Slashdot Mirror

← Back to Stories (view on slashdot.org)

No JavaScript Needed For New Adobe Exploits

Posted by CmdrTaco on from the this-will-end-badly dept.

bl8n8r writes "More woes for Adobe as a security firm creates a proof-of-concept attack that injects malicious code as part of the update process. The user only needs to click a dialog box to execute the code and no JavaScript is needed to launch the exploit. The exploit affects Foxit as well as Adobe Acrobat software. This exploit is made possible through the host software allowing execution of system binaries. Not clear if it's multi-platform, but seems plausible."

14 of 187 comments (clear)

  1. Linux is vulnerable too by sopssa · · Score: 3, Informative

    Since it's part of the PDF specs, it should work in Linux too. What's even worse than with Windows is that since 'rm' is just a normal binary the PDF can launch that, and if you run as root privileges, just issue a command like "rm -rf /". If you don't run as root, then for example Ubuntu should give you the sudo box to input password to. This of course being just one of the examples it could do. Remember that most malware doesn't even need root access to function.

    Another reason why it would be even more serious on Linux is the way you can pipe commands and how most systems come pre-packaged with a ton of little utility apps. You can create the whole malware with a series of commands, or wget a bash script from the internet and start that to hide even more malware in the system. Since most Linux systems dont even have the kind of application firewalls or antiviruses that Windows does, and because the Internet accessing is actually done via wget, they don't even get any kind of a "Give internet access to this application?" dialog.

    It also doesn't help at all that most Linux users (especially those who are told so by the geeks!) believe that Linux cannot get malware. In my opinion this is a really stupid thing to do from those promoting Linux or Mac OS X as it will just lead to false sense of security.

    1. Re:Linux is vulnerable too by caffeinemessiah · · Score: 4, Informative
      Maybe you should actually, you know,...use Linux before you attempt to troll about security.

      What's even worse than with Windows is that since 'rm' is just a normal binary the PDF can launch that, and if you run as root privileges, just issue a command like "rm -rf /". If you don't run as root, then for example Ubuntu should give you the sudo box to input password to. This of course being just one of the examples it could do. Remember that most malware doesn't even need root access to function.

      Nobody uses the root account in Linux for everyday activity. In Ubuntu, root login is even disabled by default (you have to sudo). So no worries about the system in general. Although it's pretty devastating to issue a "rm -rf ~" to delete the user's home directory, it's on par with Windows. Then you say that most malware doesn't even need root access to function, but on all the millions of XP boxes out there, it's already given root access by default.

      Another reason why it would be even more serious on Linux is the way you can pipe commands and how most systems come pre-packaged with a ton of little utility apps. You can create the whole malware with a series of commands, or wget a bash script from the internet and start that to hide even more malware in the system.

      Windows has a pipe function too, in addition to being able to zoink your whole file system with a simple "del". It also comes with ftp and telnet, which are handy replacements for wget. In short telnet+response file = download an .exe from the web = any sort of functionality you might want using Unix command line tools.

      Your comment, sir, is vapid.

      --
      An old-timer with old-timey ideas.
    2. Re:Linux is vulnerable too by sopssa · · Score: 4, Informative

      If it can't boot after a vulnerability is exploited or you can't remove it within 30 minutes then have it count doubly so.

      The days when malwares purpose to trash the system to an unbootable state have been over for 15 years. Now a days you don't really even notice them being on your machine unless its one of those which show fake virus alerts. How would you notice if it just starts sending spam or sniffing your passwords?

      Another point is that you can fairly easily hide in a Linux system. If you absolutely need root access, there have been serious privilege escalation exploits over the years. Most of the Linux systems aren't even necessarily being patched consistently. I've seen one of these privilege exploits used on many hosting companies that usually keep their systems up to date and secure too. That beside the point that it's not usual that you even need root access.

  2. Dupe Dupe by Nerdfest · · Score: 5, Informative

    I believe this exploit has already been patched in FoxIT, assuming this is the same exploit descibed here on SlashDot 2 weeks ago. Strangely, I haven't seen an update from Adobe ...

    1. Re:Dupe Dupe by phayes · · Score: 4, Informative

      Yes, foxit has patched the vuln: http://forums.foxitsoftware.com//showthread.php?t=18044

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
  3. Re:Drop it like the disease it is by abigsmurf · · Score: 4, Informative

    You clearly didn't read the article or even the summary. This exploit affects Foxit too. It's an exploit of the PDF standard itself

  4. Linux is more Secure than Windows by headkase · · Score: 3, Insightful

    Linux is a lot different than running as root all the time on Windows. My security updates are pushed to me as they are fixed, not even pushing up to a month of vulnerability to patch unlike some systems meant to make corporate IT admins happy. All popular Linux distributions have an updating function: you get your security patches and patches to everything else in your repositories a lot more consistently than Windows. To deny this shows unfamiliarity with Linux. Thats even before you get into functions like selinux and apparmor which happen to be standard on my flavor. For everyone. This is also an Adobe bug, and doesn't affect most Linux PDF readers as far as I'm aware and even if it did I'd have a lot more faith that the Linux ones would be rendered immune more globally than the hodgepodge of updating (or lack of) systems on Windows. You're pointing the finger at Linux and saying: "You're vulnerable too!" But in the practical real world it is a case of not.

    --
    Shh.
    1. Re:Linux is more Secure than Windows by sopssa · · Score: 3, Insightful

      It's not an Adobe bug, it's a feature in the PDF specs that can be exploited with user stupidity. That's the point I've been trying to made, no OS unless it's completely locked down a la iPhone will protect you from user stupidity. Not Windows, not Linux, not BSD.

      Maybe Ubuntu pushes updates itself, but Debian, Fedora and CentOS doesn't. Not for me at least, and I haven't changed anything regarding that. If you want to update, you need to type in the yum update or apt-get update commands manually. And thats before we even get to programs or distros that have you compile themself and you have to make sure to periodically check them and keep them up to date.

    2. Re:Linux is more Secure than Windows by headkase · · Score: 4, Informative

      KPDF (now Okular) has specifically forbidden this behavior forever because it is a security risk. I use Okular myself so I am not vulnerable to this issue. Since it has been known so long to be a security issue in Linux-land why has Adobe allowed it so long? XPDF also is not vulnerable to this issue and so on. So it appears to be a tempest in a tea-cup for Linux and just another day on Windows.

      --
      Shh.
  5. Dupe by MobyDisk · · Score: 4, Informative

    Dupe from Slashdot, March 31st

  6. Re:Solution by Yvanhoe · · Score: 4, Insightful

    The attack requires the user of the computer to allow the code to be executed by agreeing to it via a dialog box. However, the attacker could at least partially control the content of the dialog box that appears to prompt the user to launch the executable and thus use social engineering to entice the computer user to agree to execute the malware, said Conway.

    Solution : stop accepting that documents should execute binaries in order to display properly.

    --
    The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
  7. Re:Code, meet data by Animats · · Score: 3, Interesting

    Because some genius thought that it was a great idea to put a launch command in the PDF spec.

    Yes. That should formally be removed from the ISO standard.

    I tried the proof of concept code in SumatraPDF, and it didn't work. But may be a bug in SumatraPDF; there's an error message about a sync file failure.

  8. Not really an exploit... by Skuld-Chan · · Score: 5, Informative

    This feature is in the PDF specification, and in fact in the youtube video you'll notice that the trust manager warning is pretty severe "only do this if you trust the PDF" sort of thing.

    To me its akin to downloading an EXE from a website with a browser and clicking the open button...

  9. Re:Drop it like the disease it is by Anonymous Coward · · Score: 4, Informative

    You clearly didn't read the last week's Slashdot article. This exploit is already fixed in Foxit.