Forgot your password?
typodupeerror
Security IT

Rogue PDFs Behind 80% of Exploits In Q4 '09 189

Posted by CmdrTaco
from the imagine-if-pdf-was-an-open-format dept.
CWmike writes "Just hours before Adobe is slated to deliver the latest patches for its popular PDF viewer, ScanSafe announced that by its counting, malicious Adobe Reader documents made up 80% of all exploits at the end of 2009. In the first quarter of 2009, malicious PDF files made up 56% of all exploits tracked by ScanSafe. That figure climbed above 60% in the second quarter, over 70% in the third and finished at 80% in the fourth quarter. Mary Landesman, a ScanSafe senior security researcher, said, 'Attackers are choosing PDFs for a reason. It's not random. They're establishing a preference for Reader exploits.' Exactly why hackers choose Adobe as their prime target is tougher to divine, however. 'Perhaps they are more successful,' she said. 'Or maybe it's because criminal attackers are human, too. We respond when we see a lot of people going after a particular product... We all want to go after that product, too. In the attacker arena, they might be thinking, 'Gee, all these reports of Adobe Reader zero-days, maybe I should get in on them too.'"
This discussion has been archived. No new comments can be posted.

Rogue PDFs Behind 80% of Exploits In Q4 '09

Comments Filter:
  • by TubeSteak (669689) on Wednesday February 17, 2010 @10:40AM (#31168848) Journal

    How much danger am I in once javascript is turned off for Adobe's pdf reader?

    • by toleraen (831634) on Wednesday February 17, 2010 @10:58AM (#31169162)
      That and disabling browser integration generally mitigates the issue. That is until they figure out a way to force Reader to use javascript regardless of your setting...
      • Disabling browser integration will not disable javascript in Reader... (in fact many of these exploits will operate normally in the stand-alone product).

        The only real risk of disabling javascript in Reader/Acrobat is that if you try to use any form that has any logic in it - it will of course not work.

        • by toleraen (831634)
          Err, hence I said "That and disabling browser integration" in response to the OP's question.

          There's no risk in disabling it. If you download a form that requires it Reader will prompt you and ask if you want to enable JavaScript for that particular PDF. If it's from a trusted source, go ahead and allow it. I've seen plenty of PDFs prompt for Javascript access and when denied seem to have no negative impact. Forms are about the only type I've seen that are impacted.
    • by Krneki (1192201)
      Never, ever install the PDF plug-in, for any browser. They are slow as hell and open up security issues. Always open PDF files with a stand alone program and for added security make sure it ain't Adobe.
  • by Monoman (8745) on Wednesday February 17, 2010 @10:47AM (#31168966) Homepage

    Is the problem with the Adobe Reader program itself or the file format? Do third party PDF readers have the same security issues?

  • Me too? NOT (Score:5, Interesting)

    by ratboy666 (104074) <fred_weigel&hotmail,com> on Wednesday February 17, 2010 @10:48AM (#31168994) Homepage Journal

    The reason for the PDF preference is not "me too". It is, simply, the best current trojan delivery vehicle. I send my CV in PDF format, most of the documents that I deal with are in PDF format.

    And I have no way of telling if opening a particular PDF in a particular reader will cause an exploit.

    Most users/blockers will not allow EXEs, and can open "ZIP" files to determine if an EXE is enclosed. Microsoft Word has been "hardened". The exploits are going for the weakest part -- output that is in a universal format and is commonly shared. That just happens to have one reader that has most of the market share.

    Which means that I will continue to use "Evince" and hope that it won't be targeted soon.

    • by Trepidity (597) <delirium-slashdot@h a c k i sh.org> on Wednesday February 17, 2010 @10:52AM (#31169050)

      It is, simply, the best current trojan delivery vehicle. I send my CV in PDF format

      That is also my reason for choosing this fine document format for my CV.

    • Re:Me too? NOT (Score:5, Insightful)

      by gad_zuki! (70830) on Wednesday February 17, 2010 @10:59AM (#31169170)

      Adobe reader's web plugin simply opens PDFs without any warning. Nor does it warn if there is javascript running on the PDF. Its a cracker's dream. Most other applications give some kind of warning, especially if there's something scripted in the document. Adobe does none of this. Heck, you can disable Javascript but it will helpfully remind you that its disabled and offer to unblock it if you attempt to open a pdf with javascript. Its really an incredibly terrible way to handle security.

      This thing should at least be shipping with js disabled and the only way to enable it is by going into Preferences. The web plugin should be retired and just force the pdf to open in the full reader. One can dream, right?

      • Re:Me too? NOT (Score:4, Insightful)

        by LenE (29922) on Wednesday February 17, 2010 @12:13PM (#31170486) Homepage

        Worse yet, instead of warning you that a PDF is about to execute JavaScript code, Adobe Reader actively and repeatedly harasses you if you turn off JavaScript, telling you that it won't work properly. This, even if the PDF you are viewing contains no JavaScript whatsoever.

        Instead of bothering you when you do something dangerous, it bothers and encourages you to let it behave insecurely. Adobe has become the new Microsoft, with respect to hindering user security.

        -- Len

        • Re:Me too? NOT (Score:4, Informative)

          by Skuld-Chan (302449) on Wednesday February 17, 2010 @12:54PM (#31171268)

          Worse yet, instead of warning you that a PDF is about to execute JavaScript code, Adobe Reader actively and repeatedly harasses you if you turn off JavaScript, telling you that it won't work properly. This, even if the PDF you are viewing contains no JavaScript whatsoever.

          Hrm tested this in 9 - it only complains with Javascript disabled that the PDF contains some elements that might not be displayed properly because of the preference, and ONLY IF you open a PDF with Javascript in it.

          Static PDF files it does not display any warning if JS is off.

          • by Spit (23158)

            That's even worse; user opens the malware PDF which contains JS, Adobe reader moans that JS is diabled and the document is screwed without it, user enables JS. Very poor.

      • Interestingly enough - in my days at Adobe doing Tier 3 support - the exploit PDF's I'd get from various sources internally were hard to move around the network because virus scanners would delete or clean them up.

        I found this rather surprising many times because these scanners would do this to files that were zero day exploits and files that weren't yet disclosed to the public.

        Also if your installing reader to your enterprise you can disable browser integration, javascript and a myriad of other features ou

      • This US-CERT vulnerability note has details for steps for making Adobe Reader safe to use:
        http://www.kb.cert.org/vuls/id/508357 [cert.org]

        As you mentioned, disabling JavaScript helps. But you can also prevent PDFs from opening automatically with the plug-in, and also prevent them from opening automatically with the stand-alone reader. There are some other mitigations there as well.

        Of course, this all requires manual configuration. There is no hope for the average home user.

    • Re:Me too? NOT (Score:5, Insightful)

      by nine-times (778537) <nine.times@gmail.com> on Wednesday February 17, 2010 @11:26AM (#31169640) Homepage

      Most users/blockers will not allow EXEs, and can open "ZIP" files to determine if an EXE is enclosed.

      And IMO this is exactly why everyone should be wary of putting scripting languages into documents. We have a well-established convention of distinguishing "documents" from "applications"; "documents" are passive collections of information, whereas "applications" do stuff.

      We block applications and scripts because they do stuff and we can't easily know what it is that they do, but we don't block documents because, in theory, they can't do anything. Loading a document in its proper viewer application shouldn't do anything that the viewer wasn't explicitly designed to do. If you throw scripting applications and macros into the documents, then suddenly the "documents" do stuff too. This, in my opinion, is bad.

      • If you write a script for Word to do something that would normally take a thousand mouse clicks to do - why is that bad?

        If you have a browser form that has a script to submit to a server and valid the form fields while doing so - why is that bad?

        • by jbengt (874751)

          If you write a script for Word to do something that would normally take a thousand mouse clicks to do - why is that bad?

          It's not bad to run a useful and benign macro that you wrote youself.
          What's bad is that in a botnet's hands VBA has access to the entire computer, and not just to the document or its' folder. (yes, I know that there have been some improvements in that regard, but that depends more on the OS & application settings than on inherent VBA limitations)

        • Re: (Score:3, Insightful)

          by nine-times (778537)

          Just to be clear: I have no problem with macros. I have no problem with scripts. If you want to write a macro in Word that will make your workflow easier and faster, I think that's great. I think it's great that Microsoft had the forethought to include support for scripting in MS Office.

          What I object to is embedding macros in Word documents. I think this is dangerous design. If you want to write your own macro and store it on your computer, then you shouldn't need to embed it in the document itself.

      • by pclminion (145572)

        Believing any document format to be "inert" is a fallacy. All data must be somehow interpreted by the computer in order to be useful -- a pile of bits on a hard drive is not useful to any human. Whether there are exploitable flaws in the software which interprets the data is only loosely related to the data itself. There have been exploitable bugs in everything from PDF readers to MIME decoders to MP3 players. Obviously, deliberately embedding a scripting language into a document format does not help matter

        • ...but don't confuse yourself into believing that some document formats are inherently safer than others. The vulnerability is fundamentally in the software, not the document.

          I'm not the one confusing things. First, of course it's not the format itself, but what's interpreting the file. Text files are pretty harmless all by themselves, but I don't go sending arbitrary text files to be interpreted by bash. Likewise, it's not the inclusion of javascript in PDFs that's a problem, but rather the fact that PDF viewers interpret that javascript creates a great opportunity for malicious code.

          And yes, theoretically, if a viewer has exploitable flaws, then you can exploit them. I'm

        • All data must be somehow interpreted by the computer in order to be useful

          It's not a question of code being run, it's a question of attack surface. A properly-designed document format that does few things can be interpreted by simpler code, and thus is less likely to be exploitable for attacks. PDFs should be proof of this rule by now, given how much of a monstrosity both the spec and Adobe reader are at this point. See also javascript vulnerabilities in browsers.

      • by inviolet (797804)

        And IMO this is exactly why everyone should be wary of putting scripting languages into documents. We have a well-established convention of distinguishing "documents" from "applications"; "documents" are passive collections of information, whereas "applications" do stuff.

        You are making the "keep the code separate from the data!" argument. You forget the one place in every application where code and data intermingle: the stack.

        There is no getting around the stack. It is itself data about what code to exec

    • Re: (Score:3, Insightful)

      Why does a document viewer need to run code (javascript of whatever)

      99.99% of people use it to display and/or print static documents .... it's only that Adobe keep extending it to do thing outside this ....

      The core view a PDF is fairly bug free and exploit free it is the extensions that are buggy and vunerable ....

  • by nstrom (152310) on Wednesday February 17, 2010 @10:52AM (#31169046)

    Attacking Adobe Reader means that people who use Firefox are also at risk. For a long while, the popular security paradigm on Windows was that if you used IE you were at risk, but if you kept up with Windows Update and used only Firefox to browse the web you were pretty much safe from the majority of the exploits in the wild. Now that malicious PDFs are out there in force, users of Firefox are vulnerable once again.

  • one already can't send pdf attachments or even links to pdf to customers without risk of mail being deleted or lost in spam folder.
  • by BlueParrot (965239) on Wednesday February 17, 2010 @10:52AM (#31169058)

    a) Configure your web browser so it asks you to download pdf files instead of opening them automatically.

    b) Use an alternative PDF reader/viewer.

  • by msauve (701917)
    Probably because, based on UI, speed, size, sheer awkwardness and oddball behavior (does it still act like you're doing a reinstall when you change a config option?), Acrobat consists mostly of unmaintainable spaghetti code - leaving it full of potential exploits.
  • So, as I understand it, this article (and the referenced report) refer to code, not the total number of infections/attacks. It would be useful to know (1) how many computers are affected by PDF attacks, and (2) how many PDFs out there are compromised.
  • by mspohr (589790) on Wednesday February 17, 2010 @11:03AM (#31169248)
    I run Linux and Mac and people keep telling me that I am missing out on all this great software... so I want to know if I can run these neat new "Rogue PDFs".
  • by Coopjust (872796) on Wednesday February 17, 2010 @11:07AM (#31169318)
    (Note: Trying not to slashvertise, just sharing some info about a program that's helped me stay secure. I have no affiliation with Secunia, I just like the tool a lot.)

    I scan with Secunia's (a Danish computer security company) freeware tool [secunia.com] to check if I have insecure applications.

    3 times out of 4, when something has a category 4 or category 5 exploit (e.x. click2own), it's Adobe Flash Player, Shockwave, AIR, Reader/Acrobat, etc.

    It's also interesting because it tells you if your browsers are insecure (due to plugins or the browser itself). Both IE8 and Chrome are insecure in current versions with all patches.

    It was pretty eye opening for me, because I thought that I kept secure, but I had 20 insecure applications when I first got the scanner. I'm always skeptical about getting stuff for free, but I imagine that Secunia uses the data to improve the accuracy of their business software.

    To return to the story topic... when possible, use Adobe alternatives (e.x. Sumatra instead of Adobe Reader) and check your flash player and shockwave player versions at least once a week.

    Firefox Users can use Mozilla's plugin check [mozilla.com].

    One more thing in my diatribe...recent versions of the Shockwave Player don't update correctly. I installed the latest version to fix a couple critical vulnerabilities only to find out that it wouldn't reomve the vulnerable files from my system directory. I had to download the Shockwave uninstaller, reboot my PC, reinstall shockwave, and reboot again. I felt like I was back on Windows 9x again.
    • Re: (Score:3, Informative)

      by fishbulb- (81857)

      I opened the Advanced interface of Secunia PSI, the program overview says:
      'Cannot display graph, as Adobe Flash Player does not appear to be installed in Internet Explorer on your computer...' then provides a link to install it.

      I feel betrayed.

      • by Coopjust (872796)
        I wasn't even aware that the PSI used the Trident rendering engine. I thought for sure they'd use Gecko or WebKit.
        The more you know, I suppose.
        The tool works very well though- it warns me about having insecure versions of GTK, for instance.
      • by Sporkinum (655143)

        That irritated the hell out me too! Especially since flash is a pain in the ass to update. You may install a new one, but old cruft is left behind that can be difficult to remove sometimes. Other than the flash issue, Secunia PSI is excellent.

    • by sleeper0 (319432)
      Thanks for the secunia pointer, seems like just the type of thing I've been wanting.
  • by asdf7890 (1518587) on Wednesday February 17, 2010 @11:12AM (#31169386)

    In the attacker arena, they might be thinking, 'Gee, all these reports of Adobe Reader zero-days, maybe I should get in on them too.

    It isn't that. It is the fact that some of the holes took so long to have patches released, so people who don't read techie news (so didn't know to turn Javascript off in the case of those holes in that area) we vulnerable for some time even once the flaw was "publicly" known. This gave crackers time to throw together a "me too!" exploit for the same bug, and encouraged them to keep looking at the platform (if a hole, once found, stays open for some time then the effort is more worth it than looking for a hole on a platform where security patches are released in a more timely fashion).

    The other advantage of attacking Adobe's PDF reader is, as with Flash and other cross-browser plug-ins, one of target audience size. A successful attack may affect users of multiple browsers rather than, for example, just those who run a particular version of IE.

  • Not just Adobe (Score:4, Interesting)

    by bjackson1 (953136) on Wednesday February 17, 2010 @11:21AM (#31169550)

    I just got a trojan yesterday through a PDF, while using Foxit and running Windows 7 x64 in Firefox. I didn't think anything of allowing a website to execute a PDF file (I was not aware at the time that you could execute code through a PDF).

    The trojan downloaded quite a bit of malware onto my system that I spent last night cleaning from the registry. This is the first time I've gotten malware on my computer in years.

    • by Inda (580031)
      I'm not calling you a shill, Mr bjackson1, but we all know they lurk on Slashdot.

      Can anyone else confirm that Foxit has known security problems?
      • Can anyone else confirm that Foxit has known security problems?

        Sadly, yes [coresecurity.com]. Foxit isn't happy with just doing basic rendering on PDF's, but wants to be a more completely alternative to Adobe's Reader. This includes things like running PDF's scripting, and makes it harder to implement securely.

        I'm not saying a secure, full-featured PDF reader can't be made, so much as that you're a lot safer using a program that only does the basic rendering. Foxit doesn't fit the bill. It's also closed source >.>

        • by Inda (580031)
          Cheers. I didn't even know it handled JS before checking at home. JS is now off. Time to look for another reader.
    • by caluml (551744)

      running Windows 7 x64 in Firefox

      Wow, that's quite impressive! What OS was Firefox running on? Bonus points if it was Linux or Mac.

  • First flash is blamed for most application crashes on the Mac. Now PDFs are the number one vector for malicious code in Q4 '09. Hard month for Adobe?
  • by JakFrost (139885) on Wednesday February 17, 2010 @11:28AM (#31169676)

    I have noticed that while web browsing and even when using the currently latest Mozilla Firefox 3.5.7 or 3.6 with Ad-Block Plus and PDF Download add-ons installed I still would get hit with a web page that would automatically push a Adobe Reader PDF file to me and I would have it open automatically. That PDF would be just a page full of random words but when inspected in Adobe Acrobat in depth when you go into the Advanced \ Document Processing \ Edit All JavaScript... menu you immediately see a script inside the PDF that is launched upon opening that PDF. When I analyzed the script I saw calls strange calls to the execution functions and methods along with calls to write out encoded data from an array holding hexadecimal values to files.

    With the known exploits in Adobe Reader 9.0 versions and earlier it was easy for me to see why this product was used as a popular attack vector in the last few months for viruses to spread on the Internet.

    Luckily, I use my computer as an ordinary user and use Run As with User Account Control requesting a password for any administrative work and program installation I avoided being infected with these Trojan horse PDFs.

    Some of you might recommend using the Mozilla No Script add-in to block all scripts but the reality is that there is so much JavaScript code out there on the web that turning scripting off makes many web sites unusable since they've all be designed with this reliance on scripting for navigation.

    • Re: (Score:2, Informative)

      by maxume (22995)

      Uncheck "Preferences->Internet->Display in browser" and Acrobat will prompt you to save those files rather than automatically loading them (this will probably also render your downloading extension redundant).

    • Some of you might recommend using the Mozilla No Script add-in to block all scripts but the reality is that there is so much JavaScript code out there on the web that turning scripting off makes many web sites unusable since they've all be designed with this reliance on scripting for navigation.

      If I wanted to disable Javascript entirely, I'd do it in the browser preferences or options or whatever that is. The advantage of NoScript is that it does it selectively. Most sites I go to I've just activated pe

  • by bradley13 (1118935) on Wednesday February 17, 2010 @12:26PM (#31170694) Homepage

    As another poster pointed out: including scripting capabilities in "static" documents is just dumb. We've already been through this a few years ago, with people sending around Microsoft Office documents.

    Microsoft "fixed" this, in the sense that Office now warns you if a document contains scripting. Better, of course, is that many people have learned not to send or accept such documents in the first place. This was part of what made PDFs popular: a format to send documents that (a) cannot easily be changed and (b) is not a security risk. Millions of business documents are sent as PDFs just for these reasons.

    How stupid must Adobe be, to open themselves to this kind of attack. There should be no scripting in PDF documents. Alternatively - second best - scriptiing should be disabled by default, unless the user specifically authorizes it (as with Microsoft Office documents).

    Bad Adobe, no donut.

  • They target Adobe's PDF reader because it is extremely widespread, most users don't even realise PDF is a standard and that other readers exist... They think it's a proprietary format only supported by a single program.
    As a consequence, virtually every potential victim will be running exactly the same code, or a small subset of possible versions making them a very easy target.
    Also Adobe's software hasn't been attacked much before, and therefore is likely to have many more undiscovered bugs.

    This is also the

  • we can no longer wait while this threat emerges, it is time for us all to purchase ScanSafe(c) and renew contracts regularly and indefinitely to their fullest. may there be no further discussion of alternative readers, operating systems, or patches and repairs that could be made. This report clearly outlines the repercussions of using the PDF format in that it is an unholy vessel by which godless demons infest your small business and personal computer to rape the data within. Only through the glory of Sc
  • Acrobat is cross-platform, but this only affects Windows users in practice - because Mac users use Preview, and Unix users use something Xpdf/GhostScript-derived.

    Solution: FoxitPro. Now.

  • by Animats (122034) on Wednesday February 17, 2010 @02:25PM (#31173122) Homepage

    I've been using Sumatra PDF for the last year. It's rather clunky and uses too much memory on long documents, but it's adequate for most viewing.

    Its renderer is rather slow, though. And when you zoom, it renders the document first zoomed in X, then, seconds later, in Y as well. That's just stupid.

  • Exactly why hackers choose Adobe as their prime target is tougher to divine, however.

    Adobe Reader and Adobe Flash have as close to a 100% share of the desktop as makes no difference. The geek's dislike of these programs has had no more effect on their use than the phases of the moon or the rising and setting of the sun.

    The Complete National Geographic [amazon.com] on DVD was a runaway software best-seller during the Christmas shopping season. Adobe AIR powered, of course

    The Flash 10 Beta Player [for Windows] delivers

Whenever a system becomes completely defined, some damn fool discovers something which either abolishes the system or expands it beyond recognition.

Working...