Slashdot Mirror


Foxit One-Ups Adobe In Blocking PDF Attack Tactics

CWmike writes "Foxit Software, the developer of a rival PDF viewer to Adobe's vulnerability-plagued Reader, released an update on Tuesday that blocks some attacks with a 'safe mode' that's switched on by default. Foxit Reader 3.3 for Windows' 'Trust Manager' blocks all external commands that may be tucked into a PDF document. 'The Foxit Reader 3.3 enables users to allow or deny unauthorized actions and data transmission, including URL connection, attachment PDF actions, and JavaScript functions,' the update's accompanying text explains. Last week, several security companies warned of a major malware campaign that tried to dupe users into opening rigged PDFs that exploited an unpatched design flaw in the PDF format, one attackers could use to infect users of Adobe's and Foxit's software. That flaw in the PDF specification's '/Launch' function was disclosed in late March by Belgium security researcher Didier Stevens, who demonstrated how he could abuse the feature to run malware embedded in a PDF document. He also reported he had figured out how to change Adobe Reader's warning to enhance the scam."
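The features the summary lists (the '/Launch' action, JavaScript, URL connections, attachment actions) all appear in a PDF as name tokens, so a file can be checked for them before anyone opens it. The Python below is an added example, not code from Foxit, Adobe or the original post; the watch list, function names and sample bytes are assumptions made for illustration, and a hit means the file asks for that feature, not that it is malicious.

```python
import re
import zlib
from collections import Counter

# PDF names that request active behaviour, labelled with the feature they relate to.
WATCHED = {
    b"/Launch": "external command",
    b"/JavaScript": "JavaScript",
    b"/JS": "JavaScript",
    b"/URI": "URL connection",
    b"/SubmitForm": "data transmission",
    b"/EmbeddedFile": "attachment",
    b"/GoToE": "attachment action",
    b"/OpenAction": "runs when the document opens",
    b"/AA": "runs on a document or page event",
    b"/ObjStm": "object stream (can hold further objects)",
}
NAME = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")   # a PDF name token
HEX = re.compile(rb"#([0-9A-Fa-f]{2})")                    # #xx escape inside a name
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)


def normalise(name: bytes) -> bytes:
    """Undo #xx escapes so that /L#61unch compares equal to /Launch."""
    return HEX.sub(lambda m: bytes([int(m.group(1), 16)]), name)


def count_names(data: bytes) -> Counter:
    return Counter(n for n in map(normalise, NAME.findall(data)) if n in WATCHED)


def scan_pdf(data: bytes) -> dict:
    """Count watched names in the raw file and inside every stream that inflates."""
    hits = count_names(data)
    for m in STREAM.finditer(data):
        try:
            hits += count_names(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed (or encrypted): contents stay unscanned
    return {name.decode(): n for name, n in hits.items()}


def constructed_sample() -> bytes:
    """Constructed fragment, not a real document: one escaped name, one hidden in a stream."""
    hidden = zlib.compress(b"<< /S /JavaScript /JS (placeholder) >>")
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /L#61unch >> endobj\n"
            b"3 0 obj << /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
            + hidden + b"\nendstream endobj\n")


if __name__ == "__main__":
    for name, n in sorted(scan_pdf(constructed_sample()).items()):
        print(f"{name:<12} x{n}  {WATCHED[name.encode()]}")
```

Streams that use other filters or encryption are not inspected, so an empty result on such a file is not a clean bill of health.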

28 of 112 comments

  1. If Foxit Can Do It ... by WrongSizeGlass · · Score: 5, Funny

    ... then surely Adobe can do it. It's probably because Foxit is bigger and able to reassign resources better than Adobe ... oh wait ... how did Foxit beat Adobe on this fix?

    1. Re:If Foxit Can Do It ... by PPalmgren · · Score: 3, Interesting

      Foxit has something to gain from this. For a long time, Adobe only had money to lose by spending anything on their dominant reader that you *had* to use. It appears they haven't lost that mindset.

    2. Re:If Foxit Can Do It ... by Low+Ranked+Craig · · Score: 3, Interesting

      I don't think it's so much that they are lousy, I think it's that most companies simply send over source code and a spec and expect a working product back. We code review all changes and over 70% of fixes/enhancements from the Indian dev team were rejected on the first go, as compared to less than 20% for the team in California. Of course since the VP of engineering is originally from India and the outsourcing is his baby, the program is "doing really well".

      --
      I still cannot find the droids I am looking for...
    3. Re:If Foxit Can Do It ... by Hurricane78 · · Score: 3, Insightful

      But since the average amount of registry entries is around 100,000 and the average amount of files is around what, 50,000? (Not even counting different versions and different configuration file entries), wouldn’t that mean

      230 * 100,000 * 50,000 = 150 trillion "different platforms" or 25 * 150 trillion = 3,75 quadrillion different configurations? ;)

      Or is it just, that when you make not really different setups count (like languages, which are not part of the code to test in such multilingual apps, or not actually different versions of Windows or Linux), that you can come up with whatever insane number you want? ;)

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    4. Re:If Foxit Can Do It ... by RealGrouchy · · Score: 2, Interesting

      Indeed, one of my mac users was sent a PDF that had been marked up with Foxit by a volunteer. The markup only shows in Foxit reader, which is only available on Windows. A complete waste of the volunteer's time.

      - RG>

      --
      Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!
    5. Re:If Foxit Can Do It ... by lpq · · Score: 2, Interesting

      Adobe has the mindset of a monopolist. In their markets they often are. Their support is shoddy to non-existent and their innovation is down. A few years back to cement their position with their graphics tools as dominant (Photoshop et al.), they started requiring those wishing to develop plug-ins to adopt exclusive licensing with Adobe, where Adobe could halt sales of their plug-in with any other competing product, if it was determined that it out-performed Adobe's product. Most plugin developers don't bother with image editing products outside of Photoshop now.

      Their licensing mechanism sucks... they sold me a bill of goods about functionality, regarding products in their Creative Suite 4 package. I bought 3 of them separately -- turns out that their tool that ties all of them together, 'Bridge', only will enable suite color management if it detects a package license, it won't enable separately bought pieces to work together. It only took me 3 months to get them to admit it was a broken conditional in their license processing in "Bridge" -- they then proceeded to issue me a new license -- for another single copy of Photoshop. When I said that wasn't acceptable -- it had to be for all the products I'd purchased (because that's what the documentation says will work), they said I'd have to talk to customer service and would move it back there (I'd gone from customer service to technical, and then back again, and then technical and now again to C.S). That was about a month ago and I haven't heard from them since. Unfortunately I've been too tied up with other more pressing issues than to worry about their broken licensing model.

      But basically their support sucks -- they have some whiz-bang products that do great things, but pray you don't need technical support.

      Their technical support people are way in over their heads (at least the ones I dealt with).

  2. Hey! This thing has code! Were you expecting that? by LostCluster · · Score: 4, Insightful

    They used to say there was no way an image file or text doc could spread a computer virus... then buffer overruns were discovered in image handlers, and Microsoft added VBA macros that basically had the full power of Visual Basic at its disposal to Office, and away it went!

    Now, I make my living writing Visual Basic, so there's no way I want to see VBA going away. Still there needs to be some safety to prevent a VBA macro from using unknowing users' computers from flooding the Internet with useless traffic... and the solution is pretty simple: If an Office doc contains VBA code, a warning is shown to the user asking them if they trust the source of the file, and would like the code to be enabled. If the user declined, macros won't run but users can see the static content in the file.

    So.. that's the solution being employed here. They're effectively saying "Hey, this PDF is using network functionality, do you trust it to do that?" That should shut off the threat vector while still allowing the functionality to be used in trustworthy situations... why isn't this something in Adobe's official reader yet?

  3. Re:Hey! This thing has code! Were you expecting th by just_another_sean · · Score: 4, Insightful

    The only problem with all that is that most users just shrug and say, um, sure -> OK.
    IMHO, for corporate use anyway, Foxit should add some way to leave the default "don't let
    it run" enabled and prevent users from turning it off. Just to give us poor, overworked
    sysadmins a way to prevent non-root/non-Administrator user "Just click OK" (TM) syndrome.

    I believe MS does provide a way to handle the VBA situation you described but it's been
    a while so not 100% sure

    --
    Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
  4. Why wasn't this implemented from day one? by ProdigyPuNk · · Score: 5, Insightful

    Is this really a "feature" that should be celebrated? This should have been implemented since the beginning. If you're making a PDF reader, and the PDF spec has an "execute" functionality, shouldn't everyone developing these programs have seen the spec and realized what this could do?

    1. Re:Why wasn't this implemented from day one? by noidentity · · Score: 2, Interesting

      There's always someone who comes along and says "it'd be useful if you could do this", be it "execute code embedded in a PDF" or "not have to remember or enter an annoying PIN code number when using the ATM". Never mind that the costs of adding this outweigh the benefit, so it gets added. And at some point, someone creates a new, just-a-freakin'-reader, and the cycle begins anew. Depressing.

  5. Re:Hey! This thing has code! Were you expecting th by ProdigyPuNk · · Score: 2, Funny

    I'm almost done a "Database Design and Development" course at college. Turns out the course entirely relies on MS Access (not exactly what I had in mind when signing up). Anyway, in the later part of the course macros/VBA was embedded in the example files, and one of the first instructions in the book was always "Enable the contents" - but the book never bothered mentioning why the warning was there and what the purpose was. I'm sure at least half of my computer science major peers would click OK without thought.

  6. Sort of... by ProdigyPuNk · · Score: 2

    "It doesn't disable JavaScript entirely," Xiong said. "It only partially disables JavaScript."

    That line really bothers me. How many times before have ways been found around things like SQL sanitization procedures? Why not block ALL javascript unless it's explicitly enabled? I can't believe that they would let that go.

    1. Re:Sort of... by Shados · · Score: 2, Informative

      That line really bothers me. How many times before have ways been found around things like SQL sanitization procedures?

      -Extremely few-, if you're talking about correct SQL management. The only one that comes to mind among serious RDBMSs (DB2, Sybase, SQL Server, Oracle, Postgres...) was a datatype exploit in Oracle that only worked locally, AND was more theoretical than anything.

      Parameterized queries (the only good way of handling "sql sanitization") are virtually flawless. Now, if you're talking about string escaping, as is very popular on PHP/MYSQL stacks...well, yeah, that's Swiss cheese, dangerous, and bad practice (and unfortunately extremely popular)

  7. Adobe is down down down by rcastro0 · · Score: 4, Informative

    Is it a coincidence that I read that Adobe is losing the grip on PDF just a few days after I read Jobs's "Thoughts on Flash", essentially dumping Flash from iPhones/iPads, and burning it at a stake? Or is Adobe's strategy really failing spectacularly before our own eyes?

    I should've seen it coming -- I haven't used Acrobat Reader for years. PDF Xchange Viewer is my current favorite, though Foxit was my first off-Adobe alternative, back when.

    --
    Quem a paca cara compra, paca cara pagará.
    1. Re:Adobe is down down down by Low+Ranked+Craig · · Score: 2, Interesting

      +1 on PDF Xchange (for Windows) That was the only 64-bit reader I could find at the time and it worked really well. On my mac I simply go with Preview.app. Acrobat is a bloated pig and is to be avoided along with Flash, although I'll probably need to get a Core i7 box because I NEED Photoshop - I think Adobe took lessons from Microsoft on how to incorporate more bloat during Vista development.

      --
      I still cannot find the droids I am looking for...
    2. Re:Adobe is down down down by Culture20 · · Score: 2, Insightful

      And there are a lot of companies, big and small, that are learning about pdf printing via open source tools, making Acrobat a waste of money. If Acrobat isn't being used to create the documents, why use Acrobat Reader?

  8. Safe computing? by cdrguru · · Score: 3, Insightful

    The problem is that the PDF specification was created at a point in time when you had a reasonable expectation that software would not do bad things to your computer intentionally.

    A method to invoke an external program was put there for flexibility I am sure and it did offer a reasonable way to extend the functionality of the PDF document structure. The same thing is in WinHelp, for exactly the same reason. It allows a "tutorial" document that by clicking on active parts would invoke external programs to do things.

    Now we have a situation where virtually nothing can be trusted to do what it is claiming to do. If you get an email with a file with any sort of active content in it you can assume that it will do something bad.

    Where 15 years ago "active content" was something to be desired and provided extensibility, today "active content" is a way to compromise computers and steal from people. A significant problem for Adobe (and plenty of others) is how to eliminate the possibility of bad things happening with active content while retaining the functionality? Today, I would say active content has to go, period. Anyone that is using and relying on this needs to change their methods.

    It is a pity that we have to give up flexibility and extensibility because of criminals that we cannot or will not police.

  9. Re:Hey! This thing has code! Were you expecting th by sznupi · · Score: 2, Funny

    Now, I make my living writing Visual Basic...

    And you freely admit it here?... ;)

    --
    One that hath name thou can not otter
  10. Re:Hey! This thing has code! Were you expecting th by Anonymous Coward · · Score: 2, Funny

    Ar
    e you sure that some of your mac hines aren't alr
    eady
    in fect
    ed?

  11. Re:FoxIt for Linux? by ichthyoboy · · Score: 5, Informative

    You mean like they already have?

  12. Replace PDF with PTF by postmortem · · Score: 2, Funny

    Plain Text Format!

    Even companies such as Adobe, Microsoft, and Apple with joint efforts could eventually make TXT format readers that have next-to-0 security holes. :)

  13. Re:Hey! This thing has code! Were you expecting th by Anonymous Coward · · Score: 3, Insightful

    There simply should not be active content in a PDF. PDF means "portable document format", not "program-distribution file". I believe the sane specification is called PDF/A (A for "archive"): No external references, no active content (no scripting, no video, no audio, no actions), no encryption, no blocking print or copy. PDF readers should have a simple preferences toggle: [x] restrict to PDF/A subset.

  14. Re:FoxIt for Linux? by Culture20 · · Score: 2, Informative

    Just install Xpdf/evince and be happy. You don't need embedded crap in your documents.

    And if cross-platform is what you're worried about, install evince on Windows. http://download.gnome.org/binaries/win32/evince/2.30/evince-2.30.0.msi

  15. Re:Hey! This thing has code! Were you expecting th by Vellmont · · Score: 2, Insightful


    Still there needs to be some safety to prevent a VBA macro from using unknowing users' computers from flooding the Internet with useless traffic

    Yes, it's called a sandbox. Let the VBA code run in a very limited environment, specifically don't let it access the filesystem or the internet. What's so hard about that?

    and the solution is pretty simple: If an Office doc contains VBA code, a warning is shown to the user asking them if they trust the source of the file

    You've never actually watched people other than computer experts use a computer, have you? If you had you'd realize they ignore those long, boring, cryptic messages unknowing programmers such as yourself put up in front of them. They don't care, and they just want to get their work done. By relying on this approach that "the user will know what to do in this situation!" (when in fact they have no idea and are just confused) you've trained people to simply click through these messages in hopes that the program will work anyway (which sometimes it does).


    So.. that's the solution being employed here. They're effectively saying "Hey, this PDF is using network functionality, do you trust it to do that?"

    What the hell happened to the approach of my document just being a damn document, and not having to try to have all these whizz-bang features of accessing the internet? The fill in forms are neat and useful, but that doesn't require anything but a sandbox. Putting a scripting language in a format people commonly exchange is just stupid, and will only lead to more security problems. The shit Adobe has pulled off has led me to stop trusting Reader entirely, and just use alternative PDF readers in hopes they're not programmed by idiots who just want to add more gold plating and whizz-bang features to an application that was essentially "done" about 10 years ago.

    --
    AccountKiller
  16. This is why PDF should be abandoned by Arancaytar · · Score: 2, Insightful

    There is absolutely no excuse for using PDF unless you need the Flashy extra features like forms. As a device-independent printable format, PostScript and DVI are superior as well as devoid of code execution or networking features.

    We've almost taught people not to send Office documents in emails - next step, eradicate PDFs.

    1. Re:This is why PDF should be abandoned by flyingfsck · · Score: 3, Informative

      Uhhh, got news for you. Postscript is a programming language. Someone with too much time on his hands even wrote a chess program in postscript.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
  17. What I really want to know is... by bit9 · · Score: 2, Insightful

    Blocking PDF exploits is a great first step, but is there a way to detect infected PDF files, and disinfect them? I have no problem leaving Foxit permanently in safe mode, but it would be nice to be able to trust a PDF file once in a while, and be able to turn the JavaScript/etc back on for files I trust.

  18. Since I can't change behavior... by drumcat · · Score: 5, Informative

    As an IT admin, I'm not getting anyone to drop PDF as a format. That's insane. But this, along with the 9.2 update installing McAfee without permission, has made me decide my company will be moving to Foxit. Adobe has screwed me for the last time. For anyone's info, if you have Reader 9.0, without the McAfee install selected, and you then do a "Check for updates" update from within the program, McAfee AV will be installed. I now have to UNinstall it from a shit-ton of machines. Adobe is famous for bad installers, but this takes the cake.