Slashdot Mirror


No JavaScript Needed For New Adobe Exploits

bl8n8r writes "More woes for Adobe as a security firm creates a proof-of-concept attack that injects malicious code as part of the update process. The user only needs to click a dialog box to execute the code and no JavaScript is needed to launch the exploit. The exploit affects Foxit as well as Adobe Acrobat software. This exploit is made possible through the host software allowing execution of system binaries. Not clear if it's multi-platform, but seems plausible."

7 of 187 comments

  1. Re:Linux is vulnerable too by headkase · · Score: 2, Interesting

    Runs with the same privileges as the parent program. So it can kill my home folder, not "rm -rf /". And like every other security hole found so far it will be written out. Considering they all get written out the fair comparison would be comparing number and severity of vulnerabilities by platform. If it can't boot after a vulnerability is exploited or you can't remove it within 30 minutes then have it count doubly so.

    --
    Shh.
  2. Solution by abigsmurf · · Score: 2, Interesting

    Have the dialogue control specify that you are potentially allowing the PDF to alter other documents (maliciously or otherwise).

    It's not exactly the first time a method of using social engineering to trick people has been part of a standard. Altering the status bar in JavaScript in order to aid phishing attacks was one.

  3. Google Docs by areusche · · Score: 2, Interesting

    Screw Adobe and other client-side PDF readers. Am I vulnerable if I use Google's PDF viewer to view PDFs?

  4. Re:Code, meet data by Animats · · Score: 3, Interesting

    Because some genius thought that it was a great idea to put a launch command in the PDF spec.

    Yes. That should formally be removed from the ISO standard.

    I tried the proof of concept code in SumatraPDF, and it didn't work. But that may be a bug in SumatraPDF; there's an error message about a sync file failure.

  5. Re:Drop it like the disease it is by clone53421 · · Score: 2, Interesting

    As it’s apparently a standard PDF feature, giving it a shot to run whatever command line its author desires...

    Yeah, it would affect anything that supported that feature.

    Note that the clean pdf, after it is infected, pops up the window asking to run “firefox.exe sudosecure.net”. I’m not sure exactly how he did it, but note that there is a huge mass of text (judging from the scrollbar) above the “it’s okay, let me do this” message in the evil pdf. He’d have to somehow create a malicious binary and then execute it. One suspicion I have... a polyglot.

    evil.txt:

    %bad stuff here... bla bla bla, execute me from the command prompt

    Then...

    copy /b evil.txt + clean.pdf evil.pdf

    Result: evil.pdf opens just fine in Acrobat Reader, but it has the injected code at the beginning, disguised as a comment.

    No comment on whether it is specific to 32-bit or 64-bit versions of Windows... and why might that be significant, you ask? Because 64-bit versions of Windows do not include DEBUG.EXE.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
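
Added example, not part of any comment in this thread or of the proof of concept: a Python triage check for the two things discussed above, a Launch action in the file (comment 4) and bytes placed ahead of the PDF header (comment 5). The name `triage_pdf` and the sample byte strings are constructed for illustration, and the check does not look inside compressed streams.

```python
import re

# PDF names may hex-escape characters ("#4C" is "L"); decode before matching.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_LAUNCH = re.compile(rb"/Launch(?![A-Za-z0-9])")
_HEADER = re.compile(rb"%PDF-\d\.\d")


def decode_names(data: bytes) -> bytes:
    """Undo #xx escapes so an escaped spelling of /Launch still matches."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Flag a Launch action and any bytes sitting ahead of the %PDF- header.

    Limitation: objects stored in compressed streams are not inspected.
    """
    header = _HEADER.search(data)
    offset = header.start() if header else -1
    return {
        "header_offset": offset,          # -1: no header found at all
        "prefixed_data": offset > 0,      # something precedes the header
        "launch_actions": len(_LAUNCH.findall(decode_names(data))),
    }


# Constructed sample fragments (not complete PDFs, not from the page).
CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
WITH_LAUNCH = CLEAN + b"2 0 obj\n<< /S /Launch /F (PLACEHOLDER) >>\nendobj\n"
ESCAPED = CLEAN + b"2 0 obj\n<< /S /#4Caunch /F (PLACEHOLDER) >>\nendobj\n"
PREFIX = b"%constructed filler line\r\n"
PREFIXED = PREFIX + WITH_LAUNCH

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN), ("launch", WITH_LAUNCH),
                       ("escaped", ESCAPED), ("prefixed", PREFIXED)]:
        print(name, triage_pdf(blob))
```

A non-zero `launch_actions` count or a `header_offset` above zero is a reason to quarantine the file for closer inspection, not proof that it is malicious.
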
  6. OT: Are non-Adobe PDF apps less vulnerable? by guanxi · · Score: 2, Interesting

    Would switching to a non-Adobe PDF viewer make you safer? I understand this exploit affects Foxit, but there are many other exploits and PDF viewers (MacOS X's Preview, Ghostview/GSView, CutePDF, Nitro, etc.).

    Usually the headline says the exploits are in Acrobat; and given Adobe's much larger installed base, they are a much more likely target; but perhaps the exploits are really in PDFs (or JavaScript) in general.

  7. Re:Linux is vulnerable too by Anonymous Coward · · Score: 1, Interesting

    In Ubuntu, root login is even disabled by default (you have to sudo).

    The difference between root login and a non-carefully-restricted sudo setup (which is the default on Ubuntu installs) is virtually meaningless.