Slashdot Mirror


No JavaScript Needed For New Adobe Exploits

bl8n8r writes "More woes for Adobe as a security firm creates a proof-of-concept attack that injects malicious code as part of the update process. The user only needs to click a dialog box to execute the code and no JavaScript is needed to launch the exploit. The exploit affects Foxit as well as Adobe Acrobat software. This exploit is made possible through the host software allowing execution of system binaries. Not clear if it's multi-platform, but seems plausible."

30 of 187 comments

  1. Linux is vulnerable too by sopssa · · Score: 3, Informative

    Since it's part of the PDF specs, it should work in Linux too. What's even worse than with Windows is that since 'rm' is just a normal binary the PDF can launch that, and if you run with root privileges, just issue a command like "rm -rf /". If you don't run as root, then for example Ubuntu should give you the sudo box to input a password into. This of course being just one of the examples of what it could do. Remember that most malware doesn't even need root access to function.

    Another reason why it would be even more serious on Linux is the way you can pipe commands and how most systems come pre-packaged with a ton of little utility apps. You can create the whole malware with a series of commands, or wget a bash script from the internet and start that to hide even more malware in the system. Since most Linux systems don't even have the kind of application firewalls or antiviruses that Windows does, and because the Internet access is actually done via wget, they don't even get any kind of a "Give internet access to this application?" dialog.

    It also doesn't help at all that most Linux users (especially those who are told so by the geeks!) believe that Linux cannot get malware. In my opinion this is a really stupid thing to do for those promoting Linux or Mac OS X, as it will just lead to a false sense of security.

    1. Re:Linux is vulnerable too by headkase · · Score: 2, Interesting

      Runs with the same privileges as the parent program. So it can kill my home folder, not "rm -rf /". And like every other security hole found so far, it will be written out. Considering they all get written out, the fair comparison would be comparing the number and severity of vulnerabilities by platform. If it can't boot after a vulnerability is exploited or you can't remove it within 30 minutes, then have it count doubly so.

      --
      Shh.
    2. Re:Linux is vulnerable too by caffeinemessiah · · Score: 4, Informative

      Maybe you should actually, you know... use Linux before you attempt to troll about security.

      > What's even worse than with Windows is that since 'rm' is just a normal binary the PDF can launch that, and if you run with root privileges, just issue a command like "rm -rf /". If you don't run as root, then for example Ubuntu should give you the sudo box to input a password into. This of course being just one of the examples of what it could do. Remember that most malware doesn't even need root access to function.

      Nobody uses the root account in Linux for everyday activity. In Ubuntu, root login is even disabled by default (you have to sudo). So no worries about the system in general. Although it's pretty devastating to issue a "rm -rf ~" to delete the user's home directory, it's on par with Windows. Then you say that most malware doesn't even need root access to function, but on all the millions of XP boxes out there, it's already given root access by default.

      > Another reason why it would be even more serious on Linux is the way you can pipe commands and how most systems come pre-packaged with a ton of little utility apps. You can create the whole malware with a series of commands, or wget a bash script from the internet and start that to hide even more malware in the system.

      Windows has a pipe function too, in addition to being able to zoink your whole file system with a simple "del". It also comes with ftp and telnet, which are handy replacements for wget. In short telnet+response file = download an .exe from the web = any sort of functionality you might want using Unix command line tools.

      Your comment, sir, is vapid.

      --
      An old-timer with old-timey ideas.
    3. Re:Linux is vulnerable too by sopssa · · Score: 4, Informative

      > If it can't boot after a vulnerability is exploited or you can't remove it within 30 minutes, then have it count doubly so.

      The days when malware's purpose was to trash the system to an unbootable state have been over for 15 years. Nowadays you don't really even notice them being on your machine unless it's one of those which show fake virus alerts. How would you notice if it just starts sending spam or sniffing your passwords?

      Another point is that you can fairly easily hide in a Linux system. If you absolutely need root access, there have been serious privilege escalation exploits over the years. Most of the Linux systems aren't even necessarily being patched consistently. I've seen one of these privilege exploits used on many hosting companies that usually keep their systems up to date and secure too. That's beside the point that you don't usually even need root access.

    4. Re:Linux is vulnerable too by sopssa · · Score: 2

      I suspect it uses normal exec(), just like it works in every other program.

      Almost any Windows program doesn't require root/admin nowadays, and if they do, it's for a reason. You can't really compare to Windows 98 and the programs from that age. If we go that route, we might as well start digging up the hundreds of privilege escalation and remote exploits that Linux has had in its history.

      You also don't need to run the whole desktop as root. You can launch Firefox by typing "firefox" in terminal (either in text-mode terminal, or the terminals in X), if it just has a desktop to connect to. This is how you start applications to a remote X desktop like Xming too.

    5. Re:Linux is vulnerable too by gzipped_tar · · Score: 2, Insightful

      > so it all boils down to how knowledgeable the user is about security

      But you're the one who brought up this "Linux makes creating malware handier and stealthier" argument, and you're now resorting to the same old, tiring "user incompetence" excuse?

      And did you just pull that argument from your ass, or have you actually worked on malware on Linux, Windows and Mac OS X and compared them before making that post?

      And yes, some people are creating a false sense of security around Linux. But aren't you creating a false sense of threat as well?

      It is not Linux that has made malware more threatening. Incompetent design (like this) and poor programming practice have made malware possible, on all platforms, and now the popularity (or rather, low cost) of incompetent design and poor programming is making it rampant.

      But next perhaps someone will tell me that Linux is doomed because most distros ship gcc and gdb by default and they're used to create malware.

      --
      Colorless green Cthulhu waits dreaming furiously.
    6. Re:Linux is vulnerable too by thuerrsch · · Score: 2, Informative

      Well said. Also don't forget that Evince, the default pdf viewer in Gnome and in Ubuntu, is immune to this exploit, as confirmed by several comments on Didier Stevens' original announcement.

      So here we have another good reason not to use Acrobat Reader on Linux (or on anything else, for that matter), but also not to trust closed-source alternatives like Foxit. Evince is fast, efficient, easy to use, has all the necessary features, nothing more, nothing less. And hey, there's even a Windows version!

      --
      most of what follows is true
  2. Solution by abigsmurf · · Score: 2, Interesting

    Have the dialogue control specify that you are potentially allowing the PDF to alter other documents (maliciously or otherwise).

    It's not exactly the first time a method of using social engineering to trick people has been part of a standard. Altering the status bar in JavaScript in order to aid phishing attacks was one.

    1. Re:Solution by Yvanhoe · · Score: 4, Insightful

      > The attack requires the user of the computer to allow the code to be executed by agreeing to it via a dialog box. However, the attacker could at least partially control the content of the dialog box that appears to prompt the user to launch the executable and thus use social engineering to entice the computer user to agree to execute the malware, said Conway.

      Solution: stop accepting that documents should execute binaries in order to display properly.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
  3. Dupe Dupe by Nerdfest · · Score: 5, Informative

    I believe this exploit has already been patched in Foxit, assuming this is the same exploit described here on Slashdot 2 weeks ago. Strangely, I haven't seen an update from Adobe ...

    1. Re:Dupe Dupe by sopssa · · Score: 2, Informative

      Yes, Foxit patched it last week. It uses the same technique so the Foxit patch should work, but this new "exploit" just takes it a bit further in that the malware can be embedded in the PDF file.

    2. Re:Dupe Dupe by phayes · · Score: 4, Informative
      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well-armed sheep contesting the issue.
  4. Re:Drop it like the disease it is by abigsmurf · · Score: 4, Informative

    You clearly didn't read the article or even the summary. This exploit affects Foxit too. It's an exploit of the PDF standard itself.

  5. Google Docs by areusche · · Score: 2, Interesting

    Screw Adobe and other client-side PDF readers. Am I vulnerable if I use Google's PDF viewer to view PDFs?

  6. Linux is more Secure than Windows by headkase · · Score: 3, Insightful

    Linux is a lot different than running as root all the time on Windows. My security updates are pushed to me as they are fixed, not even pushing up to a month of vulnerability to patch unlike some systems meant to make corporate IT admins happy. All popular Linux distributions have an updating function: you get your security patches and patches to everything else in your repositories a lot more consistently than Windows. To deny this shows unfamiliarity with Linux. That's even before you get into functions like SELinux and AppArmor, which happen to be standard on my flavor. For everyone. This is also an Adobe bug, and doesn't affect most Linux PDF readers as far as I'm aware, and even if it did I'd have a lot more faith that the Linux ones would be rendered immune more globally than the hodgepodge of updating (or lack of) systems on Windows. You're pointing the finger at Linux and saying: "You're vulnerable too!" But in the practical real world it is a case of not.

    --
    Shh.
    1. Re:Linux is more Secure than Windows by sopssa · · Score: 3, Insightful

      It's not an Adobe bug, it's a feature in the PDF specs that can be exploited with user stupidity. That's the point I've been trying to make: no OS, unless it's completely locked down a la iPhone, will protect you from user stupidity. Not Windows, not Linux, not BSD.

      Maybe Ubuntu pushes updates itself, but Debian, Fedora and CentOS don't. Not for me at least, and I haven't changed anything regarding that. If you want to update, you need to type in the yum update or apt-get update commands manually. And that's before we even get to programs or distros that have you compile them yourself, where you have to make sure to periodically check them and keep them up to date.

    2. Re:Linux is more Secure than Windows by The+End+Of+Days · · Score: 2, Insightful

      You don't run as administrator in Windows anymore, either. Security updates are likewise pushed in Windows. Windows has an updating function. Your statements all show unfamiliarity with Windows.

      This is not an Adobe bug, this is a vulnerability in the PDF spec. Readers not from Adobe have already been shown to be vulnerable.

      Linux is not immune, despite your specious claims.

    3. Re:Linux is more Secure than Windows by headkase · · Score: 4, Informative

      KPDF (now Okular) has specifically forbidden this behavior forever because it is a security risk. I use Okular myself so I am not vulnerable to this issue. Since it has been known so long to be a security issue in Linux-land why has Adobe allowed it so long? XPDF also is not vulnerable to this issue and so on. So it appears to be a tempest in a tea-cup for Linux and just another day on Windows.

      --
      Shh.
    4. Re:Linux is more Secure than Windows by sopssa · · Score: 2, Insightful

      Xpdf and Okular on Windows aren't vulnerable either.
      Adobe PDF Reader on Linux is vulnerable.

      This goes to show that it doesn't matter which OS it is, as it's mostly about software or user stupidity. Windows and Linux are on par in this; neither one is better than the other. There is SELinux for Linux which can mitigate the issue, but there are such tools and settings for Windows too. Not that any casual user will put up with those in either system.

    5. Re:Linux is more Secure than Windows by jawtheshark · · Score: 2, Informative

      > Try running most Windows XP software and see what happens.

      I keep hearing this repeated ad infinitum. Since Win XP SP2, most software got adapted so it could run as Limited User. Even game developers got the message. The Sims 2 initially came out as "Admin only". That was patched within months when people complained.

      Anyway, even for non-behaving software, it is usually a matter of setting User-Write-Permissions on the folder of the misbehaving application. If that doesn't help, set User-Write-Permission on the subkey the application created in HKEY_LOCAL_MACHINE. Fixes 99% of the applications. If anyone bothered, this could be automated with a script or an application that has a database with known misbehaving applications and the necessary fixes. If people can make something like "the PC Decrapifier", this should be feasible too.

      Anyone with a remote clue can run Windows XP entirely as Limited User (for day to day operations, of course).

      Only slightly related: this is why removing the Security tab in the Home Version of XP was a bad idea. I know there was a way to install it again, but I never found it back.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    6. Re:Linux is more Secure than Windows by Mister+Whirly · · Score: 2, Insightful

      To pretend that one OS is inherently superior in security over another also borders on incredulous. Anytime a specific OS is mentioned in a security discussion, that person has lost the discussion, and does not understand the entire concept of security. Security isn't software. Security isn't an operating system. Security is a set of practices and policies that apply to all software and operating systems regardless of what specific type they are.

      --
      "But this one goes to 11!"
    7. Re:Linux is more Secure than Windows by hairyfeet · · Score: 2, Informative

      BTW if you either go to the Foxit site or even better run Filehippo update checker which will keep your Windows machine up to date with regards to 3rd party programs, you'll see that Foxit has already released a new version that fixes the bug.

      So TFA should probably read "affects previous versions of Foxit" as, like Firefox, Foxit is great about getting patches out there quickly when threats are found.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  7. Re:Microsoft to Blame by sopssa · · Score: 2, Insightful

    Most malware doesn't need root/admin access. It's only needed if you want to pwn or hack the server. Malware on the other hand runs just happily in userland too.

  8. Dupe by MobyDisk · · Score: 4, Informative
  9. Re:Code, meet data by Tridus · · Score: 2, Insightful

    Because some genius thought that it was a great idea to put a launch command in the PDF spec.

    Seems like it's working as intended.

    --
    -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
  10. Re:Code, meet data by Animats · · Score: 3, Interesting

    > Because some genius thought that it was a great idea to put a launch command in the PDF spec.

    Yes. That should formally be removed from the ISO standard.

    I tried the proof of concept code in SumatraPDF, and it didn't work. But it may be a bug in SumatraPDF; there's an error message about a sync file failure.

  11. Re:Drop it like the disease it is by clone53421 · · Score: 2, Interesting

    > As it’s apparently a standard PDF feature, giving it a shot to run whatever command line its author desires...

    Yeah, it would affect anything that supported that feature.

    Note that the clean pdf, after it is infected, pops up the window asking to run “firefox.exe sudosecure.net”. I’m not sure exactly how he did it, but note that there is a huge mass of text (judging from the scrollbar) above the “it’s okay, let me do this” message in the evil pdf. He’d have to somehow create a malicious binary and then execute it. One suspicion I have... a polyglot.

    evil.txt:

    %bad stuff here... bla bla bla, execute me from the command prompt

    Then...

    copy /b evil.txt + clean.pdf evil.pdf

    Result: evil.pdf opens just fine in Acrobat Reader, but it has the injected code at the beginning, disguised as a comment.

    No comment on whether it is specific to 32-bit or 64-bit versions of Windows... and why might that be significant, you ask? Because 64-bit versions of Windows do not include DEBUG.EXE.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
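    As an added example (not from the thread, nor from the proof of concept it discusses), a small Python triage scanner that flags the two things the comment above describes from the defender's side: a launch action (the PDF spec's /Launch action type, the "launch command" the thread refers to) reachable from the catalog's /OpenAction, and a file whose %PDF header is not at offset 0, which is what "copy /b evil.txt + clean.pdf" produces. The sample PDFs are constructed inline; the /#4Caunch name-escape variant and the /ObjStm flag are assumptions about how such a scanner should harden itself, not anything the thread states.

```python
import re

# Name escapes (#xx) are legal in PDF names, so normalise them before matching
# (assumption: a scanner should treat /#4Caunch the same as /Launch).
NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
# /Launch is the action type the thread calls the "launch command" in the PDF spec.
LAUNCH_RE = re.compile(rb"/S\s*/Launch(?![A-Za-z0-9])")
OPENACTION_RE = re.compile(rb"/OpenAction(?![A-Za-z0-9])")
HEADER_RE = re.compile(rb"%PDF-\d\.\d")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so that obfuscated names match the plain patterns."""
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf_bytes(data: bytes) -> dict:
    """Return triage findings for one PDF held in memory."""
    norm = normalize_names(data)
    header = HEADER_RE.search(data)
    result = {
        # Readers tolerate junk before %PDF-; a non-zero offset is the copy /b polyglot.
        "header_offset": header.start() if header else None,
        "launch_actions": len(LAUNCH_RE.findall(norm)),
        # /OpenAction fires when the document opens, so a launch reachable
        # from it only needs the reader's confirmation dialog to be accepted.
        "open_action": OPENACTION_RE.search(norm) is not None,
        # Objects inside compressed object streams are invisible to this byte
        # scan; flag their presence so the file is inflated before trusting a "clean".
        "object_streams": b"/ObjStm" in norm,
    }
    result["suspicious"] = result["launch_actions"] > 0 or result["header_offset"] != 0
    return result


# Constructed samples (not real-world files): a clean document, one whose
# catalog's /OpenAction points at a /Launch action, the same file with junk
# prepended as "copy /b evil.txt + clean.pdf" would, and a name-escaped variant.
CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
LAUNCH_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Type /Action /S /Launch /F (example.exe) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
POLYGLOT_PDF = b"%constructed junk prefix, as in copy /b\r\n" + LAUNCH_PDF
ESCAPED_PDF = LAUNCH_PDF.replace(b"/Launch", b"/#4Caunch")

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_PDF), ("launch", LAUNCH_PDF),
                       ("polyglot", POLYGLOT_PDF), ("escaped", ESCAPED_PDF)]:
        print(name, scan_pdf_bytes(blob))
```

    A real scanner would also inflate FlateDecode streams before matching, since anything inside an object stream is missed by the byte-level patterns above.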
  12. OT: Are non-Adobe PDF apps less vulnerable? by guanxi · · Score: 2, Interesting

    Would switching to a non-Adobe PDF viewer make you safer? I understand this exploit affects Foxit, but there are many other exploits and PDF viewers (Mac OS X's Preview, Ghostview/GSView, CutePDF, Nitro, etc.).

    Usually the headline says the exploits are in Acrobat; and given Adobe's much larger installed base, they are a much more likely target; but perhaps the exploits are really in PDFs (or JavaScript) in general.

  13. Not really an exploit... by Skuld-Chan · · Score: 5, Informative

    This feature is in the PDF specification, and in fact in the YouTube video you'll notice that the trust manager warning is pretty severe, an "only do this if you trust the PDF" sort of thing.

    To me it's akin to downloading an EXE from a website with a browser and clicking the open button...

  14. Re:Drop it like the disease it is by Anonymous Coward · · Score: 4, Informative

    You clearly didn't read the last week's Slashdot article. This exploit is already fixed in Foxit.