
No JavaScript Needed For New Adobe Exploits

CmdrTaco posted more than 4 years ago | from the this-will-end-badly dept.

Security 187

bl8n8r writes "More woes for Adobe as a security firm creates a proof-of-concept attack that injects malicious code as part of the update process. The user only needs to click a dialog box to execute the code and no JavaScript is needed to launch the exploit. The exploit affects Foxit as well as Adobe Acrobat software. This exploit is made possible through the host software allowing execution of system binaries. Not clear if it's multi-platform, but seems plausible."


Linux is vulnerable too (3, Informative)

sopssa (1498795) | more than 4 years ago | (#31749036)

Since it's part of the PDF specs, it should work in Linux too. What's even worse than with Windows is that since 'rm' is just a normal binary the PDF can launch that, and if you run as root privileges, just issue a command like "rm -rf /". If you don't run as root, then for example Ubuntu should give you the sudo box to input password to. This of course being just one of the examples it could do. Remember that most malware doesn't even need root access to function.

Another reason why it would be even more serious on Linux is the way you can pipe commands and how most systems come pre-packaged with a ton of little utility apps. You can create the whole malware with a series of commands, or wget a bash script from the internet and start that to hide even more malware in the system. Since most Linux systems don't even have the kind of application firewalls or antiviruses that Windows does, and because the Internet accessing is actually done via wget, they don't even get any kind of a "Give internet access to this application?" dialog.

It also doesn't help at all that most Linux users (especially those who are told so by the geeks!) believe that Linux cannot get malware. In my opinion this is a really stupid thing to do from those promoting Linux or Mac OS X as it will just lead to a false sense of security.

Re:Linux is vulnerable too (2, Interesting)

headkase (533448) | more than 4 years ago | (#31749110)

Runs with the same privileges as the parent program. So it can kill my home folder, not "rm -rf /" And like every other security hole found so far it will be written out. Considering they all get written out the fair comparison would be comparing number and severity of vulnerabilities by platform. If it can't boot after a vulnerability is exploited or you can't remove it within 30 minutes then have it count doubly so.

Re:Linux is vulnerable too (4, Informative)

sopssa (1498795) | more than 4 years ago | (#31749222)

> If it can't boot after a vulnerability is exploited or you can't remove it within 30 minutes then have it count doubly so.

The days when malware's purpose was to trash the system to an unbootable state have been over for 15 years. Nowadays you don't really even notice them being on your machine unless it's one of those which show fake virus alerts. How would you notice if it just starts sending spam or sniffing your passwords?

Another point is that you can fairly easily hide in a Linux system. If you absolutely need root access, there have been serious privilege escalation exploits over the years. Most of the Linux systems aren't even necessarily being patched consistently. I've seen one of these privilege exploits used on many hosting companies that usually keep their systems up to date and secure too. That beside the point that it's not usual that you even need root access.

Linux is more Secure than Windows (3, Insightful)

headkase (533448) | more than 4 years ago | (#31749324)

Linux is a lot different than running as root all the time on Windows. My security updates are pushed to me as they are fixed, not even pushing up to a month of vulnerability to patch unlike some systems meant to make corporate IT admins happy. All popular Linux distributions have an updating function: you get your security patches and patches to everything else in your repositories a lot more consistently than Windows. To deny this shows unfamiliarity with Linux. That's even before you get into functions like selinux and apparmor which happen to be standard on my flavor. For everyone. This is also an Adobe bug, and doesn't affect most Linux PDF readers as far as I'm aware and even if it did I'd have a lot more faith that the Linux ones would be rendered immune more globally than the hodgepodge of updating (or lack of) systems on Windows. You're pointing the finger at Linux and saying: "You're vulnerable too!" But in the practical real world it is a case of not.

Re:Linux is more Secure than Windows (3, Insightful)

sopssa (1498795) | more than 4 years ago | (#31749468)

It's not an Adobe bug, it's a feature in the PDF specs that can be exploited with user stupidity. That's the point I've been trying to make, no OS unless it's completely locked down a la iPhone will protect you from user stupidity. Not Windows, not Linux, not BSD.

Maybe Ubuntu pushes updates itself, but Debian, Fedora and CentOS don't. Not for me at least, and I haven't changed anything regarding that. If you want to update, you need to type in the yum update or apt-get update commands manually. And that's before we even get to programs or distros that have you compile themself and you have to make sure to periodically check them and keep them up to date.

Re:Linux is more Secure than Windows (4, Informative)

headkase (533448) | more than 4 years ago | (#31749694)

KPDF (now Okular) [kde.org] has specifically forbidden this behavior forever because it is a security risk. I use Okular myself so I am not vulnerable to this issue. Since it has been known so long to be a security issue in Linux-land why has Adobe allowed it so long? XPDF also is not vulnerable to this issue and so on. So it appears to be a tempest in a tea-cup for Linux and just another day on Windows.

Re:Linux is more Secure than Windows (2, Insightful)

sopssa (1498795) | more than 4 years ago | (#31749810)

Xpdf and Okular on Windows aren't vulnerable either.
Adobe PDF Reader on Linux is vulnerable.

This goes to show that it doesn't matter which the OS is, as it's mostly about software or user stupidity. Windows and Linux are on par in this, neither one is better than the another. There is SELinux for Linux which can mitigate the issue, but there are such tools and settings for Windows too. Not that any casual user will put up with those in either system.

Re:Linux is more Secure than Windows (1)

headkase (533448) | more than 4 years ago | (#31749848)

To say that Windows and Linux are on par for security borders on incredulous.

Re:Linux is more Secure than Windows (2, Insightful)

The End Of Days (1243248) | more than 4 years ago | (#31749470)

You don't run as administrator in Windows anymore, either. Security updates are likewise pushed in Windows. Windows has an updating function. Your statements all show unfamiliarity with Windows.

This is not an Adobe bug, this is a vulnerability in the PDF spec. Readers not from Adobe have already been shown to be vulnerable.

Linux is not immune, despite your specious claims.

Re:Linux is more Secure than Windows (1)

daveime (1253762) | more than 4 years ago | (#31749570)

Why would any document markup language have an executable function at all ?

And why, if this really is "part of the PDF spec", has every single PDF reader implemented this crazy functionality ?

One time where "following standards" has fucked us all up I guess.

Re:Linux is more Secure than Windows (0, Troll)

headkase (533448) | more than 4 years ago | (#31749580)

> You don't run as administrator in Windows anymore

Try running most Windows XP software and see what happens.

> Security updates are likewise pushed in windows. Windows has an updating function

My update-manager updates all my installed programs. Windows Update does Windows and Office, everything else is hodgepodge.

> Your statements all show unfamiliarity with Windows.

I am very familiar with Windows, it is one of the reasons I switched to Linux.

> This is not an Adobe bug, this is a vulnerability in the PDF spec. Readers not from Adobe have already been shown to be vulnerable.

It is present in Adobe Reader, it has already been patched out of FoxIt and it never existed in XPDF.

> Linux is not immune, despite your specious claims.

Linux is not immune but the singular fact that you are not running as root mitigates a lot of possible damage.

Re:Linux is more Secure than Windows (-1, Flamebait)

sexconker (1179573) | more than 4 years ago | (#31749800)

> Try running most Windows XP software and see what happens.

Try running a Linux build from 8 and a half years ago and see what happens.

> My update-manager updates all my installed programs. Windows Update does Windows and Office, everything else is hodgepodge.

Windows Update updates Windows.
Microsoft Update updates Windows, Office, all other MS software, and any WHQL drivers.

> I am very familiar with Windows, it is one of the reasons I switched to Linux.

Troll more, fag.

> It is present in Adobe Reader, it has already been patched out of FoxIt and it never existed in XPDF.

It's a bug in the PDF spec. It affects Adobe Acrobat, Adobe Reader, Foxit versions up to whatever, etc. etc.

> Linux is not immune but the singular fact that you are not running as root mitigates a lot of possible damage.

No it doesn't. Malware doesn't need root access to do shit. Nothing is mitigated any more than it is on Windows, which you shouldn't have been running as root on ever since fucking NT.

Re:Linux is more Secure than Windows (-1, Offtopic)

headkase (533448) | more than 4 years ago | (#31749884)

Troll more, fag.

Since you don't have a clue and descended to name calling first I'll just state that you are an idiot and leave it at that.

Re:Linux is more Secure than Windows (0)

Anonymous Coward | more than 4 years ago | (#31749964)

While avoiding all of his insightful arguments that you don't want to answer to? That doesn't make you any better.

Re:Linux is more Secure than Windows (1)

headkase (533448) | more than 4 years ago | (#31750050)

Linux build from 8 years ago? XP is still widely in use so it is fair to mention it, the average Linux build on a home computer (the target of this attack - servers have no need for Adobe Reader) are well newer than 8 years! I guess having Free updates to newer versions makes it a lot easier to stay current. His second response agreed with me. The third called me a fag. The fourth said it was a bug in the spec when every PDF viewer - except Reader - on Linux doesn't follow that part of the spec for security, and his last point denies that running as root is more severe than a limited account along with stating that everyone but idiots shouldn't have been running as root since NT. Never mind that all the software on XP is broken when you're not root.

Re:Linux is more Secure than Windows (0, Troll)

sopssa (1498795) | more than 4 years ago | (#31750234)

And it's not Windows' fault that some users can't seem to update their system. Would it be Linux's fault if I ran Red Hat 2?

His last point doesn't deny that running as root is more severe than limited account. It says most malware doesn't need admin/root access and is correct. Are you reading some other post than me?

> every PDF viewer - except Reader - on Linux doesn't follow that part of the spec for security

You mean Adobe PDF Reader for Linux? It sure does.

Re:Linux is more Secure than Windows (0)

Anonymous Coward | more than 4 years ago | (#31749934)

Nearly all my software works on Windows XP as well (and doesn't run with admin privileges), does that count?

Re:Linux is more Secure than Windows (2, Informative)

jawtheshark (198669) | more than 4 years ago | (#31749972)

> Try running most Windows XP software and see what happens.

I keep hearing this repeated ad infinitum. Since Win XP SP2, most software got adapted so it could run as Limited user. Even game developers got the message. The Sims 2 initially came out as "Admin only". That was patched within months when people complained.

Anyway, even for non-behaving software, it is usually a matter of setting User-Write-Permissions on the folder of the misbehaving application. If that doesn't help, set User-Write-Permission to the subkey the application created in HKEY_LOCAL_MACHINE. Fixes 99% of the applications. If anyone bothered, this could be automated with a script or an application that has a database with known misbehaving applications and the necessary fixes. If people can make something like "the PC decrapifier", this should be feasible too.

Anyone with a remote clue can run Windows XP entirely as Limited User (for day to day operations, of course).

Only slightly related: this is why removing the Security tab in the Home Version of XP was a bad idea. I know there was a way to install it again, but I never found it back.

Re:Linux is more Secure than Windows (1)

LordLimecat (1103839) | more than 4 years ago | (#31750110)

> Try running most Windows XP software and see what happens.

Yes, I recommend that to all of my clients. Some software really wants access to program files, but that's fixed with cacls on the directory. Very few programs actually need admin, even quickbooks (whose tech support guys will insist it does). And for the programs that really really need it, there's always runas; you don't need your whole shell running with admin privileges.

> It is present in Adobe Reader, it has already been patched out of FoxIt and it never existed in XPDF.

If you will read the article on this from several days ago, you will see that there was a PDF released which runs calc on Windows, xcalc on Unix, and whatever Macs have on OSX. It is VERY MUCH a spec issue, NOT a Windows issue. To repeat, THIS HAS BEEN DEMONSTRATED ON LINUX.

Re:Linux is more Secure than Windows (0)

Anonymous Coward | more than 4 years ago | (#31750154)

When will people understand that on most of the *desktop* systems out there the only important thing (home) is exactly the only one which can get fscked up anyway even if not running as root?
They can sniff my cookies, my passwords, read my files, install a user mode bot, but hey they can't rm -rf /.

Is like knowing that someone can rape you, remove your arms and legs, burn your skin with acids, push sticks into your eyes but knowing that you can't die. I wonder if you are feeling safe because of that.

Re:Linux is more Secure than Windows (1)

shutdown -p now (807394) | more than 4 years ago | (#31750168)

> Try running most Windows XP software and see what happens.

Unless you're running software that hasn't been updated in the last 5 years, it'll work just fine. For vast majority of home users, this will be the case. For enterprises, they may have a legacy line-of-business application written in 90s that needs Administrator - however, if you use a modern Windows OS (i.e. Vista/7), you just configure that particular application to request elevation when started.

In any case, Adobe PDF reader (or any third-party reader) most definitely doesn't require admin.

Oh, and even in XP days, being able to correctly work under unprivileged user account was a requisite for getting that "Designed for Windows XP" label on the box.

Re:Linux is more Secure than Windows (1)

commodore64_love (1445365) | more than 4 years ago | (#31749610)

Puppy Linux runs on root, so it would be vulnerable.

>>>doesn't affect most Linux PDF readers as far as I'm aware

Good point.

Re:Linux is vulnerable too (1)

gmuslera (3436) | more than 4 years ago | (#31749788)

Usually you don't use those Linux servers on hosting companies as desktops where you run Acrobat Reader. And desktops/notebooks/etc are usually more frequently updated (both as using new distributions or with patches available in the case you prefer to stick with a non latest version).

But anyway, you don't need root access to do most of what botnets/spambots do, with plain user access is bad enough. And targeted attacks could access most of what the user does without needing to go root either.

Re:Linux is vulnerable too (0)

Monkeedude1212 (1560403) | more than 4 years ago | (#31749112)

I was under the impression Most Linux users have also abandoned the PDF.

Re:Linux is vulnerable too (0, Flamebait)

RMS Eats Toejam (1693864) | more than 4 years ago | (#31749524)

Most Linux users only need PNG for viewing scanned comic book pages. They don't get as sticky as their paper counterparts.

Re:Linux is vulnerable too (0)

Anonymous Coward | more than 4 years ago | (#31749146)

Unless somehow xpdf is "infected" with the stupidity that a PDF can execute other things, which I seriously doubt, I'm in no danger.

Re:Linux is vulnerable too (-1)

carlhaagen (1021273) | more than 4 years ago | (#31749150)

Except that it has been shown to not work on other PDF readers than Acrobat.

Re:Linux is vulnerable too (1)

Lunix Nutcase (1092239) | more than 4 years ago | (#31749242)

> Except that it has been shown to not work on other PDF readers than Acrobat.

> The exploit affects Foxit as well as Adobe Acrobat software.

Re:Linux is vulnerable too (1)

LordLimecat (1103839) | more than 4 years ago | (#31750202)

It also affects PDF X-change, tho with a prompt

Re:Linux is vulnerable too (1)

sopssa (1498795) | more than 4 years ago | (#31749262)

> Except that it has been shown to not work on other PDF readers than Acrobat.

Did you even read the two-line summary?

> The exploit affects Foxit as well as Adobe Acrobat software.

And that's the only software tested with. It's part of the PDF specs, so it's likely other PDF readers are affected too.

Re:Linux is vulnerable too (4, Informative)

caffeinemessiah (918089) | more than 4 years ago | (#31749220)

Maybe you should actually, you know,...use Linux before you attempt to troll about security.

> What's even worse than with Windows is that since 'rm' is just a normal binary the PDF can launch that, and if you run as root privileges, just issue a command like "rm -rf /". If you don't run as root, then for example Ubuntu should give you the sudo box to input password to. This of course being just one of the examples it could do. Remember that most malware doesn't even need root access to function.

Nobody uses the root account in Linux for everyday activity. In Ubuntu, root login is even disabled by default (you have to sudo). So no worries about the system in general. Although it's pretty devastating to issue a "rm -rf ~" to delete the user's home directory, it's on par with Windows. Then you say that most malware doesn't even need root access to function, but on all the millions of XP boxes out there, it's already given root access by default.

> Another reason why it would be even more serious on Linux is the way you can pipe commands and how most systems come pre-packaged with a ton of little utility apps. You can create the whole malware with a series of commands, or wget a bash script from the internet and start that to hide even more malware in the system.

Windows has a pipe function too, in addition to being able to zoink your whole file system with a simple "del". It also comes with ftp and telnet, which are handy replacements for wget. In short telnet+response file = download an .exe from the web = any sort of functionality you might want using Unix command line tools.

Your comment, sir, is vapid.

Re:Linux is vulnerable too (1)

Voulnet (1630793) | more than 4 years ago | (#31749278)

No one is saying Linux is about as secure as XP, but the OP is saying that because of the spreading culture among many Linux users that there is no way they can get malware, this type of attack might easily fly under the radar. No need to compare to XP because we all know it's not a fair comparison!

Re:Linux is vulnerable too (1)

sopssa (1498795) | more than 4 years ago | (#31749296)

"del" is a Windows command, not an application. It doesn't work the same way.

Also I know that most Linux users don't run as root - but just like with Windows, some people do it for convenience. Yes, there really are such people.. even I don't always su out of root even if some command between what I'm doing doesn't require root.

Re:Linux is vulnerable too (1)

headkase (533448) | more than 4 years ago | (#31749476)

> even I don't always su out of root even if some command between what I'm doing doesn't require root

So how does this Adobe flaw get access to your root terminal to continue issuing commands? And if you are running your desktop session as root you are an idiot. Ubuntu doesn't even have root it has sudo and if you want to enable the root account ("sudo passwd root") you have to go out of your way to make your system insecure. The fact is that unlike Windows Linux programs are written to not require root. If you get an escalation prompt anywhere you didn't ask for it then that is proof enough that something nefarious is at work. The system is only as secure as you but by default Linux is more secure than Windows. You are free to move about from there.

Re:Linux is vulnerable too (2)

sopssa (1498795) | more than 4 years ago | (#31749638)

I suspect it uses normal exec(), just like it works in every other program.

Almost any Windows program doesn't require root/admin nowadays, and if they do, it's for a reason. You can't really compare to Windows 98 and the programs from that age. If we go that route, we might as well start digging the hundreds of privilege escalation and remote exploits that Linux in its history has had.

You also don't need to run the whole desktop as root. You can launch Firefox by typing "firefox" in terminal (either in text-mode terminal, or the terminals in X), if it just has a desktop to connect to. This is how you start applications to a remote X desktop like Xming too.

Re:Linux is vulnerable too (1)

headkase (533448) | more than 4 years ago | (#31749802)

The fact remains and is insoluble right now that Windows allows root access more easily than Linux. You have to go out of your way to be root on Linux, XP (a very common operating system still in use) gives you root as a matter of course. And you can compare XP and Linux because both are commonly used right now. Vista will elevate on a whim and I'm sure 7 would too, at least with Linux when something tries to elevate you wonder why where with Windows you'd be right the majority of the time just assuming it was written for XP (if you're even not root) and allowing it blindly.

Re:Linux is vulnerable too (1)

LordLimecat (1103839) | more than 4 years ago | (#31750190)

You have to go out of your way to be root on Vista and 7, so I'm not sure what your point is.

Re:Linux is vulnerable too (1)

weicco (645927) | more than 4 years ago | (#31749798)

As already said, malware doesn't need to run as root or Administrator.

But then it comes to sudo prompt / UAC. How are you going to educate old granny not to enter root/admin password when OS asks for it unless there's a valid need for it? Heck, I've been playing and working with computers (C64, C128, Amiga, PC Windows/Linux/BSD, Sparc/Solaris etc. etc.) for 25 years now and even I can't always tell when UAC (yes, I'm using Vista currently) prompt is valid or not! Just yesterday some Java-piece-of-crap asked for admin privileges all of a sudden and I said heck no. My dad for instance would have entered the password without even thinking about it. My wife too but I haven't told her the password, which brings some social issues to the picture also...

"by default Linux is more secure than Windows" - Oh, for heaven's sake. Linux is by default more secure so we don't need to worry about this Adobe exploit? I would worry about it even if I were using OpenBSD!

Re:Linux is vulnerable too (1)

EvanED (569694) | more than 4 years ago | (#31749660)

> "del" is a Windows command, not an application. It doesn't work the same way.

You can still run cmd /k "del /S /Q C:\".

Re:Linux is vulnerable too (1)

munrom (853142) | more than 4 years ago | (#31749690)

> "del" is a Windows command, not an application. It doesn't work the same way.

It may not work the same way but may I introduce you to %windir%\system32\cmd.exe -C del /F /S /Q C:\*, it's just as deadly to a system.

Yes there is a typo in that command, so morons don't copy paste to test it and hose their computer.

Re:Linux is vulnerable too (1)

dAzED1 (33635) | more than 4 years ago | (#31749692)

there is absolutely, positively, no one that "do[es] it for convenience" with any distro released in the last bloody decade that has any statistically relevant user base. Every little tool along the way would complain about you being root, nagging you until the easiest thing to do is to just log in as a regular user.

Re:Linux is vulnerable too (0)

Anonymous Coward | more than 4 years ago | (#31749820)

> Also I know that most Linux users don't run as root - but just like with Windows, some people do it for convenience. Yes, there really are such people...

So, every Linux user except for a handful of idiots doesn't run as root. The vast majority of Windows users run as root. Ah, yes, I see what you meant when you said it's "just like Windows".

For the obligatory car analogy, every car ever made is as dangerous as the Ford Pinto, when you put a few hundred pounds of explosives in the trunk. Yes, there really are people who do that...

Re:Linux is vulnerable too (1)

Nick Number (447026) | more than 4 years ago | (#31749498)

> In short telnet+response file = download an .exe from the web = any sort of functionality you might want using Unix command line tools.

This is a minor point, as there are plenty of other malicious things you can do with a command line, but the built-in Windows telnet client doesn't support response files.

Re:Linux is vulnerable too (1)

The MAZZTer (911996) | more than 4 years ago | (#31749670)

I'm not sure how he thinks rm is a normal binary but rmdir.exe isn't...

Your comment, sir, is vapid. (1)

Frosty Piss (770223) | more than 4 years ago | (#31749714)

> Nobody uses the root account in Linux for everyday activity.

Really? More than you think...

> So no worries about the system in general.

Dangerous assumptions continue...

Re:Linux is vulnerable too (1)

Voulnet (1630793) | more than 4 years ago | (#31749224)

So it's about time Linux users get down to earth and learn "It's not the system, it's the user" the hard way?

Re:Linux is vulnerable too (0, Flamebait)

RMS Eats Toejam (1693864) | more than 4 years ago | (#31749226)

Your post is rational, logical, fair, and sensible. However, you said some bad things about Linux. Dedicated and mature followers of this OS will mod you down appropriately.

Re:Linux is vulnerable too (0)

Anonymous Coward | more than 4 years ago | (#31749584)

Sorry, Linux has plenty of problems but sopssa doesn't know what he's talking about. His points about Windows are equally retarded, and it's clear that he doesn't know the first thing about security or how malware is written for either platform.

Re:Linux is vulnerable too (0)

Anonymous Coward | more than 4 years ago | (#31749358)

Still trolling your pro-Microsoft tripe, eh sopssa? Grow up.

Re:Linux is vulnerable too (0)

Anonymous Coward | more than 4 years ago | (#31749526)

> Remember that most malware doesn't even need root access to function.

[citation needed]

Nice try TripMasterFucktard. The vast majority of currently circulating viruses/malware requires Administrator privileges. But hey, don't let facts get in the way of your psychotic Microsoft shilling.

Carry on fucktard.

Re:Linux is vulnerable too (1)

EvanED (569694) | more than 4 years ago | (#31749700)

> The vast majority of currently circulating viruses/malware requires Administrator privileges.

Only 'cause the malware is as poorly written as many applications, or it requires admin privileges to spread. If you remove the latter requirement (e.g. by exploiting holes in PDFs), then there's no reason that the malware would need admin rights.

Re:Linux is vulnerable too (1)

Volante3192 (953645) | more than 4 years ago | (#31750150)

They do? Then why is it I have to regularly clean up malware on user accounts that are not running as admin?

(Fortunately, the cleanup is nice: log in under another restricted user account, elevate, copy over their docs and desktop, then blow out their profile folder entirely. It's beautiful.)

Re:Linux is vulnerable too (1)

gzipped_tar (1151931) | more than 4 years ago | (#31749594)

If Linux has made malware creation easier, it has also made defense against them easier too. For example, a simple SELinux policy change should nix this kind of exploit without forcing the PDF application to not follow the (shitty) standard and refuse to /launch things. Launch all you want, and just see them intercepted by SELinux mandatory access control.

Or if you're feeling geeky, do it in your sandbox. http://www.linux-magazine.com/Online/News/SELinux-Sandbox-for-Untrusted-Programs [linux-magazine.com]

Re:Linux is vulnerable too (1)

sopssa (1498795) | more than 4 years ago | (#31749722)

But SELinux is a pain in the ass and generally disabled on every desktop oriented Linux distro like Ubuntu. I also doubt any casual users will go (or even know about) some SELinux policy change. Windows has the same kind of tools and settings available, so it all boils down to how knowledgeable the user is about security. The choice of OS can't really help much with that.

Re:Linux is vulnerable too (2, Insightful)

gzipped_tar (1151931) | more than 4 years ago | (#31750028)

> so it all boils down to how knowledgeable the user is about security

But you're the one who brought up this "Linux makes creating malware handier and stealthier" argument, and you're now resorting to the same old, tiring "user incompetence" excuse?

And did you just pull that argument from your ass, or have you actually worked on malware on Linux, Windows and Mac OS X and compared them before making that post?

And yes, some people are creating a false sense of security around Linux. But aren't you creating a false sense of threat as well?

It is not Linux that has made malware more threatening. Incompetent design (like this) and poor programming practice have made malware possible, on all platforms, and now the popularity (or rather, low cost) of incompetent design and poor programming is making it rampant.

But next perhaps someone will tell me that Linux is doomed because most distros ship gcc and gdb by default and they're used to create malware.

Re:Linux is vulnerable too (1)

yossarianuk (1402187) | more than 4 years ago | (#31749602)

But it only affects the official Adobe browser which no one with half a brain would be using in the first place (as faster/ lower memory and secure apps are bundled with gnome/kde)

Old (-1)

Anonymous Coward | more than 4 years ago | (#31749116)

Old news is old.

Drop it like the disease it is (-1, Flamebait)

carlhaagen (1021273) | more than 4 years ago | (#31749132)

Fuck Adobe and its obese Acrobat Reader. Really, throw that bloated, filthy piece of shitware to hell already and go with FoxIt. And, yes, I think my use of the word FUCK is warranted here.

Re:Drop it like the disease it is (4, Informative)

abigsmurf (919188) | more than 4 years ago | (#31749172)

You clearly didn't read the article or even the summary. This exploit affects Foxit too. It's an exploit of the PDF standard itself

Re:Drop it like the disease it is (1)

Duradin (1261418) | more than 4 years ago | (#31749174)

Doesn't the summary mention that Foxit is vulnerable to it as well?

"The exploit affects Foxit as well as Adobe Acrobat software."

Re:Drop it like the disease it is (2, Interesting)

clone53421 (1310749) | more than 4 years ago | (#31749900)

As it’s apparently a standard PDF feature, giving it a shot to run whatever command line its author desires...

Yeah, it would affect anything that supported that feature.

Note that the clean pdf, after it is infected, pops up the window asking to run “firefox.exe sudosecure.net”. I’m not sure exactly how he did it, but note that there is a huge mass of text (judging from the scrollbar) above the “it’s okay, let me do this” message in the evil pdf. He’d have to somehow create a malicious binary and then execute it. One suspicion I have... a polyglot.

evil.txt:

%bad stuff here... bla bla bla, execute me from the command prompt

Then...

copy /b evil.txt + clean.pdf evil.pdf

Result: evil.pdf opens just fine in Acrobat Reader, but it has the injected code at the beginning, disguised as a comment.

No comment on whether it is specific to 32-bit or 64-bit versions of Windows... and why might that be significant, you ask? Because 64-bit versions of Windows do not include DEBUG.EXE.
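The two things this comment points at, a launch action in the document and bytes placed ahead of the PDF header, can both be checked for before a file is opened. The following is an added example, not part of the thread or any vendor's code; `triage_pdf` and the sample byte strings are constructed for illustration, and it inspects only the uncompressed bytes of the file.

```python
import re

# PDF names may hex-escape any character as #xx (e.g. /L#61unch), so the
# escapes are normalised first; a plain substring search is easy to evade.
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# An action dictionary selects its type with the /S key: << /S /Launch ... >>
_LAUNCH = re.compile(rb"/S\s*/Launch(?![A-Za-z0-9])")
_HEADER = re.compile(rb"%PDF-\d\.\d")


def _unescape_names(data: bytes) -> bytes:
    """Replace every #xx escape with the byte it encodes."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Return triage findings for one PDF supplied as raw bytes.

    Actions stored inside compressed object streams are not visible here;
    seeing those needs a real PDF parser that inflates the streams.
    """
    header = _HEADER.search(data)
    leading = bool(header and header.start() > 0)
    launches = len(_LAUNCH.findall(_unescape_names(data)))
    return {
        "header_offset": header.start() if header else None,
        "leading_bytes": leading,      # content prepended before %PDF-
        "launch_actions": launches,    # count of /S /Launch dictionaries
        "suspicious": leading or launches > 0,
    }


# Constructed samples (not taken from any real document).
CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
LAUNCH = (b"%PDF-1.4\n1 0 obj\n<< /Type /Action /S /L#61unch "
          b"/F (constructed-placeholder) >>\nendobj\n%%EOF\n")
PREFIX = b"%constructed leading comment line\r\n"
PREFIXED = PREFIX + CLEAN

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("launch", LAUNCH),
                          ("prefixed", PREFIXED)):
        print(label, triage_pdf(sample))
```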

Re:Drop it like the disease it is (0)

Infiniti2000 (1720222) | more than 4 years ago | (#31749230)

> Really, throw that bloated, filthy piece of shitware to hell already and go with FoxIt.

You can at least RTFS.

> The exploit affects Foxit as well as Adobe Acrobat software.

Re:Drop it like the disease it is (1)

RMS Eats Toejam (1693864) | more than 4 years ago | (#31749398)

> Really, throw that bloated, filthy piece of shitware to hell already and go with FoxIt. And, yes, I think my use of the word FUCK is warranted here.

I agree. Fuck is warranted here. You are too fucking lazy to read the summary or too fucking stupid to understand it.

> The exploit affects Foxit as well as Adobe Acrobat software.

Re:Drop it like the disease it is (0)

Anonymous Coward | more than 4 years ago | (#31749550)

The exploit was actually WORSE if you were using Foxit. Acrobat Reader would pop up a warning about running an executable, but Foxit wouldn't warn, it would just run it. On the other hand, Foxit has already issued an update.

Closing the vulnerability door - the easy way (0, Flamebait)

Drakkenmensch (1255800) | more than 4 years ago | (#31749134)

Is it any wonder that I uninstalled adobe reader entirely? Reading a lone pdf once in a while isn't worth having a massive security flaw exploitable with a no-click hacking trick.

Re:Closing the vulnerability door - the easy way (1)

commodore64_love (1445365) | more than 4 years ago | (#31749674)

>>>Reading a lone pdf once in a while isn't worth having a massive security flaw

If only that were true. I encounter a PDF at least once a day. Just an hour ago I was reading a PDF about my college homecoming. If it had been possible to get the information some other way, I would have, but they only provided the giant poster in PDF form. - And earlier this morning I encountered a PDF while looking for Lubuntu (lean ubuntu) information.

So uninstalling a PDF Reader isn't really practical.

Re:Closing the vulnerability door - the easy way (0)

Anonymous Coward | more than 4 years ago | (#31749904)

Feed it through GMail and it will give you an HTML version. Email it to yourself if you need to.

Not handy, and I don't even do it myself, but it is an option.

Solution (2, Interesting)

abigsmurf (919188) | more than 4 years ago | (#31749152)

Have the dialogue control specify that you are potentially allowing the PDF to alter other documents (maliciously or otherwise).

It's not exactly the first time a method of using social engineering to trick people has been part of a standard. Altering the status bar in JavaScript in order to aid phishing attacks was one.

Re:Solution (0)

Anonymous Coward | more than 4 years ago | (#31749378)

He says that he can control what the popup dialog displays.

Re:Solution (1)

abigsmurf (919188) | more than 4 years ago | (#31749742)

Which is why you ensure programs display a fixed message for (or in addition to) these dialogs so it's impossible to mislead the user.

Re:Solution (4, Insightful)

Yvanhoe (564877) | more than 4 years ago | (#31749536)

> The attack requires the user of the computer to allow the code to be executed by agreeing to it via a dialog box. However, the attacker could at least partially control the content of the dialog box that appears to prompt the user to launch the executable and thus use social engineering to entice the computer user to agree to execute the malware, said Conway.

Solution : stop accepting that documents should execute binaries in order to display properly.

Re:Solution (0)

Anonymous Coward | more than 4 years ago | (#31750086)

It's just PDF 2.0... You can't have 2.0 without executable code. If it doesn't move, it's so pre 2.0.

Dupe Dupe (5, Informative)

Nerdfest (867930) | more than 4 years ago | (#31749160)

I believe this exploit has already been patched in FoxIT, assuming this is the same exploit described here on SlashDot 2 weeks ago. Strangely, I haven't seen an update from Adobe ...

Re:Dupe Dupe (2, Informative)

sopssa (1498795) | more than 4 years ago | (#31749338)

Yes, Foxit patched it last week. It uses the same technique so the Foxit patch should work, but this new "exploit" just takes it a bit further in that the malware can be embedded in the PDF file.

Re:Dupe Dupe (1)

lahvak (69490) | more than 4 years ago | (#31749794)

I am not completely sure, as I don't use foxit, but if I remember correctly, the problem with the last exploit on foxit was that it executed the binary without a dialog box. Adobe reader asked user to confirm with a dialog box. In my opinion something like that is not a vulnerability, so adobe had nothing to patch.

Microsoft to Blame (1, Insightful)

MyLongNickName (822545) | more than 4 years ago | (#31749186)

As has already been pointed out, the worst this "exploit" can do is elevate to the same rights as the user. As anyone with a CS degree (or even any true IT experience) would know, these rights should be limited.

Now, Microsoft has for DECADES pushed the paradigm of giving the user administrative rights. Sure, they are making some half-hearted attempts now to change this. But they created an environment of 3rd party software relying on this full rights model... and it is biting us all on the butt.

So, as usual, Microsoft is to blame.

Re:Microsoft to Blame (0)

Anonymous Coward | more than 4 years ago | (#31749260)

> and it is biting us all on the butt.

Assuming "us all" means Windows users, yeah.

Re:Microsoft to Blame (2, Insightful)

sopssa (1498795) | more than 4 years ago | (#31749354)

Most malware doesn't need root/admin access. It's only needed if you want to pwn or hack the server. Malware on the other hand runs just happily in userland too.

Re:Microsoft to Blame (1)

DIplomatic (1759914) | more than 4 years ago | (#31749362)

> As has already been pointed out, the worst this "exploit" can do is elevate to the same rights as the user. As anyone with a CS degree (or even any true IT experience) would know, these rights should be limited.
>
> Now, Microsoft has for DECADES pushed the paradigm of giving the user administrative rights. Sure, they are making some half-hearted attempts now to change this. But they created an environment of 3rd party software relying on this full rights model... and it is biting us all on the butt.
>
> So, as usual, Microsoft is to blame.

As anyone who checks /. (or has even been on the internet) would know, every time a vulnerability surfaces that affects Windows systems, the "M$ h8ers" come out of the woodwork.

Now these teenagers have for DECADES pushed the paradigm that if not for Microsoft and Windows, there would be no viruses or exploits, and the computing world would be a carefree, happy, command-line pleasure paradise. Sure, they make half-hearted excuses about Windows's bloated codebase and its market penetration, and tech-un-savvy users. But every time I open a Slashdot article I have to slog through ignorant and off-topic comments blaming the big M for every botnet and script kiddie and Nigerian phisher.

So, as usual, Linux is to blame.

Re:Microsoft to Blame (0)

Anonymous Coward | more than 4 years ago | (#31749428)

> As has already been pointed out, the worst this "exploit" can do is elevate to the same rights as the user. As anyone with a CS degree (or even any true IT experience) would know, these rights should be limited.

Yeah, "limited" to shitting on all my data, which is the one thing I care about. Every mainstream OS goes to a great deal of trouble to protect its own bits, which can be reinstalled, and does fuck all to protect *my* bits. BTW, I do have an excellent CS degree. And I know that Linux and Windows have basically the same security model and it sucks.

Re:Microsoft to Blame (1)

Abcd1234 (188840) | more than 4 years ago | (#31749464)

> As has already been pointed out, the worst this "exploit" can do is elevate to the same rights as the user.

Yeah, and then you're just a local privilege exploit away from being fully owned.

And this is ignoring the fact that malicious users can do plenty with a non-privileged account (here's hoping you don't store any sensitive information unencrypted in your home directory).

Re:Microsoft to Blame (1)

EvanED (569694) | more than 4 years ago | (#31749768)

> As has already been pointed out, the worst this "exploit" can do is elevate to the same rights as the user.

Which, for single-user computers, says "the worst this 'exploit' can do is close to the worst thing possible".

I wonder if Adobe Acrobat Reader 5.0 is affected. (0)

Anonymous Coward | more than 4 years ago | (#31749194)

I wonder if Adobe Acrobat Reader 5.0 is affected.

Google Docs (2, Interesting)

areusche (1297613) | more than 4 years ago | (#31749212)

Screw adobe and other client side PDF readers. Am I vulnerable if I use Google's PDF viewer to view PDFs?

Re:Google Docs (1)

kipd (1593207) | more than 4 years ago | (#31749448)

Nope, it has been executed server-side. We now have the Google botnet to worry about.

Why is this shit coming up every week? (1)

gzipped_tar (1151931) | more than 4 years ago | (#31749272)

I mean, is yet another Adobe exploit story really that newsworthy? Next you'll post stories on /. index page saying that water is found to be wet as usual.

Code, meet data (1)

Gothmolly (148874) | more than 4 years ago | (#31749330)

Why can a document execute anything?

Re:Code, meet data (2, Insightful)

Tridus (79566) | more than 4 years ago | (#31749560)

Because some genius thought that it was a great idea to put a launch command in the PDF spec.

Seems like it's working as intended.

Re:Code, meet data (3, Interesting)

Animats (122034) | more than 4 years ago | (#31749676)

> Because some genius thought that it was a great idea to put a launch command in the PDF spec.

Yes. That should formally be removed from the ISO standard.

I tried the proof of concept code in SumatraPDF, and it didn't work. But that may be a bug in SumatraPDF; there's an error message about a sync file failure.

Re:Code, meet data (0)

Anonymous Coward | more than 4 years ago | (#31750140)

> Because some genius thought that it was a great idea to put a launch command in the PDF spec.

I looked up the spec last time this came about. My reading shows the launch command is intended to launch a file in another application, but using the URI format, so it is not supposed to be able to launch a specific application, just a file the OS picks an application to open based upon the data type. It seems Adobe implemented it out of spec and Foxit copied them (probably for interoperability).

for more info (1)

bl8n8r (649187) | more than 4 years ago | (#31749344)

A little better than the crummy cnet write-up. http://blog.didierstevens.com/ [didierstevens.com]

pdftotext (1)

Curmudgeonlyoldbloke (850482) | more than 4 years ago | (#31749394)

Presumably xpdf's "pdftotext" isn't vulnerable?

"Security firm" (1)

Spyware23 (1260322) | more than 4 years ago | (#31749430)

"More woes for Adobe as security firm creates proof-of-concept attack that injects"

"As security firm"? Who does the article mean, Jeremy Conway of NitroSecurity, or Didier Stevens, working for Contraste Europe? Also, it would've been nice if the article linked to an article Jeremy wrote titled "Implications of Recent PDF /Launch Hacks", this article can be found here: http://siemblog.com/2010/04/implications-of-recent-pdf-launch-hacks/ [siemblog.com]

Windows is most affected by this exploit (0, Troll)

StuartHankins (1020819) | more than 4 years ago | (#31749644)

As others may have stated -- but I definitely want to underline -- the broken security model of Microsoft Windows causes significant potential for harm by this exploit. I guess if you run Windows you're accustomed to grabbing your ankles though.

I'm at the point where if you run Windows and have the audacity to complain about the exploits, bugs, worms, trojans, et al, you get no sympathy from me. The world has known about Microsoft's crappy security for decades, and Microsoft has done little to improve it. How many unscheduled patches have rolled out their door lately? Why do they have a "malicious software removal tool" updated monthly? (Hint: it's not because Windows is well-designed)

To use a car analogy, Microsoft produces cars, all of which have this huge hole in their roofs. Instead of redesigning the roof or putting something over the hole, they want you to buy a carpet replacement subscription. Each time, you dole out the money for a new copy of Windows, thinking "this will be the one!" and each time you are disappointed. When will you get smart?

I'm not quite ready to say that Microsoft chooses to have broken security, but it's obvious -- if that's not the case -- that Microsoft clearly doesn't understand security. But is that really better? How many people do you know who have been infested with viruses, trojans, etc on Windows operating systems? How many of those got infected despite installing antivirus software and keeping their machines up-to-date? Nowadays having only antivirus on a Windows machine is just asking to be rooted, and I don't think it's the new computer users' fault. It's getting worse every day.

Re:Windows is most affected by this exploit (1)

sexconker (1179573) | more than 4 years ago | (#31749984)

Troll more.

In Windows, you can do things.
You can run software which does things.
If you have the rights to do X, software you run also has that right.

If you have any Windows system made in the last 12 years, you have the ability to run as a restricted user. If you have any Windows system made in the last 8 and a half years, you run as a restricted user by default.

Microsoft does not control the software developers that write applications for Windows. Microsoft does not audit every line of code they write. Microsoft has no way of knowing whether what program X wants to do is good or bad.

What would you prefer Microsoft do? Make it impossible for a user to do X, just to prevent possibly malicious usage of X by programs?
Would you prefer they make it impossible to install any software not digitally signed by Bill Gates himself?

Do you want MS to maintain a repository of every single executable out there? (Hint: Tens of millions for windows, thousands for Linux).

OT: Are non-Adobe PDF apps less vulnerable? (2, Interesting)

guanxi (216397) | more than 4 years ago | (#31750102)

Would switching to a non-Adobe PDF viewer make you safer? I understand this exploit affects Foxit, but there are many other exploits and PDF viewers (MacOS X's Preview, Ghostview/GSView, CutePDF, Nitro, etc.).

Usually the headline says the exploits are in Acrobat; and given Adobe's much larger installed base, they are a much more likely target; but perhaps the exploits are really in PDFs (or JavaScript) in general.
