Slashdot Mirror

← Back to Stories (view on slashdot.org)

No JavaScript Needed For New Adobe Exploits

Posted by CmdrTaco on from the this-will-end-badly dept.

bl8n8r writes "More woes for Adobe as a security firm creates a proof-of-concept attack that injects malicious code as part of the update process. The user only needs to click a dialog box to execute the code and no JavaScript is needed to launch the exploit. The exploit affects Foxit as well as Adobe Acrobat software. This exploit is made possible through the host software allowing execution of system binaries. Not clear if it's multi-platform, but seems plausible."

14 of 187 comments (clear)

  1. Linux is vulnerable too by sopssa · · Score: 3, Informative

    Since it's part of the PDF specs, it should work in Linux too. What's even worse than with Windows is that since 'rm' is just a normal binary the PDF can launch that, and if you run as root privileges, just issue a command like "rm -rf /". If you don't run as root, then for example Ubuntu should give you the sudo box to input password to. This of course being just one of the examples it could do. Remember that most malware doesn't even need root access to function.

    Another reason why it would be even more serious on Linux is the way you can pipe commands and how most systems come pre-packaged with a ton of little utility apps. You can create the whole malware with a series of commands, or wget a bash script from the internet and start that to hide even more malware in the system. Since most Linux systems dont even have the kind of application firewalls or antiviruses that Windows does, and because the Internet accessing is actually done via wget, they don't even get any kind of a "Give internet access to this application?" dialog.

    It also doesn't help at all that most Linux users (especially those who are told so by the geeks!) believe that Linux cannot get malware. In my opinion this is a really stupid thing to do from those promoting Linux or Mac OS X as it will just lead to false sense of security.

    1. Re:Linux is vulnerable too by caffeinemessiah · · Score: 4, Informative
      Maybe you should actually, you know,...use Linux before you attempt to troll about security.

      What's even worse than with Windows is that since 'rm' is just a normal binary the PDF can launch that, and if you run as root privileges, just issue a command like "rm -rf /". If you don't run as root, then for example Ubuntu should give you the sudo box to input password to. This of course being just one of the examples it could do. Remember that most malware doesn't even need root access to function.

      Nobody uses the root account in Linux for everyday activity. In Ubuntu, root login is even disabled by default (you have to sudo). So no worries about the system in general. Although it's pretty devastating to issue a "rm -rf ~" to delete the user's home directory, it's on par with Windows. Then you say that most malware doesn't even need root access to function, but on all the millions of XP boxes out there, it's already given root access by default.

      Another reason why it would be even more serious on Linux is the way you can pipe commands and how most systems come pre-packaged with a ton of little utility apps. You can create the whole malware with a series of commands, or wget a bash script from the internet and start that to hide even more malware in the system.

      Windows has a pipe function too, in addition to being able to zoink your whole file system with a simple "del". It also comes with ftp and telnet, which are handy replacements for wget. In short telnet+response file = download an .exe from the web = any sort of functionality you might want using Unix command line tools.

      Your comment, sir, is vapid.

      --
      An old-timer with old-timey ideas.
    2. Re:Linux is vulnerable too by sopssa · · Score: 4, Informative

      If it can't boot after a vulnerability is exploited or you can't remove it within 30 minutes then have it count doubly so.

      The days when malwares purpose to trash the system to an unbootable state have been over for 15 years. Now a days you don't really even notice them being on your machine unless its one of those which show fake virus alerts. How would you notice if it just starts sending spam or sniffing your passwords?

      Another point is that you can fairly easily hide in a Linux system. If you absolutely need root access, there have been serious privilege escalation exploits over the years. Most of the Linux systems aren't even necessarily being patched consistently. I've seen one of these privilege exploits used on many hosting companies that usually keep their systems up to date and secure too. That beside the point that it's not usual that you even need root access.

    3. Re:Linux is vulnerable too by thuerrsch · · Score: 2, Informative

      Well said. Also don't forget that Evince, the default pdf viewer in Gnome and in Ubuntu, is immune to this exploit, as confirmed by several comments on Didier Stevens' original announcement.

      So here we have another good reason not to use Acrobat Reader on Linux (or on anything else, for that matter), but also not to trust closed-source alternatives like FoxIt. Evince is fast, efficient, easy to use, has all the necessary features, nothing more, nothing less. And hey, there's even a Windows version!

      --
      most of what follows is true
  2. Dupe Dupe by Nerdfest · · Score: 5, Informative

    I believe this exploit has already been patched in FoxIT, assuming this is the same exploit descibed here on SlashDot 2 weeks ago. Strangely, I haven't seen an update from Adobe ...

    1. Re:Dupe Dupe by sopssa · · Score: 2, Informative

      Yes, Foxit patched it last week. It uses the same technique so the Foxit patch should work, but this new "exploit" just takes it a bit further in that the malware can be embedded in the PDF file.

    2. Re:Dupe Dupe by phayes · · Score: 4, Informative

      Yes, foxit has patched the vuln: http://forums.foxitsoftware.com//showthread.php?t=18044

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
  3. Re:Drop it like the disease it is by abigsmurf · · Score: 4, Informative

    You clearly didn't read the article or even the summary. This exploit affects Foxit too. It's an exploit of the PDF standard itself

  4. Dupe by MobyDisk · · Score: 4, Informative

    Dupe from Slashdot, March 31st

  5. Re:Linux is more Secure than Windows by headkase · · Score: 4, Informative

    KPDF (now Okular) has specifically forbidden this behavior forever because it is a security risk. I use Okular myself so I am not vulnerable to this issue. Since it has been known so long to be a security issue in Linux-land why has Adobe allowed it so long? XPDF also is not vulnerable to this issue and so on. So it appears to be a tempest in a tea-cup for Linux and just another day on Windows.

    --
    Shh.
  6. Re:Linux is more Secure than Windows by jawtheshark · · Score: 2, Informative

    Try running most Windows XP software and see what happens.

    I keep hearing this repeated ad infintum. Since Win XP SP2, most software got adapted so it could run as Limited user. Even game developers got the message. The Sims 2 initially came out as "Admin only". That was patched within months when people complained.

    Anyway, even for non-behaving software, it is usually a matter of setting User-Write-Permissions on the folder of the misbehaving application. If that doesn't help, set User-Write-Permission to the subkey the application created in HKEY_LOCAL_MACHINE. Fixes 99% of the applications. If anyone bothered, this could be automated with a script or an appplication that has a database with known misbehaving applications and the necessary fixes. If people can make something like "the PC decrapiefer", this should be feasible too.

    Anyone with a remote clue can run Windows XP entirely as Limited User (for day to day operations, of course).

    Only slightly related: this is why removing the Security tab in the Home Version of XP was a bad idea. I know there was a way to install it again, but I never found it back.

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
  7. Not really an exploit... by Skuld-Chan · · Score: 5, Informative

    This feature is in the PDF specification, and in fact in the youtube video you'll notice that the trust manager warning is pretty severe "only do this if you trust the PDF" sort of thing.

    To me its akin to downloading an EXE from a website with a browser and clicking the open button...

  8. Re:Drop it like the disease it is by Anonymous Coward · · Score: 4, Informative

    You clearly didn't read the last week's Slashdot article. This exploit is already fixed in Foxit.

  9. Re:Linux is more Secure than Windows by hairyfeet · · Score: 2, Informative

    BTW if you either go to the Foxit site or even better run Filehippo update checker which will keep your Windows machine up to date with regards to 3rd party programs, you'll see that Foxit has already released a new version that fixes the bug.

    So the TFA should probably read "affects previous versions of Foxit" as like Firefox Foxit is great about getting patches out there quickly when threats are found.

    --
    ACs don't waste your time replying, your posts are never seen by me.