The GP probably based his post on this presentation from Charlie Miller @ CanSecWest:
http://securityevaluators.com/files/slides/cmiller_CSW_2010.ppt
See slide 53 in particular.
What's important to realize, however, is that Charlie's fuzzing run was based on a set of PDF files that he chose. It's not stated whether any of the seed PDF files contained any flash objects or 3D or JavaScript or any of the other features that contribute to the size of Adobe Reader.
But that should be an eye-opener for you. Preview doesn't come with support for Flash. Or probably a whole slew of other features that Reader supports. In addition to code quality, the attack surface (or lack thereof) and popularity are also major factors of the risk of using a particular product.
I don't think anybody believes that e.g. SumatraPDF is written in some special, uncrashable way. That would just be naive. But the much smaller attack surface combined with greater obscurity could be the motivating factor for some people.
I've tested the latest 10.2 preview of Flash and it is vulnerable. The US-CERT vulnerability note has been updated to reflect this: http://www.kb.cert.org/vuls/id/298081
Try Secunia PSI. It will scan your system for any software that needs to be updated. http://secunia.com/vulnerability_scanning/personal/
When you "activate" the modem with your internet provider, they load their own firmware onto the modem. DOCSIS includes a requirement that firmware updates must be able to occur remotely, and defines several approaches to support this capability. (tftp specified via the config file provided during provisioning, or via snmp)
So while you may "own" the physical modem, your provider "owns" the modem logically.
It's clear that you and the moderators haven't bothered to actually read the article. The research and tools used for the attack were non-trivial, and the impact is remote code execution.
I don't understand why people mix up Flash and Flash video all the time. The latter is a small subset of the former. Can you really not conceptually tell the difference between a video playing at youtube and the content at http://www.homestarrunner.com/ ?
At least according to Didier:
http://blog.didierstevens.com/2010/04/06/update-escape-from-pdf/
What you describe is "smart" or "generational" fuzzing, where you have a detailed knowledge of the target that you are fuzzing. The thing is, dumb (mutational) fuzzing is still effective. Very effective. Check out Charlie Miller's CanSecWest presentation - An analysis of fuzzing 4 products with 5 lines of Python
http://securityevaluators.com/files/slides/cmiller_CSW_2010.ppt
In 3 weeks of (really) dumb fuzzing, 174 unique crashes in PowerPoint were discovered.
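To make the "dumb fuzzing" point concrete, here is an added example of a mutational fuzzer. It is not Charlie Miller's code from the slides and not anything from the products he fuzzed: the target is a constructed toy TLV parser with two deliberately planted bugs (it trusts a declared length, and its "checksum" divides by the first payload byte), and the seed file is made up. The fuzzer itself is the same idea as the 5-line version: flip a few random bytes in a seed, feed it to the target, and bucket the resulting crashes so you can count unique ones rather than raw hits.

```python
"""Mutational ("dumb") fuzzing against a constructed toy parser.

Added example: the target, its bugs and the seed are all constructed
for illustration; nothing here is code from the presentation.
"""
import random
import traceback
from collections import Counter

# Constructed seed in a made-up format:
#   magic "TLV1", then records of [type:1][len:2 big-endian][payload:len]
SEED = b"TLV1" + b"\x01\x00\x05hello" + b"\x02\x00\x03abc"


def parse_tlv(data: bytes) -> list:
    """Toy target. A bad magic is a *handled* rejection (ValueError);
    anything else that escapes is a crash we want the fuzzer to find."""
    if data[:4] != b"TLV1":
        raise ValueError("bad magic")
    pos, records = 4, []
    while pos < len(data):
        rtype = data[pos]
        length = int.from_bytes(data[pos + 1:pos + 3], "big")
        payload = bytearray()
        for i in range(length):
            payload.append(data[pos + 3 + i])   # bug 1: declared length trusted, reads past the end
        if rtype == 2:
            check = sum(payload) // payload[0]  # bug 2: IndexError if empty, ZeroDivisionError if 0
            records.append((rtype, bytes(payload), check))
        else:
            records.append((rtype, bytes(payload)))
        pos += 3 + length
    return records


def mutate(seed: bytes, rng: random.Random, max_flips: int = 8) -> bytes:
    """Overwrite between 1 and max_flips random bytes with random values.
    This is the whole 'intelligence' of a dumb fuzzer."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, max_flips)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def crash_key(exc: BaseException) -> tuple:
    """Bucket a crash by exception type and the innermost frame it came from,
    a cheap stand-in for the stack-hash de-duplication real harnesses use."""
    frame = traceback.extract_tb(exc.__traceback__)[-1]
    return (type(exc).__name__, frame.name, frame.lineno)


def fuzz(target, seed: bytes, iterations: int = 3000, rng_seed: int = 1):
    """Run the target on mutated inputs; return (bucket -> hit count,
    bucket -> first input that triggered it)."""
    rng = random.Random(rng_seed)
    buckets, examples = Counter(), {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue                      # expected rejection, not a crash
        except Exception as exc:          # anything else is a finding
            key = crash_key(exc)
            buckets[key] += 1
            examples.setdefault(key, case)
    return buckets, examples


def unique_crashes(target, seed: bytes, iterations: int = 3000) -> int:
    """Number of distinct crash buckets found; the figure the slides report."""
    buckets, _ = fuzz(target, seed, iterations)
    return len(buckets)


if __name__ == "__main__":
    found, samples = fuzz(parse_tlv, SEED)
    print(f"{sum(found.values())} crashing inputs in {len(found)} unique buckets")
    for key, hits in found.most_common():
        print(f"  {key}: {hits} hits, e.g. {samples[key]!r}")
```

Run it and the seed parses cleanly while a few thousand random byte flips turn up the planted length bug almost immediately; the division bug shows up less often because it needs one specific byte to become zero. That asymmetry is the real lesson of the slides: dumb fuzzing finds the shallow bugs fast, and a product with a large parsing surface has a lot of shallow bugs.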
I don't get it. If your system has had Administrator-owned files replaced with malicious versions, then your system has already been compromised! Game over. It's already too late.
/reads and writes email in plain text, goddamn it!
If the only site you are visiting is the bank, I'd say the chances of getting compromised by a drive-by attack are greatly reduced.
http://www.theonion.com/content/news_briefs/classmates_com_employees
The problem is the handling of VBScript in IE. No other browser supports VBScript.
This US-CERT vulnerability note has details for steps for making Adobe Reader safe to use:
http://www.kb.cert.org/vuls/id/508357
As you mentioned, disabling JavaScript helps. But you can also prevent PDFs from opening automatically with the plug-in, and also prevent them from opening automatically with the stand-alone reader. There are some other mitigations there as well.
Of course, this all requires manual configuration. There is no hope for the average home user.
Tavis disclosed the ntvdm vulnerability in January, however it was reported to Microsoft on June 12, 2009.
http://lists.grok.org.uk/pipermail/full-disclosure/2010-January/072549.html
CERT has some suggestions for securing Adobe Reader here:
http://www.kb.cert.org/vuls/id/257117
Note that the above vulnerability note is not this particular vulnerability, but the same mitigations apply time and time again. The mitigations include:
- Enable DEP
- Disable JavaScript
- Disable automatic opening of PDF files by Internet Explorer
- Disable the displaying of PDF files in your web browser
e.g. a sentence. With capitalization and punctuation. You won't really have to worry about dictionary attacks that way.
Not quite. There's no JavaScript in the CSS, nor is there a buffer overflow.
The article left out the word "outbound". If you block everything (outbound) at the firewall, you are going to have some unhappy staff.
You've got the concept right, but you don't need to click on a malicious link in your browser. Simply visiting a malicious/compromised site in IE is enough. Or viewing a malicious email.
See my comment above:
http://it.slashdot.org/comments.pl?sid=1444692&cid=30114230
The article and summary are not clear, but you need to block *outgoing* ports 139 and 445 at the firewall to help protect against this issue. The vulnerability is triggered by the system attempting to make an SMB connection to a malicious server. This can happen in a number of ways, such as viewing a web page in IE or viewing an email message in Outlook or Outlook Express.
If your firewall blocks outgoing 139 and 445, then the SMB connection attempt fails.
If the act of simply installing the software relies on violating DEP, do you think that perhaps may be an indication about the quality of the code itself? It may be time to think twice about whether you want it on your system. Uninstalling is probably easier and safer.
The correct term is "HTTPS". HTTPS, which can use various versions of SSL or TLS, is still mostly understood. Even by the pros.
Just go ahead and check out these instructions on how to make "Holy Hand Grenades" and "Tower Busters". Granted, this is less destructive than knocking down towers, but the ignorance involved is just about as scary.
http://www.youtube.com/watch?v=ccS70UQE0fE