New PDF Exploit, Doesn't Use A Vulnerability


20 replies to this topic

#1 Andrew

Andrew

    Bleepin' Night Watchman


  • Moderator
  • 8,259 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Right behind you
  • Local time:03:08 AM

Posted 31 March 2010 - 05:49 PM

A researcher named Didier Stevens has announced his discovery of a way to execute arbitrary code by creating a specially crafted PDF file. The PDF file doesn't exploit any actual "vulnerability" in Adobe's reader application as most previous PDF exploits have, but rather takes advantage of functionality built into the PDF standard.

PDF readers such as Adobe's Acrobat Reader and competitor Foxit Reader disallow embedded executables, but PDFs are able to define actions to be taken when the PDF is opened by using so-called /Launch /Action commands. Mr. Stevens takes advantage of this fact to create an exploit that theoretically can be launched against just about any platform, including Windows, Mac OSX, and Linux-based operating systems for which there is a PDF reader that closely enough follows the PDF standard.

Reports indicate that Adobe Acrobat reader will prompt the user to allow the actions, but that the text of the alert box is partially controlled by the attacker, allowing for social engineering attempts. Foxit Reader doesn't even present an alert and merely executes the instructions. PDF Xchange Viewer, however, neither prompts the user nor executes the instructions.

Further reading:

Original Blog post
ZDNet Article
The Register article

Edited by Andrew, 31 March 2010 - 05:56 PM.
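A defender-side check for the technique described in the post above, as an added example that is not part of the original thread: a Python scanner that looks in raw PDF bytes for the /Launch action name and for open-time triggers, including names hidden with #xx hex escapes. The function names and sample fragments are constructed for illustration; /OpenAction and /AA are trigger names from the PDF standard and are not named in the post.

```python
import re

# PDF names may hide characters as #xx hex escapes (e.g. /L#61unch == /Launch).
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A name runs from "/" to the next whitespace or PDF delimiter character.
_NAME = re.compile(rb"/([^\x00\t\n\f\r ()<>\[\]{}/%]+)")

# The action type from the post, plus the standard's open-time and
# additional-action triggers (an assumption of this example, not from the post).
WATCHED = {b"Launch", b"OpenAction", b"AA"}

# Constructed sample fragments (object dictionaries only, not real files).
SAMPLE_LAUNCH = (
    b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Action /S /L#61unch /F (PLACEHOLDER) >>\nendobj\n"
)
SAMPLE_CLEAN = b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"


def decode_name(raw: bytes) -> bytes:
    """Undo #xx escapes so obfuscated names compare equal to plain ones."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_pdf_bytes(data: bytes) -> dict:
    """Count watched names in raw PDF bytes and record obfuscated spellings."""
    counts = {name.decode(): 0 for name in WATCHED}
    obfuscated = []
    for match in _NAME.finditer(data):
        raw = match.group(1)
        name = decode_name(raw)
        if name in WATCHED:
            counts[name.decode()] += 1
            if raw != name:  # escaped spelling of a watched name
                obfuscated.append(raw.decode("latin-1"))
    # A Launch action is the signal the post describes; triggers alone are common.
    return {"counts": counts, "obfuscated": obfuscated,
            "suspicious": counts["Launch"] > 0}


if __name__ == "__main__":
    for label, blob in (("launch", SAMPLE_LAUNCH), ("clean", SAMPLE_CLEAN)):
        print(label, scan_pdf_bytes(blob))
```

This only sees uncompressed objects; dictionaries stored inside compressed object streams need to be inflated before scanning.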



#2 carri

carri

  • Members
  • 234 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Yorkshire, England
  • Local time:11:08 AM

Posted 31 March 2010 - 06:40 PM

Thanks Andrew. I stopped using Adobe to read PDFs a few months back in favour of PDF Viewer. It is worrying that the text can be manipulated to say anything that the hacker wants it to according to Didier Stevens. I wonder how long it will take Adobe to respond publicly to deal with this latest issue and reassure their customers?

Edited by carri, 31 March 2010 - 06:43 PM.

Hug someone today and get on their nerves!

#3 Layback Bear

Layback Bear

  • Members
  • 1,880 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Northern Ohio
  • Local time:05:08 AM

Posted 04 April 2010 - 08:46 AM

Thanks Andrew. I will keep checking Adobe for security updates.

#4 Doeboy278x

Doeboy278x

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:08 AM

Posted 04 April 2010 - 07:13 PM

You should add that people are using ads to infect computers. I'm on a fairly big website and over 15k members complained about getting a virus from a certain ad using this "exploit".

#5 Romeo29

Romeo29

    Learning To Bleep


  • Members
  • 3,194 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:127.0.0.1
  • Local time:05:08 AM

Posted 04 April 2010 - 09:09 PM

Foxit Reader has patched their software against this vulnerability on 2nd April, 2010. You can either download the new version or update the installed Foxit Reader.

http://www.foxitsoftware.com/announcements/2010420408.html

#6 Stang777

Stang777

    Just Hoping To Help


  • Members
  • 1,821 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:04:08 AM

Posted 05 April 2010 - 04:14 AM

Do you guys think that if you have the program settings in a firewall set to not allow Adobe to run at all that it would prevent this type of attack?

#7 Andrew

Andrew

    Bleepin' Night Watchman

  • Topic Starter

  • Moderator
  • 8,259 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Right behind you
  • Local time:03:08 AM

Posted 05 April 2010 - 04:26 AM

Do you guys think that if you have the program settings in a firewall set to not allow Adobe to run at all that it would prevent this type of attack?

Well, yes. But then why even have Acrobat installed if it's disallowed from ever running?

#8 Stang777

Stang777

    Just Hoping To Help


  • Members
  • 1,821 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:04:08 AM

Posted 05 April 2010 - 02:47 PM

Thank you Andrew, that is what I was hoping.

There are a few reasons for keeping it installed. I am too lazy to uninstall it and install something different, especially since I cannot decide what program to use. I am not sure how to uninstall a version that is apparently still on my system, which is an even more outdated version than the one I use, since it is not showing up in the add/remove programs. I am hoping that when I uninstall the one I use, that other one will go with it but until I do it, I do not know that it will. But the main reason is, it is there if I need it.

I have it set to not be allowed to run so that it cannot be run at random by websites that might do bad things through it. If I have a document that I need to look at or go to a website that I trust that needs it, I can change the setting temporarily and allow it to run.

#9 Romeo29

Romeo29

    Learning To Bleep


  • Members
  • 3,194 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:127.0.0.1
  • Local time:05:08 AM

Posted 05 April 2010 - 03:26 PM

Stang777, for viewing PDF files, I use FoxitReader portable which I do not have to install on my system.
For the ActiveX installed by Adobe Acrobat, I have not seen any site that uses it for anything else but to display a PDF file inside the browser. If you don't have the ActiveX component in IE, or the plugin in Firefox, then you would simply get a PDF download prompt. By the way, if you install FoxitReader, it also installs the ActiveX in IE and plugin in Firefox, similar to Adobe.

#10 Andrew

Andrew

    Bleepin' Night Watchman

  • Topic Starter

  • Moderator
  • 8,259 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Right behind you
  • Local time:03:08 AM

Posted 05 April 2010 - 05:25 PM

I prefer PDF XChange Viewer. It seems to be supplanting Foxit as the alternative PDF reader of choice for a lot of others too.

#11 Stang777

Stang777

    Just Hoping To Help


  • Members
  • 1,821 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:04:08 AM

Posted 10 April 2010 - 11:03 PM

Thank you guys for the recommendations.

The differing views on these programs are why I am confused as to which one to install.

Romeo, I am also confused by the program you mentioned above. I just downloaded it but when I double click on it, it appears it is going to install and I thought you were saying it does not need to be installed. Does it actually install on my system, and if not, how does it work?

From what I have read on the website you linked to about portable apps, it appears it needs to be run from a flash drive, is that correct or can I have the downloaded file on my hard drive to have it work?

Even after reading that website, I am confused as to how this program will work.

Edited by Stang777, 10 April 2010 - 11:06 PM.


#12 Romeo29

Romeo29

    Learning To Bleep


  • Members
  • 3,194 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:127.0.0.1
  • Local time:05:08 AM

Posted 10 April 2010 - 11:49 PM

Romeo, I am also confused by the program you mentioned above. I just downloaded it but when I double click on it it appears it is going to install and I thought you were saying it does not need to be installed. Does it actually install on my system, and if not, how does it work?


That is not a setup to install files on your system and create shortcuts. It's a wizard which just copies the Foxit Reader files to a folder of your choice, preferably on a USB flash disk. Just proceed with the wizard and you would see.

#13 Stang777

Stang777

    Just Hoping To Help


  • Members
  • 1,821 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:04:08 AM

Posted 11 April 2010 - 01:05 AM

Ok, will do. Thank you for your help.

#14 Layback Bear

Layback Bear

  • Members
  • 1,880 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Northern Ohio
  • Local time:05:08 AM

Posted 18 April 2010 - 08:37 AM

I must keep Adobe PDF for a training site I use now and again. Question: can I have two readers at the same time so I can pick and choose which one I want to use at any given time without causing problems?

Edited by Layback Bear, 18 April 2010 - 08:37 AM.


#15 Romeo29

Romeo29

    Learning To Bleep


  • Members
  • 3,194 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:127.0.0.1
  • Local time:05:08 AM

Posted 18 April 2010 - 12:32 PM

Yes, Layback Bear.
You will need to create a script for modifying registry and you can switch back and forth.



