous Coward · · Score: 0

    ... well, yes, it does, rather...

  36. Re:Drop it like the disease it is by dudpixel · · Score: 1

    so it's a feature that can be exploited (easily). deal with it.

    --
    This seemed like a reasonable sig at the time.
  37. Re:Drop it like the disease it is by virgilp · · Score: 1

    Well... let's see what they understand by "fixing it" in FoxIt: they now give the warning dialog that Adobe's reader already gave.... except that for Adobe the default is "do not open" while for the "fixed" FoxIt the default is "open". Yeah, much more secure than Adobe, clearly.... In other news, let me remind you that all your web browsers are insecure: Someone can use "social engineering" techniques to get you to visit a web page, download a binary from there (trojan, maybe), and execute it. All you need to do is click a link, answer "Yes, run!" to the warning dialogs, and BAM! you're infected. Quite similar with this PDF "exploit", in fact.. So stop using your web browser, it exposes you to a serious security vulnerability.... even if you disable Javascript! :D