Slashdot Mirror

← Back to Stories (view on slashdot.org)

No JavaScript Needed For New Adobe Exploits

Posted by CmdrTaco on from the this-will-end-badly dept.

bl8n8r writes "More woes for Adobe as a security firm creates a proof-of-concept attack that injects malicious code as part of the update process. The user only needs to click a dialog box to execute the code and no JavaScript is needed to launch the exploit. The exploit affects Foxit as well as Adobe Acrobat software. This exploit is made possible through the host software allowing execution of system binaries. Not clear if it's multi-platform, but seems plausible."

10 of 187 comments (clear)

  1. Linux is vulnerable too by sopssa · · Score: 3, Informative

    Since it's part of the PDF specs, it should work in Linux too. What's even worse than with Windows is that since 'rm' is just a normal binary the PDF can launch that, and if you run as root privileges, just issue a command like "rm -rf /". If you don't run as root, then for example Ubuntu should give you the sudo box to input password to. This of course being just one of the examples it could do. Remember that most malware doesn't even need root access to function.

    Another reason why it would be even more serious on Linux is the way you can pipe commands and how most systems come pre-packaged with a ton of little utility apps. You can create the whole malware with a series of commands, or wget a bash script from the internet and start that to hide even more malware in the system. Since most Linux systems dont even have the kind of application firewalls or antiviruses that Windows does, and because the Internet accessing is actually done via wget, they don't even get any kind of a "Give internet access to this application?" dialog.

    It also doesn't help at all that most Linux users (especially those who are told so by the geeks!) believe that Linux cannot get malware. In my opinion this is a really stupid thing to do from those promoting Linux or Mac OS X as it will just lead to false sense of security.

    1. Re:Linux is vulnerable too by caffeinemessiah · · Score: 4, Informative
      Maybe you should actually, you know,...use Linux before you attempt to troll about security.

      What's even worse than with Windows is that since 'rm' is just a normal binary the PDF can launch that, and if you run as root privileges, just issue a command like "rm -rf /". If you don't run as root, then for example Ubuntu should give you the sudo box to input password to. This of course being just one of the examples it could do. Remember that most malware doesn't even need root access to function.

      Nobody uses the root account in Linux for everyday activity. In Ubuntu, root login is even disabled by default (you have to sudo). So no worries about the system in general. Although it's pretty devastating to issue a "rm -rf ~" to delete the user's home directory, it's on par with Windows. Then you say that most malware doesn't even need root access to function, but on all the millions of XP boxes out there, it's already given root access by default.

      Another reason why it would be even more serious on Linux is the way you can pipe commands and how most systems come pre-packaged with a ton of little utility apps. You can create the whole malware with a series of commands, or wget a bash script from the internet and start that to hide even more malware in the system.

      Windows has a pipe function too, in addition to being able to zoink your whole file system with a simple "del". It also comes with ftp and telnet, which are handy replacements for wget. In short telnet+response file = download an .exe from the web = any sort of functionality you might want using Unix command line tools.

      Your comment, sir, is vapid.

      --
      An old-timer with old-timey ideas.
    2. Re:Linux is vulnerable too by sopssa · · Score: 4, Informative

      If it can't boot after a vulnerability is exploited or you can't remove it within 30 minutes then have it count doubly so.

      The days when malwares purpose to trash the system to an unbootable state have been over for 15 years. Now a days you don't really even notice them being on your machine unless its one of those which show fake virus alerts. How would you notice if it just starts sending spam or sniffing your passwords?

      Another point is that you can fairly easily hide in a Linux system. If you absolutely need root access, there have been serious privilege escalation exploits over the years. Most of the Linux systems aren't even necessarily being patched consistently. I've seen one of these privilege exploits used on many hosting companies that usually keep their systems up to date and secure too. That beside the point that it's not usual that you even need root access.

  2. Dupe Dupe by Nerdfest · · Score: 5, Informative

    I believe this exploit has already been patched in FoxIT, assuming this is the same exploit descibed here on SlashDot 2 weeks ago. Strangely, I haven't seen an update from Adobe ...

    1. Re:Dupe Dupe by phayes · · Score: 4, Informative

      Yes, foxit has patched the vuln: http://forums.foxitsoftware.com//showthread.php?t=18044

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
  3. Re:Drop it like the disease it is by abigsmurf · · Score: 4, Informative

    You clearly didn't read the article or even the summary. This exploit affects Foxit too. It's an exploit of the PDF standard itself

  4. Dupe by MobyDisk · · Score: 4, Informative

    Dupe from Slashdot, March 31st

  5. Re:Linux is more Secure than Windows by headkase · · Score: 4, Informative

    KPDF (now Okular) has specifically forbidden this behavior forever because it is a security risk. I use Okular myself so I am not vulnerable to this issue. Since it has been known so long to be a security issue in Linux-land why has Adobe allowed it so long? XPDF also is not vulnerable to this issue and so on. So it appears to be a tempest in a tea-cup for Linux and just another day on Windows.

    --
    Shh.
  6. Not really an exploit... by Skuld-Chan · · Score: 5, Informative

    This feature is in the PDF specification, and in fact in the youtube video you'll notice that the trust manager warning is pretty severe "only do this if you trust the PDF" sort of thing.

    To me its akin to downloading an EXE from a website with a browser and clicking the open button...

  7. Re:Drop it like the disease it is by Anonymous Coward · · Score: 4, Informative

    You clearly didn't read the last week's Slashdot article. This exploit is already fixed in Foxit.