No JavaScript Needed For New Adobe Exploits

← Back to Stories (view on slashdot.org)

No JavaScript Needed For New Adobe Exploits

Posted by CmdrTaco on Tuesday April 6, 2010 @03:52AM from the this-will-end-badly dept.

bl8n8r writes "More woes for Adobe as a security firm creates a proof-of-concept attack that injects malicious code as part of the update process. The user only needs to click a dialog box to execute the code and no JavaScript is needed to launch the exploit. The exploit affects Foxit as well as Adobe Acrobat software. This exploit is made possible through the host software allowing execution of system binaries. Not clear if it's multi-platform, but seems plausible."

134 of 187 comments (clear)

Linux is vulnerable too by sopssa · 2010-04-06 03:52 · Score: 3, Informative

Since it's part of the PDF specs, it should work in Linux too. What's even worse than with Windows is that since 'rm' is just a normal binary the PDF can launch that, and if you run as root privileges, just issue a command like "rm -rf /". If you don't run as root, then for example Ubuntu should give you the sudo box to input password to. This of course being just one of the examples it could do. Remember that most malware doesn't even need root access to function.
Another reason why it would be even more serious on Linux is the way you can pipe commands and how most systems come pre-packaged with a ton of little utility apps. You can create the whole malware with a series of commands, or wget a bash script from the internet and start that to hide even more malware in the system. Since most Linux systems dont even have the kind of application firewalls or antiviruses that Windows does, and because the Internet accessing is actually done via wget, they don't even get any kind of a "Give internet access to this application?" dialog.
It also doesn't help at all that most Linux users (especially those who are told so by the geeks!) believe that Linux cannot get malware. In my opinion this is a really stupid thing to do from those promoting Linux or Mac OS X as it will just lead to false sense of security.
1. Re:Linux is vulnerable too by headkase · 2010-04-06 03:57 · Score: 2, Interesting
  
  Runs with the same privileges as the parent program. So it can kill my home folder, not "rm -rf /" And like every other security hole found so far it will be written out. Considering they all get written out the fair comparison would be comparing number and severity of vulnerabilities by platform. If it can't boot after a vulnerability is exploited or you can't remove it within 30 minutes then have it count doubly so.
  
  --
  Shh.
2. Re:Linux is vulnerable too by caffeinemessiah · 2010-04-06 04:03 · Score: 4, Informative
  
  Maybe you should actually, you know,...use Linux before you attempt to troll about security.
  
  What's even worse than with Windows is that since 'rm' is just a normal binary the PDF can launch that, and if you run as root privileges, just issue a command like "rm -rf /". If you don't run as root, then for example Ubuntu should give you the sudo box to input password to. This of course being just one of the examples it could do. Remember that most malware doesn't even need root access to function.
  Nobody uses the root account in Linux for everyday activity. In Ubuntu, root login is even disabled by default (you have to sudo). So no worries about the system in general. Although it's pretty devastating to issue a "rm -rf ~" to delete the user's home directory, it's on par with Windows. Then you say that most malware doesn't even need root access to function, but on all the millions of XP boxes out there, it's already given root access by default.
  
  Another reason why it would be even more serious on Linux is the way you can pipe commands and how most systems come pre-packaged with a ton of little utility apps. You can create the whole malware with a series of commands, or wget a bash script from the internet and start that to hide even more malware in the system.
  
  Windows has a pipe function too, in addition to being able to zoink your whole file system with a simple "del". It also comes with ftp and telnet, which are handy replacements for wget. In short telnet+response file = download an .exe from the web = any sort of functionality you might want using Unix command line tools.
  Your comment, sir, is vapid.
  
  --
  An old-timer with old-timey ideas.
3. Re:Linux is vulnerable too by sopssa · 2010-04-06 04:03 · Score: 4, Informative
  
  If it can't boot after a vulnerability is exploited or you can't remove it within 30 minutes then have it count doubly so.
  The days when malwares purpose to trash the system to an unbootable state have been over for 15 years. Now a days you don't really even notice them being on your machine unless its one of those which show fake virus alerts. How would you notice if it just starts sending spam or sniffing your passwords?
  Another point is that you can fairly easily hide in a Linux system. If you absolutely need root access, there have been serious privilege escalation exploits over the years. Most of the Linux systems aren't even necessarily being patched consistently. I've seen one of these privilege exploits used on many hosting companies that usually keep their systems up to date and secure too. That beside the point that it's not usual that you even need root access.
4. Re:Linux is vulnerable too by Voulnet · 2010-04-06 04:03 · Score: 1
  
  So it's about time Linux users get down to earth and learn "It's not the system, it's the user" the hard way?
5. Re:Linux is vulnerable too by Lunix+Nutcase · 2010-04-06 04:04 · Score: 1
  
  Except that it has been shown to not work on other PDF readers than Acrobat.
  
  The exploit affects Foxit as well as Adobe Acrobat software.
6. Re:Linux is vulnerable too by sopssa · 2010-04-06 04:05 · Score: 1
  
  Except that it has been shown to not work on other PDF readers than Acrobat.
  Did you even read the two-line summary?
  
  The exploit affects Foxit as well as Adobe Acrobat software.
  And that's the only software tested with. It's part of the PDF specs, so its likely other PDF readers are affected too.
7. Re:Linux is vulnerable too by Voulnet · 2010-04-06 04:07 · Score: 1
  
  No one is saying Linux is about as secure as XP, but the OP is saying that because of the spreading culture among many Linux users that there is no way they can get malware, this type of attack might easily fly under the radar. No need to compare to XP because we all know it's not a fair comparison!
8. Re:Linux is vulnerable too by sopssa · 2010-04-06 04:08 · Score: 1
  
  "del" is a Windows command, not an application. It doesn't work the same way.
  Also I know that most Linux users don't run as root - but just like with Windows, some people do it for convenience. Yes, there really are such people.. even I don't always su out of root even if some command between what I'm doing doesn't require root.
9. Re:Linux is vulnerable too by headkase · 2010-04-06 04:19 · Score: 1
  
  even I don't always su out of root even if some command between what I'm doing doesn't require root
  So how does this Adobe flaw get access to your root terminal to continue issuing commands? And if you are running your desktop session as root you are an idiot. Ubuntu doesn't even have root it has sudo and if you want to enable the root account ("sudo passwd root") you have to go out of your way to make your system insecure. The fact is that unlike Windows Linux programs are written to not require root. If you get a escalation prompt anywhere you didn't ask for it then that is proof enough that something nefarious is at work. The system is only as secure as you but by default Linux is more secure than Windows. You are free to move about from there.
  
  --
  Shh.
10. Re:Linux is vulnerable too by Nick+Number · 2010-04-06 04:20 · Score: 1
  
  In short telnet+response file = download an .exe from the web = any sort of functionality you might want using Unix command line tools.
  This is a minor point, as there are plenty of other malicious things you can do with a command line, but the built-in Windows telnet client doesn't support response files.
  
  --
  Promote proofreading. Don't mod up sloppy posts.
11. Re:Linux is vulnerable too by gzipped_tar · 2010-04-06 04:26 · Score: 1
  
  If Linux has made malware creation easier, it has also made defense against them easier too. For example, a simple SELinux policy change should nix this kind of exploit without forcing the PDF application to not follow the (shitty) standard and refuse to /launch things. Launch all you want, and just see them intercepted by SELinux mandatory access control.
  Or if you're feeling geeky, do it in your sandbox. http://www.linux-magazine.com/Online/News/SELinux-Sandbox-for-Untrusted-Programs
  
  --
  Colorless green Cthulhu waits dreaming furiously.
12. Re:Linux is vulnerable too by yossarianuk · 2010-04-06 04:27 · Score: 1
  
  But it only effects the official Adobe browser which no one with half a brain would be using in the first place (as faster/ lower memory and secure apps are bundled with gnome/kde)
13. Re:Linux is vulnerable too by sopssa · 2010-04-06 04:29 · Score: 2
  
  I suspect it uses normal exec(), just like it works in every other program.
  Almost any Windows program doesn't require root/admin now a days, and if they do, it's for a reason. You can't really compare to Windows 98 and the programs from that age. If we go that route, we might as well start digging the hundreds of privilege escalation and remote exploits that Linux in its history has had.
  You also don't need to run the whole desktop as root. You can launch Firefox by typing "firefox" in terminal (either in text-mode terminal, or the terminals in X), if it just has a desktop to connect to. This is how you start applications to a remote X desktop like Xming too.
14. Re:Linux is vulnerable too by EvanED · 2010-04-06 04:31 · Score: 1
  
  "del" is a Windows command, not an application. It doesn't work the same way.
  You can still run cmd /k "del /S /Q C:\".
15. Re:Linux is vulnerable too by The+MAZZTer · 2010-04-06 04:31 · Score: 1
  
  I'm not sure how he thinks rm is a normal binary but rmdir.exe isn't...
16. Re:Linux is vulnerable too by munrom · 2010-04-06 04:33 · Score: 1
  
  "del" is a Windows command, not an application. It doesn't work the same way.
  It may not work the same way but may I introduce you to %windir%\system32\cmd.exe -C del /F /S /Q C:\*, it's just as deadly to a system.
  
  Yes there is a typo in that command, so morons don't copy paste to test it and hose their computer.
17. Re:Linux is vulnerable too by dAzED1 · 2010-04-06 04:33 · Score: 1
  
  there is absolutely, positively, no one that "do[es] it for convenience" with any distro released in the last bloody decade that has any statistically relevant user base. Every little tool along the way would complain about you being root, nagging you until the easiest thing to do is to just log in as a regular user.
18. Re:Linux is vulnerable too by EvanED · 2010-04-06 04:34 · Score: 1
  
  The vast majority of currently circulating viruses/malware requires Administrator privileges.
  Only 'cause the malware is as poorly written as many applications, or it requires admin privileges to spread. If you remove the latter requirement (e.g. by exploiting holes in PDFs), then there's no reason that the malware would need admin rights.
19. Re:Linux is vulnerable too by sopssa · 2010-04-06 04:36 · Score: 1
  
  But SELinux is pain in the ass and generally disabled on every desktop oriented Linux distro like Ubuntu. I also doubt any casual users will go (or even know about) some SELinux policy change. Windows has the same kind of tools and settings available, so it all boils down to how knowledgeable the user is about security. The choice of OS can't really help much with that.
20. Re:Linux is vulnerable too by gmuslera · 2010-04-06 04:39 · Score: 1
  
  Usually you don't use those linux servers on hosting companies as desktops where you run acrobat reader. And desktops/notebooks/etc are usually more frequently updated (both as using new distributions or with patches available in the case you prefer to stick with a non latest version).
  
  But anyway, you don't need root access to do most of what botnets/spambots do, with plain user access is bad enough. And targetted attacks could access most of what the user do without needing to go root neither.
21. Re:Linux is vulnerable too by weicco · 2010-04-06 04:40 · Score: 1
  
  As already said, malware doesn't need to run as root or Administrator.
  But then it comes to sudo prompt / UAC. How are you going to educate old granny not to enter root/admin password when OS asks for it unless there a valid need for it? Heck, I've playing and working with computers (C64, C128, Amiga, PC Windows/Linux/BSD, Sparc/Solaris etc. etc.) for 25 years now and even I can't always tell when UAC (yes, I'm using Vista currently) prompt is valid or not! Just yesterday some Java-piece-of-crap asked for admin privileges all the sudden and I said heck no. My dad for instance would have entered the password without even thinking about it. My wife too but I haven't told her the password, which brings some social issues to the picture also...
  "by default Linux is more secure than Windows" - Oh, for heaven's sake. Linux is by default more secure so we don't need to worry about this Adobe exploit? I would worry about it even if I were using OpenBSD!
  
  --
  You don't know what you don't know.
22. Re:Linux is vulnerable too by headkase · 2010-04-06 04:40 · Score: 1
  
  The fact remains and is insoluble right now that Windows allows root access more easily than Linux. You have to go out of your way to be root on Linux, XP (a very common operating system still in use) gives you root as a matter of course. And you can compare XP and Linux because both are commonly used right now. Vista will elevate on a whim and I'm sure 7 would too, at least with Linux when something tries to elevate you wonder why where with Windows you'd be right the majority of the time just assuming it was written for XP (if you're even not root) and allowing it blindly.
  
  --
  Shh.
23. Re:Linux is vulnerable too by gzipped_tar · 2010-04-06 04:56 · Score: 2, Insightful
  
  > so it all boils down to how knowledgeable the user is about security
  But you're the one who brought up this "Linux makes creating malware handier and stealthier" argument, and you're now resorting to the same old, tiring "user incompetence" excuse?
  And did you just pulled that argument from your ass, or have you actually worked on malware on Linux, Windows and Mac OS X and compared them before making that post?
  And yes, some people are creating a false sense of security around Linux. But aren't you creating a false sense of threat as well?
  It is not Linux that has made malware more threatening. Incompetent design (like this) and poor programming practice make has made malware possible, on all platforms, and now the popularity (or rather, low cost) of incompetent design and poor programming is making it rampant.
  But next perhaps someone will tell me that Linux is doomed because most distros ship gcc and gdb by default and they're used to create malware.
  
  --
  Colorless green Cthulhu waits dreaming furiously.
24. Re:Linux is vulnerable too by Volante3192 · 2010-04-06 05:06 · Score: 1
  
  They do? Then why is it I have to regularly cleanup malware on user accounts that are not running as admin?
  (Fortunatly, the cleanup is nice: log in under another restricted user account, elevate, copy over their docs and desktop, then blow out their profile folder entire. It's beautiful.)
25. Re:Linux is vulnerable too by LordLimecat · 2010-04-06 05:08 · Score: 1
  
  You have to go out of your way to be root on Vista and 7, so Im not sure what your point is.
26. Re:Linux is vulnerable too by LordLimecat · 2010-04-06 05:10 · Score: 1
  
  It also affects PDF X-change, tho with a prompt
27. Re:Linux is vulnerable too by 0123456 · 2010-04-06 05:17 · Score: 1
  
  But SELinux is pain in the ass and generally disabled on every desktop oriented Linux distro like Ubuntu..
  SELinux works fine in Redhat, at least to the extent that I've used it.
  However, Ubuntu has Apparmor instead, and I believe they use it to wrap the PDF viewers by default. So even if this exploit works with some Linux PDF viewer it will probably not be allowed to execute arbitrary application files or modify arbitrary disk files on Ubuntu... making it far less effective.
28. Re:Linux is vulnerable too by Anonymusing · 2010-04-06 05:17 · Score: 1
  
  I really don't care about the rest of your comment (one way or t'other), but "Your comment, sir, is vapid" ought to earn you a few thousand mod-ups. Thank you.
  
  --
  Liberal? Conservative? Compare perspectives at Left-Right
29. Re:Linux is vulnerable too by shutdown+-p+now · 2010-04-06 05:18 · Score: 1
  
  "del" is a Windows command, not an application. It doesn't work the same way.
  Do you mean "cmd.exe command"? It's true, but what does it matter, if you can just do "cmd.exe /c del /s /q c:\*.*", and get the same effect?
30. Re:Linux is vulnerable too by shutdown+-p+now · 2010-04-06 05:24 · Score: 1
  
  Since it's part of the PDF specs, it should work in Linux too. What's even worse than with Windows is that since 'rm' is just a normal binary the PDF can launch that, and if you run as root privileges, just issue a command like "rm -rf /".
  In Windows, the PDF can launch cmd.exe, passing it the commands to execute as parameters (with /c), so nothing changes.
  
  ... if you run as root privileges, just issue a command like "rm -rf /". If you don't run as root, then for example Ubuntu should give you the sudo box to input password to.
  
  Have you ever actually used Ubuntu?
  No, you won't get a sudo box if you run "rm -rf /" on an account which doesn't have permission. You'll get "permission denied", exactly the same as if you'd try "rmdir /s C:\Windows" from non-admin in Windows.
  There's no auto-elevation, neither in Windows nor in Unix. The program has to be explicitly coded to request the OS service (UAC or gksudo) to pop up the confirmation dialog, when it believes that it needs it. Command-line tools, obviously, don't do that.
  
  Another reason why it would be even more serious on Linux is the way you can pipe commands and how most systems come pre-packaged with a ton of little utility apps. You can create the whole malware with a series of commands, or wget a bash script from the internet and start that to hide even more malware in the system.
  Well, Windows 7 comes with PowerShell out of the box, which allows for a single command line that runs a script that has full access to all .NET Framework classes. This means things such as System.Net namespace, and specifically WebRequest class to download stuff over HTTP & FTP, and SmtpClient class to conveniently send mail.
  It really is a pointless distinction. The moment you can run an arbitrary command line using an exploit is the moment you can completely pwn the epxloited system, on practically any OS.
31. Re:Linux is vulnerable too by shutdown+-p+now · 2010-04-06 05:32 · Score: 1
  
  Nobody uses the root account in Linux for everyday activity. In Ubuntu, root login is even disabled by default (you have to sudo). So no worries about the system in general.
  There is actually one way in which this can potentially be more harmful in Linux than in Windows, although GP missed that one (for all the invented stuff that he came up with). The problem is that sudo caches your credentials for a certain period of time (5 minutes by default, IIRC) after you use it for a given user account. So, if you use sudo to run something that needs it, and then exit that application, and then some malware does exec sudo shortly after, it will quietly get root.
  You can disable this by setting the timeout to 0, of course, it's just that the default setting is not quite secure. Of course, this is pretty hard to exploit deliberately, so it's more a matter of luck (opening a PDF with exploit at the wrong moment). Windows UAC doesn't have this problem, as it doesn't have any caching - it will always pop up the elevation prompt.
  The reason for this, so far as I know, is because sudo has to ask you for the password whenever elevation is needed, and it was considered to be a severe inconvenience to have to input it every time when running a series of commands that need elevation - supposedly, the user already communicates the intent to elevate clearly by typing "sudo".
  Windows, on the other hand, has a special group for people who can elevate without typing a password (which is where the default user account in a newly installed system put), though it still requires user interaction (clicking "Yes, I do want to elevate" in a dialog), so that malware cannot quietly elevate behind user's back - so there's no inconvenience associated with retyping the password there, and the timeout isn't needed.
  I'm actually wondering why Linux (at least user-friendly distros, such as Ubuntu) doesn't adopt the Windows UAC approach - it seems to be more straightforward to me, and not any less secure (maybe even more so, since it disposes with sudo caching).
32. Re:Linux is vulnerable too by nuckfuts · 2010-04-06 05:35 · Score: 1
  
  Windows... comes with ftp and telnet...
  Telnet is not available by default in Windows Vista and Windows 7, but can be enabled via "Control Panel" > "Programs and Features" > "Turn Windows features on or off".
33. Re:Linux is vulnerable too by robmv · 2010-04-06 05:43 · Score: 1
  
  It is easy to get access to root even when you have only access to an unprivileged user, change the user PATH in .bash_profile (for example), put a wrapper sudo or su to one of the directories added to the PATH, then you will get access to the root password or access to sudo if you fake it enough so the user believe you are using the real one. Only if Home directories where mounted noexec by default this could not work. I remember how people got users password on my college says just running a fake login prompt on the laboratory terminals
34. Re:Linux is vulnerable too by Anonymous Coward · 2010-04-06 05:46 · Score: 1, Interesting
  
  In Ubuntu, root login is even disabled by default (you have to sudo).
  The difference between root login and a non carefully restricted sudo setup (which is the default on Ubuntu installs), is virtually meaningless.
35. Re:Linux is vulnerable too by Threni · 2010-04-06 05:53 · Score: 1
  
  People thinking Linux is secure doesn't make it more prone to malware. Computer programs don't care what you think about them, or other programs.
36. Re:Linux is vulnerable too by icebraining · 2010-04-06 06:02 · Score: 1
  
  The way I've seen to download files was to use tftp.exe.
  
  --
  Dilbert RSS feed
37. Re:Linux is vulnerable too by jank1887 · 2010-04-06 06:12 · Score: 1
  
  just curious, what version of PDF did this become default behavior? Sounds like it's time to roll PDF back a few versions. I can live without active PDF content and fillable forms that remember my previous text input.
38. Re:Linux is vulnerable too by Kitkoan · 2010-04-06 06:21 · Score: 1
  
  Linux may be vulnerable too, if your running the Linux version of Adobe Reader which you would have to go out and get on your own. Every version of Linux I have tried has an open source PDF reader that isn't Adobe's. As for the Firefox exploit, FTA it states that the Firefox must be running the addon Foxit and I'm not sure how common that is.
  Though I highly agree with you that Linux users shouldn't believe that Linux can't get malware. It's more unlikely of the 3 major OS's (Windows, OSX, Linux), but that doesn't make it impossible.
  
  --
  Attention... all grammer nazi"s! Is they're anything; wrong with: my post,
39. Re:Linux is vulnerable too by randallman · 2010-04-06 06:22 · Score: 1
  
  Since most Linux systems dont even have the kind of application firewalls or antiviruses that Windows does, and because the Internet accessing is actually done via wget, they don't even get any kind of a "Give internet access to this application?" dialog.
  These things slow your computer down and make using applications annoying. They exist on Windows because of the massive problem of malware on Windows. They do not exist on Linux because in general, malware on Linux is not a problem. You can speculate as to why, but that's the way it is. Where real problems exist with Linux, like rootkits, solutions exist (e.g. chkrootkit). If viruses and such get to be a problem, solutions will appear. At the moment virus scanners and outgoing firewall prompts are not needed on Desktop Linux and are a hindrance to usable computing. I think your post is FUD.
40. Re:Linux is vulnerable too by h4rr4r · 2010-04-06 06:30 · Score: 1
  
  If you run a pdf reader app as root you deserve what you get.
41. Re:Linux is vulnerable too by reub2000 · 2010-04-06 07:40 · Score: 1
  
  What? I frequently convert openoffice and latex files to pdf on linux.
42. Re:Linux is vulnerable too by idontgno · 2010-04-06 07:43 · Score: 1
  
  Of course programs care what you think of them. (Or stepping away from gratuitous and confusing anthropomorphizing, the authors of such software care.)
  Trojans and other automated social engineering depend on projecting trustworthiness; i.e., that the user thinks the software is both reliable and desirable. If user perceptions of software didn't matter, malware wouldn't try to trick users. They'd just say "click here to get pwned".
  Until Chuck Norris manifests himself as malware, what users think of software will continue to directly influence its effectiveness.
  
  --
  Welcome to the Panopticon. Used to be a prison, now it's your home.
43. Re:Linux is vulnerable too by thuerrsch · 2010-04-06 08:16 · Score: 2, Informative
  
  Well said. Also don't forget that Evince, the default pdf viewer in Gnome and in Ubuntu, is immune to this exploit, as confirmed by several comments on Didier Stevens' original announcement.
  
  So here we have another good reason not to use Acrobat Reader on Linux (or on anything else, for that matter), but also not to trust closed-source alternatives like FoxIt. Evince is fast, efficient, easy to use, has all the necessary features, nothing more, nothing less. And hey, there's even a Windows version!
  
  --
  most of what follows is true
44. Re:Linux is vulnerable too by randallman · 2010-04-06 08:30 · Score: 1
  
  Virus scanners and outgoing firewalls are a crummy way to handle these threats. Linux handles them in a better way
45. Re:Linux is vulnerable too by afidel · 2010-04-06 09:45 · Score: 1
  
  tftp is non-routed so that won't do you much good for getting malware on a machine.
  
  --
  There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
46. Re:Linux is vulnerable too by Culture20 · 2010-04-06 10:08 · Score: 1
  
  Nobody uses the root account in Linux for everyday activity. In Ubuntu, root login is even disabled by default (you have to sudo).
  And since sudo usually caches creds, you might still be vulnerable; or you will be when the sleep-loop malware script sees a sudo in ps and sudos right in itself.
47. Re:Linux is vulnerable too by nobodie · 2010-04-06 16:45 · Score: 1
  
  Sorry, but i agree. As ubuntu becomes ubiquitous it will become a target, as well as catching stray bullets from app malwares like this one. I hated the constant fuss with windows insecurity, one reason i left it (but not the main one) but i still carry that paranoia with me. Yes I have a firewalled router, file server and home network. Yes, i do run antivirus weekly and have never found a virus except in my virtualbox copy of windows. still, i know that there are sick puppies in the world and i backup weekly in two externals because bad shit does happen, frequently and most often when you least expect and can least afford it.
  
  --
  Subversion of spatial scale luxury decoration ideas.
48. Re:Linux is vulnerable too by tokul · 2010-04-06 18:07 · Score: 1
  
  If you don't run as root, then for example Ubuntu should give you the sudo box to input password to.
  
  No, it does not. sudo box does not pop out every time you run command. It pops out when you call command with graphical sudo wrapper.
Solution by abigsmurf · 2010-04-06 03:59 · Score: 2, Interesting

Have the dialogue control specify that you are potentially allowing the PDF to alter other documents (maliciously or otherwise).

It's not exactly the first time a method of using social engineering to trick people has been part of a standard. Altering the status bar in JavaScript in order to aid phishing attacks was one.
1. Re:Solution by Yvanhoe · 2010-04-06 04:23 · Score: 4, Insightful
  
  The attack requires the user of the computer to allow the code to be executed by agreeing to it via a dialog box. However, the attacker could at least partially control the content of the dialog box that appears to prompt the user to launch the executable and thus use social engineering to entice the computer user to agree to execute the malware, said Conway.
  Solution : stop accepting that documents should execute binaries in order to display properly.
  
  --
  The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
2. Re:Solution by abigsmurf · 2010-04-06 04:36 · Score: 1
  
  Which is why you ensure programs display a fixed message for (or in addition to) these dialogs so it's impossible to mislead the user.
3. Re:Solution by robot256 · 2010-04-06 07:20 · Score: 1
  
  It's just PDF 2.0... You can't have 2.0 without executable code. If it doesn't move, it's so pre 2.0.
  So, is this no longer a problem in France?
Dupe Dupe by Nerdfest · 2010-04-06 04:00 · Score: 5, Informative

I believe this exploit has already been patched in FoxIT, assuming this is the same exploit descibed here on SlashDot 2 weeks ago. Strangely, I haven't seen an update from Adobe ...
1. Re:Dupe Dupe by sopssa · 2010-04-06 04:12 · Score: 2, Informative
  
  Yes, Foxit patched it last week. It uses the same technique so the Foxit patch should work, but this new "exploit" just takes it a bit further in that the malware can be embedded in the PDF file.
2. Re:Dupe Dupe by lahvak · 2010-04-06 04:40 · Score: 1
  
  I am not completely sure, as I don't use foxit, but if I remember correctly, the problem with the last exploit on foxit was that it executed the binary without a dialog box. Adobe reader asked user to confirm with a dialog box. In my opinion something like that is not a vulnerability, so adobe had nothing to patch.
  
  --
  AccountKiller
3. Re:Dupe Dupe by phayes · 2010-04-06 04:43 · Score: 4, Informative
  
  Yes, foxit has patched the vuln: http://forums.foxitsoftware.com//showthread.php?t=18044
  
  --
  Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
Re:Drop it like the disease it is by abigsmurf · 2010-04-06 04:00 · Score: 4, Informative

You clearly didn't read the article or even the summary. This exploit affects Foxit too. It's an exploit of the PDF standard itself
Re:Drop it like the disease it is by Duradin · 2010-04-06 04:00 · Score: 1

Doesn't the summary mention that Foxit is vulnerable to it as well?
"The exploit affects Foxit as well as Adobe Acrobat software."
Microsoft to Blame by MyLongNickName · 2010-04-06 04:01 · Score: 1, Insightful

As has alreay been pointed out, the worst this "exploit" can do is elevate to the same rights as the user. As anyone with a CS degree (or even any true IT experience) would know, these rights should be limited.
Now, Microsoft has for DECADES pushed the paradigm of giving the user administrative rights. Sure, they are making solf half-hearted attempts now to change this. But they created an environment of 3rd party software relying on this full rights model... and it is biting us all on the butt.
So, as usual, Microsoft is to blame.

--
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
1. Re:Microsoft to Blame by sopssa · 2010-04-06 04:13 · Score: 2, Insightful
  
  Most malware doesn't need root/admin access. It's only needed if you want to pwn or hack the server. Malware on the other hand runs just happily in userland too.
2. Re:Microsoft to Blame by DIplomatic · 2010-04-06 04:14 · Score: 1
  
  As has alreay been pointed out, the worst this "exploit" can do is elevate to the same rights as the user. As anyone with a CS degree (or even any true IT experience) would know, these rights should be limited.
  Now, Microsoft has for DECADES pushed the paradigm of giving the user administrative rights. Sure, they are making solf half-hearted attempts now to change this. But they created an environment of 3rd party software relying on this full rights model... and it is biting us all on the butt.
  So, as usual, Microsoft is to blame.
  As anyone who checks /. (or has even been on the internet) would know, every time a vulnerability surfaces that affects Windows systems, the "M$ h8ers" come out of the woodwork.
  Now these teenagers have for DECADES pushed the paradigm that if not for Microsoft and Windows, there would be no viruses or exploits, and the computing world would be a carefree, happy, command-line pleasure paradise. Sure, they make half-hearted excuses about Windows's bloated codebase and it's market penetration, and tech-un-savyy users. But every time I open a Slashdot article I have to slog through ignorant and off-topic comments blaming the big M for every botnet and script kiddie and nigerian phisher.
  So, as usual, Linux is to blame.
3. Re:Microsoft to Blame by Abcd1234 · 2010-04-06 04:18 · Score: 1
  
  As has alreay been pointed out, the worst this "exploit" can do is elevate to the same rights as the user.
  Yeah, and then you're just a local privilege exploit away from being fully owned.
  And this is ignoring the fact that malicious users can do plenty with a non-privileged account (here's hoping you don't store any sensitive information unencrypted in your home directory).
4. Re:Microsoft to Blame by EvanED · 2010-04-06 04:38 · Score: 1
  
  As has alreay been pointed out, the worst this "exploit" can do is elevate to the same rights as the user.
  Which for single-user computers, that says "the worst this 'exploit' can do is close to the worse thing possible".
5. Re:Microsoft to Blame by shutdown+-p+now · 2010-04-06 05:34 · Score: 1
  
  Now, Microsoft has for DECADES pushed the paradigm of giving the user administrative rights.
  Since you're apparently unaware of the fact, this paradigm was a de facto standard on all home desktop OSes in the 90s. MacOS was not any different, and even Unix-like OSes that were explicitly desktop-oriented used root by default (e.g. BeOS).
Google Docs by areusche · 2010-04-06 04:02 · Score: 2, Interesting

Screw adobe and other client side PDF readers. Am I vulnerable if I use Google's PDF viewer to view PDFs?t
1. Re:Google Docs by kipd · 2010-04-06 04:17 · Score: 1
  
  Nope, it has been executed server-side. We now have the Google botnet to worry about.
Why is this shit coming up every week? by gzipped_tar · 2010-04-06 04:06 · Score: 1

I mean, is yet another Adobe exploit story really that newsworthy? Next you'll post stories on /. index page saying that water is found to be wet as usual.

--
Colorless green Cthulhu waits dreaming furiously.
Linux is more Secure than Windows by headkase · 2010-04-06 04:11 · Score: 3, Insightful

Linux is a lot different than running as root all the time on Windows. My security updates are pushed to me as they are fixed, not even pushing up to a month of vulnerability to patch unlike some systems meant to make corporate IT admins happy. All popular Linux distributions have an updating function: you get your security patches and patches to everything else in your repositories a lot more consistently than Windows. To deny this shows unfamiliarity with Linux. Thats even before you get into functions like selinux and apparmor which happen to be standard on my flavor. For everyone. This is also an Adobe bug, and doesn't affect most Linux PDF readers as far as I'm aware and even if it did I'd have a lot more faith that the Linux ones would be rendered immune more globally than the hodgepodge of updating (or lack of) systems on Windows. You're pointing the finger at Linux and saying: "You're vulnerable too!" But in the practical real world it is a case of not.

--
Shh.
1. Re:Linux is more Secure than Windows by sopssa · 2010-04-06 04:19 · Score: 3, Insightful
  
  It's not an Adobe bug, it's a feature in the PDF specs that can be exploited with user stupidity. That's the point I've been trying to made, no OS unless it's completely locked down a la iPhone will protect you from user stupidity. Not Windows, not Linux, not BSD.
  Maybe Ubuntu pushes updates itself, but Debian, Fedora and CentOS doesn't. Not for me at least, and I haven't changed anything regarding that. If you want to update, you need to type in the yum update or apt-get update commands manually. And thats before we even get to programs or distros that have you compile themself and you have to make sure to periodically check them and keep them up to date.
2. Re:Linux is more Secure than Windows by The+End+Of+Days · 2010-04-06 04:19 · Score: 2, Insightful
  
  You don't run as administrator in Windows anymore, either. Security updates are likewise pushed in windows. Windows has an updating function. Your statements all show unfamiliarity with Windows.
  This is not an Adobe bug, this is a vulnerability in the PDF spec. Readers not from Adobe have already been shown to be vulnerable.
  Linux is not immune, despite your specious claims.
3. Re:Linux is more Secure than Windows by daveime · 2010-04-06 04:25 · Score: 1
  
  Why would any document markup language have an executable function at all ?
  And why, if this really is "part of the PDF spec", has every single PDF reader implemented this crazy functionality ?
  One time where "following standards" has fucked us all up I guess.
4. Re:Linux is more Secure than Windows by commodore64_love · 2010-04-06 04:27 · Score: 1
  
  Puppy Linux runs on root, so it would be vulnerable.
  >>>doesn't affect most Linux PDF readers as far as I'm aware
  Good point.
  
  --
  "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
5. Re:Linux is more Secure than Windows by headkase · 2010-04-06 04:33 · Score: 4, Informative
  
  KPDF (now Okular) has specifically forbidden this behavior forever because it is a security risk. I use Okular myself so I am not vulnerable to this issue. Since it has been known so long to be a security issue in Linux-land why has Adobe allowed it so long? XPDF also is not vulnerable to this issue and so on. So it appears to be a tempest in a tea-cup for Linux and just another day on Windows.
  
  --
  Shh.
6. Re:Linux is more Secure than Windows by sopssa · 2010-04-06 04:41 · Score: 2, Insightful
  
  Xpdf and Okular on Windows aren't vulnerable either.
  Adobe PDF Reader on Linux is vulnerable.
  This goes to show that it doesn't matter which the OS is, as it's mostly about software or user stupidity. Windows and Linux are on par in this, neither one is better than the another. There is SELinux for Linux which can mitigate the issue, but there are such tools and settings for Windows too. Not that any casual user will put up with those in either system.
7. Re:Linux is more Secure than Windows by headkase · 2010-04-06 04:43 · Score: 1
  
  To say that Windows and Linux are on par for security borders on incredulous.
  
  --
  Shh.
8. Re:Linux is more Secure than Windows by jawtheshark · 2010-04-06 04:52 · Score: 2, Informative
  
  Try running most Windows XP software and see what happens.
  I keep hearing this repeated ad infintum. Since Win XP SP2, most software got adapted so it could run as Limited user. Even game developers got the message. The Sims 2 initially came out as "Admin only". That was patched within months when people complained.
  Anyway, even for non-behaving software, it is usually a matter of setting User-Write-Permissions on the folder of the misbehaving application. If that doesn't help, set User-Write-Permission to the subkey the application created in HKEY_LOCAL_MACHINE. Fixes 99% of the applications. If anyone bothered, this could be automated with a script or an appplication that has a database with known misbehaving applications and the necessary fixes. If people can make something like "the PC decrapiefer", this should be feasible too.
  Anyone with a remote clue can run Windows XP entirely as Limited User (for day to day operations, of course).
  Only slightly related: this is why removing the Security tab in the Home Version of XP was a bad idea. I know there was a way to install it again, but I never found it back.
  
  --
  Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
9. Re:Linux is more Secure than Windows by headkase · 2010-04-06 04:58 · Score: 1
  
  Linux build from 8 years ago? XP is still widely in use so it is fair to mention it, the average Linux build on a home computer (the target of this attack - servers have to need for Adobe Reader) are well newer than 8 years! I guess having Free updates to newer versions makes it a lot easier to stay current. His second response agreed with me. The third called me a fag. The fourth said it was a bug in the spec when every PDF viewer - except Reader - on Linux doesn't follow that part of the spec for security, and his last point denies that running as root is more severe than a limited account along with stating that everyone but idiots shouldn't have been running as root since NT. Nevermind that all the software on XP is broken when you're not root.
  
  --
  Shh.
10. Re:Linux is more Secure than Windows by LordLimecat · 2010-04-06 05:02 · Score: 1
  
  Try running most Windows XP software and see what happens.
  Yes, I recommend that to all of my clients. Some software really wants access to program files, but thats fixed with cacls on the directory. Very few programs actually need admin, even quickbooks (whose tech support guys will insist it does). And for the programs that really really need it, theres always runas; you dont need your whole shell running with admin priveleges.
  
  It is present in Adobe Reader, it has already been patched out of FoxIt and it never existed in XPDF.
  If you will read the article on this from several days ago, you will see that there was a PDF released which runs calc on windows, xcalc on unix, and whatever macs have on OSX. It is VERY MUCH a spec issue, NOT a windows issue. To repeat, THIS HAS BEEN DEMONSTRATED ON LINUX.
11. Re:Linux is more Secure than Windows by shutdown+-p+now · 2010-04-06 05:07 · Score: 1
  
  Try running most Windows XP software and see what happens.
  Unless you're running software that hasn't been updated in the last 5 years, it'll work just fine. For vast majority of home users, this will be the case. For enterprises, they may have a legacy line-of-business application written in 90s that needs Administrator - however, if you use a modern Windows OS (i.e. Vista/7), you just configure that particular application to request elevation when started.
  In any case, Adobe PDF reader (or any third-party reader) most definitely doesn't require admin.
  Oh, and even in XP days, being able to correctly work under unprivileged user account was a requisite for getting that "Designed for Windows XP" label on the box.
12. Re:Linux is more Secure than Windows by abigor · 2010-04-06 05:12 · Score: 1
  
  Nevermind that all the software on XP is broken when you're not root.
  While I don't disagree with your other points, this statement is false. Nearly all widely-used XP software runs just fine under a user with limited rights, as this is how XP is run in any corporate environment.
13. Re:Linux is more Secure than Windows by sopssa · 2010-04-06 05:14 · Score: 1
  
  Xpdf on Windows doesn't follow the spec for security either. The separate applications have nothing to do with OS security. The point is, this vulnerability affects Linux too.
14. Re:Linux is more Secure than Windows by jawtheshark · 2010-04-06 05:24 · Score: 1
  
  I know there was a way to install it again, but I never found it back.
  I knew I bookmarked it somewhere
  
  --
  Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
15. Re:Linux is more Secure than Windows by Mister+Whirly · 2010-04-06 05:31 · Score: 2, Insightful
  
  To pretend that one OS is inherently superior in security over another also borders on incredulous. Anytime a specific OS is mentioned in a security discussion, that person has lost the discussion, and does not understand the entire concept of security. Security isn't software. Security isn't an operating system. Security is a set of practices and policies that apply to all software and operating systems regardless of what specific type they are.
  
  --
  "But this one goes to 11!"
16. Re:Linux is more Secure than Windows by BrokenHalo · 2010-04-06 05:36 · Score: 1
  
  And why, if this really is "part of the PDF spec", has every single PDF reader implemented this crazy functionality ?
  
  I don't know, but according to TFA, there's an easy way to turn it off in the Adobe reader:
  Edit > Preferences > Categories > Trust Manager > PDF File Attachmentsand clearing the box 'Allow opening of non-PDF file attachments with external applications'.
17. Re:Linux is more Secure than Windows by icebraining · 2010-04-06 05:51 · Score: 1
  
  By default if you run firefox on linux/windows as a normal user, if firefox gets pwned, everything you can access as a normal user is at risk. Same for most programs you run.
  This security model is decades old and crap.
  Why? I just run Firefox in a different user, which doesn't have write permission to anything except a download folder. So exploiting Firefox isn't enough to get access to my files.
  
  --
  Dilbert RSS feed
18. Re:Linux is more Secure than Windows by hairyfeet · 2010-04-06 06:08 · Score: 2, Informative
  
  BTW if you either go to the Foxit site or even better run Filehippo update checker which will keep your Windows machine up to date with regards to 3rd party programs, you'll see that Foxit has already released a new version that fixes the bug.
  So the TFA should probably read "affects previous versions of Foxit" as like Firefox Foxit is great about getting patches out there quickly when threats are found.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
19. Re:Linux is more Secure than Windows by Kitkoan · 2010-04-06 06:27 · Score: 1
  
  no OS unless it's completely locked down a la iPhone will protect you from user stupidity.
  It's not alway user stupidity, just how the system is designed. Even a closed system like the iPhone can be hacked by a third party without access to the computer itself. This exploit effected all smartphones, granted only iPhone's didn't get patched against it until 48 hours after the information about it went public.But it showed that it was possible, even given it's locked down nature.
  
  --
  Attention... all grammer nazi"s! Is they're anything; wrong with: my post,
20. Re:Linux is more Secure than Windows by thsths · 2010-04-06 07:00 · Score: 1
  
  > You don't run as administrator in Windows anymore, either.
  And how many software packages still work then? Even Firefox had serious trouble with the update function under non-admin accounts until very recently.
  > Security updates are likewise pushed in windows.
  Pulled, to be precise. Via an Active-X plugin, yuck.
  > Windows has an updating function.
  No, it does not. The update "function" is a web site that sets of 3 security warnings in IE8.
  > Your statements all show unfamiliarity with Windows.
  Ditto.
21. Re:Linux is more Secure than Windows by impaledsunset · 2010-04-06 07:08 · Score: 1
  
  "We kpdf developers want to add it, but kde core developers won't allow it.
  [...]
  So unless you can convince the non believers you are not going to get that feature, sorry :-/"
  Good quote from the discussion. That's how (many) people view disabling features for security reasons. The developers get to be called "non believers". How do you tell these users how bad the feature they want is? And these are geeks posting bugs, and developers, not average Joes. The average Joe might even refuse to use the more secure version, even though he's most vulnerable, ironically.
22. Re:Linux is more Secure than Windows by Pentium100 · 2010-04-06 07:30 · Score: 1
  
  Linux is a lot different than running as root all the time on Windows.
  Let's say that there are no exploits to get root access on a Linux system. What can malware do with limited user account?
  rm -rf /home/user - would work, but useless
  sending spam - you don't need root access to send mail, do you?
  participating in a botnet - you don't need root access to open a port and give shell to whoever is connecting.
  searching user files for valuable information - would work
  I don't know if a keylogger would work without root access.
  So, a trojan (malware pretending to be a legitimate app) or a browser/reader exploit would still work.
23. Re:Linux is more Secure than Windows by plague3106 · 2010-04-06 07:36 · Score: 1
  
  And how many software packages still work then? Even Firefox had serious trouble with the update function under non-admin accounts until very recently.
  Pretty much all of them. That OSS people can't code properly on Windows doesn't suprise me in the least.
  Pulled, to be precise. Via an Active-X plugin, yuck.
  Linux updates are pulled too. Oh, and there's Automatic Update service which doesn't require activex and will still download updates for you. Just the user initiated UI was a web page, and starting with Vista that's not even true anymore.
  No, it does not. The update "function" is a web site that sets of 3 security warnings in IE8.
  Control panel -> Automatic Updates -> Check to download, or download and install automatically. No need to open a browser.
  You seem to be less familiar with Windows that the other was with Linux.
24. Re:Linux is more Secure than Windows by Red+Flayer · 2010-04-06 07:39 · Score: 1
  
  That's the point I've been trying to made, no OS unless it's completely locked down a la iPhone will protect you from user stupidity. Not Windows, not Linux, not BSD.
  Tha'ts not the point you were trying to make in your OP. The point you were trying to make in your OP was that the exploit is worse in Linux than in Windows. I quote>
  
  Since it's part of the PDF specs, it should work in Linux too. What's even worse than with Windows is that...
  
  Another reason why it would be even more serious on Linux is the way you can pipe commands
  
  Since most Linux systems dont even have the kind of application firewalls or antiviruses that Windows does, and because the Internet accessing is actually done via wget, they don't even get any kind of a "Give internet access to this application?" dialog.
  You're clearly attempting to make the case that Linux is worse for security in this case than Windows.
  
  It's OK. You can do that. Just don't lie and pretend you're doing something different.
  
  --
  "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
25. Re:Linux is more Secure than Windows by cababunga · 2010-04-06 09:13 · Score: 1
  
  Xpdf and Okular on Windows aren't vulnerable either. Adobe PDF Reader on Linux is vulnerable.
  With only the difference that Linux comes with Xpdf and Okular, so Linux users rarely bother to install Adobe's product, while most Windows users won't even know about existence of the secure alternatives.
26. Re:Linux is more Secure than Windows by afidel · 2010-04-06 09:30 · Score: 1
  
  I'll give you a real world example of how this functionality is used. We used Adobe standard to export email from our Lotus Notes email system so that any legal records can be imported into our content management system, these archives are a complete copy of the email records including metadata and attachments stored within a PDF file. Clicking on an attachment in the archive opens the system default viewer for that file type. Turning this feature off would significantly reduce the functionality and user friendliness of the solution.
  
  --
  There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
27. Re:Linux is more Secure than Windows by chrb · 2010-04-06 10:18 · Score: 1
  
  Adobe PDF Reader on Linux is vulnerable.
  I never understood why people bothered with Acrobat Reader on Linux - KPDF/Okular has been smaller, faster and nicer looking for years, and it integrates better with the KDE desktop. I'd imagine the same it true of whatever Gnome uses?
28. Re:Linux is more Secure than Windows by 0ld_d0g · 2010-04-06 14:15 · Score: 1
  
  Nevermind that all the software on XP is broken when you're not root.
  Thats a curious way to argue against security.
  "Hey I can't run all this badly written software on Windows unless I run as root, therefore Windows is insecure !"
29. Re:Linux is more Secure than Windows by vegiVamp · 2010-04-06 21:29 · Score: 1
  
  I fully agree, and had I modpoints I'd simply add a +1 insightful to your score.
  
  Since I haven't, though, I'd like to point out that while it is true that you can't simply equate security with a piece of software, you *can* compare how well two teams of developers (try to) adhere to those practices and policies.
  
  I have a feeling that Linus and the people who verify kernel patches have a better track record in that than the people at Microsoft who decide that a given feature WILL BE in the next release, regardless of developers pointing out that it's not quite finished yet.
  
  --
  What a depressingly stupid machine.
30. Re:Linux is more Secure than Windows by Mister+Whirly · 2010-04-07 02:14 · Score: 1
  
  I would argue that is mostly due to the fact that when Microsoft screws something up and breaks something with a patch or upgrade, millions of business workstations may be rendered useless and bring work to a screeching halt. Microsoft can't afford to screw up with a security patch, literally.
  
  --
  "But this one goes to 11!"
31. Re:Linux is more Secure than Windows by V+for+Vendetta · 2010-04-07 02:54 · Score: 1
  
  [...] or even better run Filehippo update checker
  
  Thanks, but I prefer Secunia's PSI. When it comes to security (patches), I trust Secunia more than FileHippo
32. Re:Linux is more Secure than Windows by Red+Flayer · 2010-04-07 03:38 · Score: 1
  
  If the mod who modded that troll bothered to follow the link, he would have understood the context of the way I worded that post.
  
  There sure seems to be a deficiency of humor here...
  
  --
  "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
33. Re:Linux is more Secure than Windows by hairyfeet · 2010-04-07 10:46 · Score: 1
  
  Why? Have you EVER gotten a virus or even a bad file from Filehippo? Because I haven't, and I have been using Filehippo pretty extensively in my repair shop. The Filehippo Update Checker makes it simple for even the most non tech user to keep their 3rd party apps up to date easily and simply.
  Saying you simply prefer one over the other is fine, but saying you "trust" Secuina more than Filehippo implies that Filehippo isn't trustworthy, for which I must ask for citations.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
34. Re:Linux is more Secure than Windows by V+for+Vendetta · 2010-04-10 08:27 · Score: 1
  
  The difference is - as I see it - that the FileHippo is "just" a new version checker, whereas the PSI checks for software versions on your PC that have known vulnerabilities. You know, an older version isn't necessarily a security risk. The PSI is also a bit more verbose as to what and why it lists the updates. Also, FileHippo is "just" an ordinary download site (correct me, if I'm wrong), whereas Secunia is in the security business.
  I'm not saying that FileHippo is bad. And I admit that using the verb "trust" wasn't perhaps the best choice (attribute that to the fact that English is not my native language). Let's say I find PSI more informative. The enterprise version (which I haven't tried yet), is supposed to let you handle 3rd party updates via WSUS.
Code, meet data by Gothmolly · 2010-04-06 04:11 · Score: 1

Why can a document execute anything?

--
I want to delete my account but Slashdot doesn't allow it.
1. Re:Code, meet data by Tridus · 2010-04-06 04:24 · Score: 2, Insightful
  
  Because some genius thought that it was a great idea to put a launch command in the PDF spec.
  Seems like it's working as intended.
  
  --
  -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
2. Re:Code, meet data by Animats · 2010-04-06 04:32 · Score: 3, Interesting
  
  Because some genius thought that it was a great idea to put a launch command in the PDF spec.
  Yes. That should formally be removed from the ISO standard.
  I tried the proof of concept code in SumatraPDF, and it didn't work. But may be a bug in SumatraPDF; there's an error message about a sync file failure.
for more info by bl8n8r · 2010-04-06 04:12 · Score: 1

A little better than the crummy cnet write-up. http://blog.didierstevens.com/

--
boycott slashdot February 10th - 17th check out: altSlashdot.org
pdftotext by Curmudgeonlyoldbloke · 2010-04-06 04:15 · Score: 1

Presumably xpdf's "pdftotext" isn't vulnerable?
"Security firm" by Spyware23 · 2010-04-06 04:16 · Score: 1

"More woes for Adobe [i]as security firm[/i] creates proof-of-concept attack that injects"
"As security firm"? Who does the article mean, Jeremy Conway of NitroSecurity, or Didier Stevens, working for Contraste Europe? Also, it would've been nice if the article linked to an article Jeremy wrote titled "Implications of Recent PDF /Launch Hacks", this article can be found here: http://siemblog.com/2010/04/implications-of-recent-pdf-launch-hacks/
Dupe by MobyDisk · 2010-04-06 04:17 · Score: 4, Informative

Dupe from Slashdot, March 31st
Re:Closing the vulnerability door - the easy way by commodore64_love · 2010-04-06 04:32 · Score: 1

>>>Reading a lone pdf once in a while isn't worth having a massive security flaw
If only that were true. I encounter a PDF at least once a day. Just an hour ago I was reading a PDF about my college homecoming. If it had been possible to get the information some other way, I would have, but they only provided the giant poster in PDF form. - And earlier this morning I encountered a PDF while looking for Lubuntu (lean ubuntu) information.
So uninstalling a PDF Reader isn't really practical.

--
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
Your comment, sir, is vapid. by Frosty+Piss · 2010-04-06 04:34 · Score: 1

Nobody uses the root account in Linux for everyday activity.
Really? More than you think...

So no worries about the system in general.
Dangerous assumptions continue...

--
If you want news from today, you have to come back tomorrow.
Re:Drop it like the disease it is by clone53421 · 2010-04-06 04:46 · Score: 2, Interesting

As it’s apparently a standard PDF feature, giving it a shot to run whatever command line its author desires...
Yeah, it would affect anything that supported that feature.
Note that the clean pdf, after it is infected, pops up the window asking to run “firefox.exe sudosecure.net”. I’m not sure exactly how he did it, but note that there is a huge mass of text (judging from the scrollbar) above the “it’s okay, let me do this” message in the evil pdf. He’d have to somehow create a malicious binary and then execute it. One suspicion I have... a polyglot.
evil.txt:

%bad stuff here... bla bla bla, execute me from the command prompt
Then...

copy /b evil.txt + clean.pdf evil.pdf

Result: evil.pdf opens just fine in Acrobat Reader, but it has the injected code at the beginning, disguised as a comment.
No comment of whether it is specific to 32-bit or 64-bit versions of Windows... and why might that be significant, you ask? Because 64-bit versions of windows do not include DEBUG.EXE.

--
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
Does it use a single code base ... by lwriemen · 2010-04-06 04:49 · Score: 1

... to run multi-platform? >;->
http://developers.slashdot.org/story/10/04/04/1627226/Multi-Platform-App-Created-Using-Single-Code-Base
OT: Do non-Adobe PDF apps less vulnerable? by guanxi · 2010-04-06 05:01 · Score: 2, Interesting

Would switching to a non-Adobe PDF viewer make you safer? I understand this exploit affects Foxit, but there are many other exploits and PDF viewers (MacOS X's Preview, Ghostview/GSView, CutePDF, Nitro, etc.).
Usually the headline says the exploits are in Acrobat; and given Adobe's much larger installed base, they are a much more likely target; but perhaps the exploits are really in PDFs (or JavaScript) in general.
1. Re:OT: Do non-Adobe PDF apps less vulnerable? by Skuld-Chan · 2010-04-06 05:16 · Score: 1
  
  Actually in this case - foxit just runs the exe without displaying the "do you really want to open this" warning Reader gives you.
2. Re:OT: Do non-Adobe PDF apps less vulnerable? by el+chief · 2010-04-06 08:06 · Score: 1
  
  I use gPDF, which is an add-on for FireFox, etc. It changes your PDF links such that they open in google's PDF viewer instead of acrobat or foxit a) faster b) secure(r?) c) no update popups
3. Re:OT: Do non-Adobe PDF apps less vulnerable? by Skuld-Chan · 2010-04-07 02:05 · Score: 1
  
  And you can roll your own patch for Acrobat by changing a few registry keys. What is the difference?
Re:Windows is most affected by this exploit by Zironic · 2010-04-06 05:15 · Score: 1

Only that the hole in the roof is a requested feature, without which they wouldn't be able to sell their operating system (backwards compatibility).
Not really an exploit... by Skuld-Chan · 2010-04-06 05:19 · Score: 5, Informative

This feature is in the PDF specification, and in fact in the youtube video you'll notice that the trust manager warning is pretty severe "only do this if you trust the PDF" sort of thing.
To me its akin to downloading an EXE from a website with a browser and clicking the open button...
1. Re:Not really an exploit... by Yvan256 · 2010-04-06 05:57 · Score: 1
  
  Why does a document format need to have the ability to external executable files in the first place?
2. Re:Not really an exploit... by Skuld-Chan · 2010-04-07 02:02 · Score: 1
  
  Name one document format that doesn't?
  Even html - you can go to any number of websites that will pop up EXE's for you to download without you clicking on anything. Heck - you can even embed executables with Java inside html using browser plugins or its native javascript.
Re:Windows is most affected by this exploit by shutdown+-p+now · 2010-04-06 05:36 · Score: 1

As others may have stated -- but I definitely want to underline -- the broken security model of Microsoft Windows causes significant potential for harm by this exploit.

So far, no-one has explained how Windows is any more vulnerable to this exploit, unless running under an administrative account (which hasn't been the default for the last 2 major OS releases).
So, care to explain what is "broken" about Windows
security model vis-a-vis Unix one?
Re:Windows is most affected by this exploit by mcgrew · 2010-04-06 05:59 · Score: 1

My car has a hole in its roof called a "sunroof", but I can close it with the touch of a button. If it rains in, that's my fault, not the car manufacturer. But a Windows sunroof won't close, and that's Windows' fault.
Being a multi-billion dollar company whose OS is installed on almost every computer sold, Microsoft has the wherewithall to create a secure, backwards compatible OS. The thing is, they don't have to because their OS is installed on almost every computer sold. There's no incentive for them to design and build a secure OS.

--
Free Martian Whores!
Re:Drop it like the disease it is by Anonymous Coward · 2010-04-06 06:01 · Score: 4, Informative

You clearly didn't read the last week's Slashdot article. This exploit is already fixed in Foxit.
PDF Alternative? by shdowhawk · 2010-04-06 06:02 · Score: 1

One of the tags says "saynotopdf" (Say no to PDF). I'm just curious to know if someone has knows or has need a useful alternative?
Between the format wars (.doc, .docx, open office .doc, .odt, etc) and between the HTML / Browser standards (ie6, ie7, ie8, firefox, safari, opera, etc), PDF seems to be the only consistent way to view things across all OS's. Sadly, it's very useful for that reason...
Quick google search didn't show anything useful except for a /. article from 2006 (Unipage) ... But the link on that page is dead now. Googling "unipage" didn't seem to show anything useful after 2007 (Investintect.com)
Any Ideas?
1. Re:PDF Alternative? by Cro+Magnon · 2010-04-06 06:27 · Score: 1
  
  Between the format wars (.doc, .docx, open office .doc, .odt, etc) and between the HTML / Browser standards (ie6, ie7, ie8, firefox, safari, opera, etc), PDF seems to be the only consistent way to view things across all OS's. Sadly, it's very useful for that reason...
  There's always txt files. They might be ugly and no bells/whistles, but AFAIK, nobody's ever gotten infected by one.
  
  --
  Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
2. Re:PDF Alternative? by colinrichardday · 2010-04-06 09:17 · Score: 1
  
  TeX/LaTeX. You can even convert to pdf.
Re:Closing the vulnerability door - the easy way by icebraining · 2010-04-06 06:09 · Score: 1

Why? Just disable the PDF reader plugin, and download & open the files you actually need and trust. Or just install NoScript, which will disable *all* plugin until you explicitly click the frame to activate them.
NoScript 3

--
Dilbert RSS feed
Comment removed by account_deleted · 2010-04-06 07:03 · Score: 1

Comment removed based on user account deletion
Or maybe they didn't fix it... by WD · 2010-04-06 07:33 · Score: 1

At least according to Didier:
http://blog.didierstevens.com/2010/04/06/update-escape-from-pdf/
Re:Drop it like the disease it is by mister_playboy · 2010-04-06 08:20 · Score: 1

The summary is inaccurate. Foxit has already patched this problem in the current version.

--
Do what thou wilt shall be the whole of the Law ::: Love is the law, love under will
Re:Drop it like the disease it is by dudpixel · 2010-04-06 16:07 · Score: 1

so its a feature that can be exploited (easily). deal with it.

--
This seemed like a reasonable sig at the time.
Re:Drop it like the disease it is by virgilp · 2010-04-06 17:47 · Score: 1

Well... let's see what they understand by "fixing it" in FoxIt: they now give the warning dialog that Adobe's reader already gave.... except that for Adobe the default is "do not open" while for the "fixed" FoxIt the default is "open". Yeah, much more secure than Adobe, clearly.... In other news, let me remind you that all your web browsers are insecure: Someone can use "social engineering" techniques to get you to visit a web page, download a binary from there (trojan, maybe), and execute it. All you need to do is click a link, answer "Yes, run!" to the warning dialogs, and BAM! you're infected. Quite similar with this PDF "exploit", in fact.. So stop using your web browser, it exposes you to a serious security vulerability.... even if you disable Javascript! :D