
No JavaScript Needed For New Adobe Exploits

Posted by CmdrTaco
from the this-will-end-badly dept.
bl8n8r writes "More woes for Adobe as a security firm creates a proof-of-concept attack that injects malicious code as part of the update process. The user only needs to click a dialog box to execute the code and no JavaScript is needed to launch the exploit. The exploit affects Foxit as well as Adobe Acrobat software. This exploit is made possible through the host software allowing execution of system binaries. Not clear if it's multi-platform, but seems plausible."
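The mechanism behind the story is the PDF /Launch action: an action dictionary with /S /Launch names a program (/F) and optional parameters (/P), and a conforming reader offers to run it, no JavaScript involved. The defender's first move is to find such actions in inbound documents before a user ever sees the dialog. The scanner below is an added example written for this page, not code from the story, from Didier Stevens, or from any reader vendor. It embeds a constructed minimal PDF (labelled as such) whose open action is a Launch action written with a `#xx` name escape, which is the kind of trivial obfuscation a naive `grep /Launch` misses:

```python
import re

# Constructed sample, not a file from the page: a minimal PDF whose
# /OpenAction is a Launch action. The action name is written with a #xx
# escape (/L#61unch == /Launch) to show why a scanner must normalize names.
# Program and arguments are placeholders, not anything that exists.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /L#61unch /F (PLACEHOLDER-program) /P (PLACEHOLDER-arguments) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A PDF name token: '/' followed by regular characters or #xx hex escapes.
NAME_RE = re.compile(rb"/((?:[^\s/\[\]<>()%]|#[0-9A-Fa-f]{2})+)")
# Indirect objects: "<num> <gen> obj ... endobj" (non-greedy, spans newlines).
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
# After normalization a Launch action is the pair "/S /Launch"; the lookahead
# stops a longer name such as /Launchable from matching.
LAUNCH_RE = re.compile(rb"/S\s*/Launch(?![^\s/\[\]<>()%])")
STRING_AFTER = rb"\s*\(([^)]*)\)"   # a literal string operand: (...)


def decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes inside a name token, e.g. b'L#61unch' -> b'Launch'."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def normalize_names(body: bytes) -> bytes:
    """Rewrite every name token in an object body with its escapes resolved."""
    return NAME_RE.sub(lambda m: b"/" + decode_name(m.group(1)), body)


def find_launch_actions(pdf: bytes) -> list[dict]:
    """Return one finding per indirect object that is a /Launch action."""
    findings = []
    for m in OBJ_RE.finditer(pdf):
        number, body = int(m.group(1)), m.group(3)
        normalized = normalize_names(body)
        if not LAUNCH_RE.search(normalized):
            continue
        # /F and /P may sit in a nested file-specification dict; searching the
        # whole object body covers both the flat and the nested form.
        target = re.search(rb"/F" + STRING_AFTER, normalized)
        params = re.search(rb"/P" + STRING_AFTER, normalized)
        findings.append({
            "object": number,
            "obfuscated_name": normalized != body,
            "file": target.group(1).decode("latin-1") if target else None,
            "params": params.group(1).decode("latin-1") if params else None,
        })
    return findings


def triage(pdf: bytes) -> str:
    """One-line verdict a mail gateway or analyst could act on."""
    hits = find_launch_actions(pdf)
    if not hits:
        return "no /Launch action found (objects inside compressed streams not inspected)"
    return "; ".join(
        f"object {h['object']}: /Launch -> {h['file']!r}"
        + (" (escaped name)" if h["obfuscated_name"] else "")
        for h in hits)


if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```

This is regex-level triage of the kind pdfid-style tools do: it sees only objects stored in clear text, so a /Launch action packed into a compressed object stream needs a full parser that inflates streams first, and the verdict line says so rather than reporting a clean bill of health. At the reader itself the mitigation is the one the thread converges on: a viewer that refuses Launch actions outright, or a policy that disables them, rather than a warning dialog whose wording the document partly controls.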
  • by sopssa (1498795) * <sopssa@email.com> on Tuesday April 06, 2010 @11:52AM (#31749036) Journal

    Since it's part of the PDF specs, it should work in Linux too. What's even worse than with Windows is that since 'rm' is just a normal binary the PDF can launch that, and if you run with root privileges, just issue a command like "rm -rf /". If you don't run as root, then for example Ubuntu should give you the sudo box to input your password into. This of course being just one of the examples it could do. Remember that most malware doesn't even need root access to function.

    Another reason why it would be even more serious on Linux is the way you can pipe commands and how most systems come pre-packaged with a ton of little utility apps. You can create the whole malware with a series of commands, or wget a bash script from the internet and start that to hide even more malware in the system. Since most Linux systems don't even have the kind of application firewalls or antiviruses that Windows does, and because the Internet access is actually done via wget, they don't even get any kind of a "Give internet access to this application?" dialog.

    It also doesn't help at all that most Linux users (especially those who are told so by the geeks!) believe that Linux cannot get malware. In my opinion this is a really stupid thing to do from those promoting Linux or Mac OS X as it will just lead to a false sense of security.

    • Re: (Score:3, Interesting)

      by headkase (533448)
      Runs with the same privileges as the parent program. So it can kill my home folder, not "rm -rf /" And like every other security hole found so far it will be written out. Considering they all get written out the fair comparison would be comparing number and severity of vulnerabilities by platform. If it can't boot after a vulnerability is exploited or you can't remove it within 30 minutes then have it count doubly so.
      • by sopssa (1498795) * <sopssa@email.com> on Tuesday April 06, 2010 @12:03PM (#31749222) Journal

        If it can't boot after a vulnerability is exploited or you can't remove it within 30 minutes then have it count doubly so.

        The days when malware's purpose was to trash the system to an unbootable state have been over for 15 years. Nowadays you don't really even notice them being on your machine unless it's one of those which show fake virus alerts. How would you notice if it just starts sending spam or sniffing your passwords?

        Another point is that you can fairly easily hide in a Linux system. If you absolutely need root access, there have been serious privilege escalation exploits over the years. Most of the Linux systems aren't even necessarily being patched consistently. I've seen one of these privilege exploits used on many hosting companies that usually keep their systems up to date and secure too. That's beside the point that it's not usual that you even need root access.

        • by headkase (533448) on Tuesday April 06, 2010 @12:11PM (#31749324)
          Linux is a lot different than running as root all the time on Windows. My security updates are pushed to me as they are fixed, not even pushing up to a month of vulnerability to patch unlike some systems meant to make corporate IT admins happy. All popular Linux distributions have an updating function: you get your security patches and patches to everything else in your repositories a lot more consistently than Windows. To deny this shows unfamiliarity with Linux. That's even before you get into functions like SELinux and AppArmor which happen to be standard on my flavor. For everyone. This is also an Adobe bug, and doesn't affect most Linux PDF readers as far as I'm aware and even if it did I'd have a lot more faith that the Linux ones would be rendered immune more globally than the hodgepodge of updating (or lack of) systems on Windows. You're pointing the finger at Linux and saying: "You're vulnerable too!" But in the practical real world it is a case of not.
          • Re: (Score:3, Insightful)

            by sopssa (1498795) *

            It's not an Adobe bug, it's a feature in the PDF specs that can be exploited with user stupidity. That's the point I've been trying to make, no OS unless it's completely locked down a la iPhone will protect you from user stupidity. Not Windows, not Linux, not BSD.

            Maybe Ubuntu pushes updates itself, but Debian, Fedora and CentOS don't. Not for me at least, and I haven't changed anything regarding that. If you want to update, you need to type in the yum update or apt-get update commands manually. And that's

            • by headkase (533448) on Tuesday April 06, 2010 @12:33PM (#31749694)
              KPDF (now Okular) [kde.org] has specifically forbidden this behavior forever because it is a security risk. I use Okular myself so I am not vulnerable to this issue. Since it has been known so long to be a security issue in Linux-land why has Adobe allowed it so long? XPDF also is not vulnerable to this issue and so on. So it appears to be a tempest in a tea-cup for Linux and just another day on Windows.
              • Re: (Score:2, Insightful)

                by sopssa (1498795) *

                Xpdf and Okular on Windows aren't vulnerable either.
                Adobe PDF Reader on Linux is vulnerable.

                This goes to show that it doesn't matter which the OS is, as it's mostly about software or user stupidity. Windows and Linux are on par in this, neither one is better than the other. There is SELinux for Linux which can mitigate the issue, but there are such tools and settings for Windows too. Not that any casual user will put up with those in either system.

                • by headkase (533448)
                  To say that Windows and Linux are on par for security borders on incredulous.
                  • Re: (Score:3, Insightful)

                    by Mister Whirly (964219)
                    To pretend that one OS is inherently superior in security over another also borders on incredulous. Anytime a specific OS is mentioned in a security discussion, that person has lost the discussion, and does not understand the entire concept of security. Security isn't software. Security isn't an operating system. Security is a set of practices and policies that apply to all software and operating systems regardless of what specific type they are.
                    • by vegiVamp (518171)
                      I fully agree, and had I modpoints I'd simply add a +1 insightful to your score.

                      Since I haven't, though, I'd like to point out that while it is true that you can't simply equate security with a piece of software, you *can* compare how well two teams of developers (try to) adhere to those practices and policies.

                      I have a feeling that Linus and the people who verify kernel patches have a better track record in that than the people at Microsoft who decide that a given feature WILL BE in the next release, regard
                • by chrb (1083577)

                  Adobe PDF Reader on Linux is vulnerable.

                  I never understood why people bothered with Acrobat Reader on Linux - KPDF/Okular has been smaller, faster and nicer looking for years, and it integrates better with the KDE desktop. I'd imagine the same is true of whatever Gnome uses?

              • "We kpdf developers want to add it, but kde core developers won't allow it.

                [...]

                So unless you can convince the non believers you are not going to get that feature, sorry :-/"

                Good quote from the discussion. That's how (many) people view disabling features for security reasons. The developers get to be called "non believers". How do you tell these users how bad the feature they want is? And these are geeks posting bugs, and developers, not average Joes. The average Joe might even refuse to use the more secure

            • by Kitkoan (1719118)

              no OS unless it's completely locked down a la iPhone will protect you from user stupidity.

              It's not always user stupidity, just how the system is designed. Even a closed system like the iPhone [sophos.com] can be hacked by a third party without access to the computer itself. This exploit affected all smartphones, granted only iPhones didn't get patched against it until 48 hours after the information about it went public. But it showed that it was possible, even given its locked-down nature.

            • That's the point I've been trying to made, no OS unless it's completely locked down a la iPhone will protect you from user stupidity. Not Windows, not Linux, not BSD.

              That's not the point you were trying to make in your OP. The point you were trying to make in your OP was that the exploit is worse in Linux than in Windows. I quote:

              Since it's part of the PDF specs, it should work in Linux too. What's even worse than with Windows is that...

              Another reason why it would be even more serious on Linux is the

          • Re: (Score:2, Insightful)

            You don't run as administrator in Windows anymore, either. Security updates are likewise pushed in windows. Windows has an updating function. Your statements all show unfamiliarity with Windows.

            This is not an Adobe bug, this is a vulnerability in the PDF spec. Readers not from Adobe have already been shown to be vulnerable.

            Linux is not immune, despite your specious claims.

            • by daveime (1253762)

              Why would any document markup language have an executable function at all?

              And why, if this really is "part of the PDF spec", has every single PDF reader implemented this crazy functionality?

              One time where "following standards" has fucked us all up I guess.

              • by afidel (530433)
                I'll give you a real world example of how this functionality is used. We used Adobe standard to export email from our Lotus Notes email system so that any legal records can be imported into our content management system, these archives are a complete copy of the email records including metadata and attachments stored within a PDF file. Clicking on an attachment in the archive opens the system default viewer for that file type. Turning this feature off would significantly reduce the functionality and user fr
            • by thsths (31372)

              > You don't run as administrator in Windows anymore, either.

              And how many software packages still work then? Even Firefox had serious trouble with the update function under non-admin accounts until very recently.

              > Security updates are likewise pushed in windows.

              Pulled, to be precise. Via an Active-X plugin, yuck.

              > Windows has an updating function.

              No, it does not. The update "function" is a web site that sets off 3 security warnings in IE8.

              > Your statements all show unfamiliarity with Windows.

              Ditto

          • Puppy Linux runs as root, so it would be vulnerable.

            >>>doesn't affect most Linux PDF readers as far as I'm aware

            Good point.

          • Linux is a lot different than running as root all the time on Windows.

            Let's say that there are no exploits to get root access on a Linux system. What can malware do with limited user account?

            rm -rf /home/user - would work, but useless
            sending spam - you don't need root access to send mail, do you?
            participating in a botnet - you don't need root access to open a port and give shell to whoever is connecting.
            searching user files for valuable information - would work

            I don't know if a keylogger would work without root access.

            So, a trojan (malware pretending to be a legitimate app) o

        • by gmuslera (3436)
          Usually you don't use those linux servers on hosting companies as desktops where you run acrobat reader. And desktops/notebooks/etc are usually more frequently updated (both as using new distributions or with patches available in the case you prefer to stick with a non latest version).

          But anyway, you don't need root access to do most of what botnets/spambots do; plain user access is bad enough. And targeted attacks could access most of what the user does without needing to go root either.
    • by caffeinemessiah (918089) on Tuesday April 06, 2010 @12:03PM (#31749220) Journal
      Maybe you should actually, you know,...use Linux before you attempt to troll about security.

      What's even worse than with Windows is that since 'rm' is just a normal binary the PDF can launch that, and if you run as root privileges, just issue a command like "rm -rf /". If you don't run as root, then for example Ubuntu should give you the sudo box to input password to. This of course being just one of the examples it could do. Remember that most malware doesn't even need root access to function.

      Nobody uses the root account in Linux for everyday activity. In Ubuntu, root login is even disabled by default (you have to sudo). So no worries about the system in general. Although it's pretty devastating to issue a "rm -rf ~" to delete the user's home directory, it's on par with Windows. Then you say that most malware doesn't even need root access to function, but on all the millions of XP boxes out there, it's already given root access by default.

      Another reason why it would be even more serious on Linux is the way you can pipe commands and how most systems come pre-packaged with a ton of little utility apps. You can create the whole malware with a series of commands, or wget a bash script from the internet and start that to hide even more malware in the system.

      Windows has a pipe function too, in addition to being able to zoink your whole file system with a simple "del". It also comes with ftp and telnet, which are handy replacements for wget. In short telnet+response file = download an .exe from the web = any sort of functionality you might want using Unix command line tools.

      Your comment, sir, is vapid.

      • by Voulnet (1630793)
        No one is saying Linux is about as secure as XP, but the OP is saying that because of the spreading culture among many Linux users that there is no way they can get malware, this type of attack might easily fly under the radar. No need to compare to XP because we all know it's not a fair comparison!
      • In short telnet+response file = download an .exe from the web = any sort of functionality you might want using Unix command line tools.

        This is a minor point, as there are plenty of other malicious things you can do with a command line, but the built-in Windows telnet client doesn't support response files.

      • I'm not sure how he thinks rm is a normal binary but rmdir.exe isn't...
      • Nobody uses the root account in Linux for everyday activity.

        Really? More than you think...

        So no worries about the system in general.

        Dangerous assumptions continue...

      • I really don't care about the rest of your comment (one way or t'other), but "Your comment, sir, is vapid" ought to earn you a few thousand mod-ups. Thank you.

      • Nobody uses the root account in Linux for everyday activity. In Ubuntu, root login is even disabled by default (you have to sudo). So no worries about the system in general.

        There is actually one way in which this can potentially be more harmful in Linux than in Windows, although GP missed that one (for all the invented stuff that he came up with). The problem is that sudo caches your credentials for a certain period of time (5 minutes by default, IIRC) after you use it for a given user account. So, if you use sudo to run something that needs it, and then exit that application, and then some malware does exec sudo shortly after, it will quietly get root.

        You can disable this by

      • by nuckfuts (690967)

        Windows... comes with ftp and telnet...

        Telnet is not available by default in Windows Vista and Windows 7, but can be enabled via "Control Panel" > "Programs and Features" > "Turn Windows features on or off".

      • Re: (Score:2, Informative)

        by thuerrsch (1442235)
        Well said. Also don't forget that Evince, the default pdf viewer in Gnome and in Ubuntu, is immune to this exploit, as confirmed by several comments on Didier Stevens' original announcement [didierstevens.com].

        So here we have another good reason not to use Acrobat Reader on Linux (or on anything else, for that matter), but also not to trust closed-source alternatives like Foxit. Evince is fast, efficient, easy to use, has all the necessary features, nothing more, nothing less. And hey, there's even a Windows version!
      • by Culture20 (968837)

        Nobody uses the root account in Linux for everyday activity. In Ubuntu, root login is even disabled by default (you have to sudo).

        And since sudo usually caches creds, you might still be vulnerable; or you will be when the sleep-loop malware script sees a sudo in ps and sudos right in itself.
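The credential-caching window that this comment and the earlier one about sudo's timestamp describe is a configuration property, so it can be audited. The script below is an added example written for this page, not part of any comment or of sudo itself. It parses constructed sudoers fragments (labelled as such; the real file is /etc/sudoers) and reports how long a later process running as the same user could reuse a cached credential. The 5-minute default is taken from the comment above and marked as an assumption, since sudo builds and distributions differ.

```python
import re
from typing import Optional

# Constructed sudoers fragments, not taken from the page. The first keeps the
# caching default; the second turns caching off so every sudo call prompts,
# with a constructed per-user override to show scope handling.
SUDOERS_CACHING = """\
# /etc/sudoers (constructed example)
Defaults env_reset
%admin ALL=(ALL) ALL
"""
SUDOERS_PROMPT_ALWAYS = """\
Defaults env_reset, timestamp_timeout=0
Defaults:deploy timestamp_timeout=-1   # constructed per-user override
%admin ALL=(ALL) ALL
"""

# Assumption: the comment above gives 5 minutes as sudo's default; builds vary.
DEFAULT_TIMEOUT_MINUTES = 5.0

_DEFAULTS_RE = re.compile(r"^Defaults(?::(\S+))?\s+(.*)$")
_TIMEOUT_RE = re.compile(r"^\s*timestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)\s*$")


def timestamp_timeout(sudoers: str, user: Optional[str] = None) -> float:
    """Effective timestamp_timeout (minutes) for `user`.

    Handles comma-separated option lists, later lines overriding earlier
    ones, and 'Defaults:user' entries that override the global value.
    0 means prompt every time; a negative value means the cached credential
    never expires (until `sudo -k`).
    """
    global_value, user_value = DEFAULT_TIMEOUT_MINUTES, None
    for raw in sudoers.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        m = _DEFAULTS_RE.match(line)
        if not m:
            continue
        scope, options = m.group(1), m.group(2)
        for option in options.split(","):
            t = _TIMEOUT_RE.match(option)
            if not t:
                continue
            value = float(t.group(1))
            if scope is None:
                global_value = value
            elif user is not None and scope == user:
                user_value = value
    return user_value if user_value is not None else global_value


def exposure(sudoers: str, user: Optional[str] = None) -> str:
    """Describe the window in which a later process could reuse the cached credential."""
    minutes = timestamp_timeout(sudoers, user)
    if minutes == 0:
        return "none: sudo prompts for a password every time"
    if minutes < 0:
        return "unbounded: credential stays cached until 'sudo -k'"
    return f"{minutes:g} minutes after the last sudo"


if __name__ == "__main__":
    for name, text in [("caching", SUDOERS_CACHING),
                       ("prompt-always", SUDOERS_PROMPT_ALWAYS)]:
        print(f"{name:13s} {exposure(text)}")
    print(f"{'deploy user':13s} {exposure(SUDOERS_PROMPT_ALWAYS, 'deploy')}")
```

Two things the parser deliberately does not model: sudo's per-terminal tickets (`tty_tickets`), which confine a cached credential to the terminal it was entered on and so narrow the window a background script has, and the habit that closes the window regardless of configuration, running `sudo -k` as soon as a privileged task is done.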

    • by Voulnet (1630793)
      So it's about time Linux users get down to earth and learn "It's not the system, it's the user" the hard way?
    • Since it's part of the PDF specs, it should work in Linux too. What's even worse than with Windows is that since 'rm' is just a normal binary the PDF can launch that, and if you run as root privileges, just issue a command like "rm -rf /".

      In Windows, the PDF can launch cmd.exe, passing it the commands to execute as parameters (with /c), so nothing changes.

      ... if you run as root privileges, just issue a command like "rm -rf /". If you don't run as root, then for example Ubuntu should give you the sudo box to input password to.

      Have you ever actually used Ubuntu?

      No, you won't get a sudo box if you run "rm -rf /" on an account which doesn't have permission. You'll get "permission denied", exactly the same as if you'd try "rmdir /s C:\Windows" from non-admin in Windows.

      There's no auto-elevation, neither in Windows nor in Unix. The program has to be explicitly coded to request the OS service (UAC or gksudo) to pop u

    • by jank1887 (815982)

      just curious, what version of PDF did this become default behavior? Sounds like it's time to roll PDF back a few versions. I can live without active PDF content and fillable forms that remember my previous text input.

    • by Kitkoan (1719118)

      Linux may be vulnerable too, if you're running the Linux version of Adobe Reader which you would have to go out and get on your own. Every version of Linux I have tried has an open source PDF reader that isn't Adobe's. As for the Firefox exploit, FTA it states that the Firefox must be running the addon Foxit and I'm not sure how common that is.

      Though I highly agree with you that Linux users shouldn't believe that Linux can't get malware. It's more unlikely of the 3 major OS's (Windows, OSX, Linux), but that d

    • Since most Linux systems dont even have the kind of application firewalls or antiviruses that Windows does, and because the Internet accessing is actually done via wget, they don't even get any kind of a "Give internet access to this application?" dialog.

      These things slow your computer down and make using applications annoying. They exist on Windows because of the massive problem of malware on Windows. They do not exist on Linux because in general, malware on Linux is not a problem. You can speculate as to why, but that's the way it is. Where real problems exist with Linux, like rootkits, solutions exist (e.g. chkrootkit). If viruses and such get to be a problem, solutions will appear. At the moment virus scanners and outgoing firewall prompts are no

    • by h4rr4r (612664)

      If you run a pdf reader app as root you deserve what you get.

    • Virus scanners and outgoing firewalls are a crummy way to handle these threats. Linux handles them in a better way [wikipedia.org]

  • Solution (Score:3, Interesting)

    by abigsmurf (919188) on Tuesday April 06, 2010 @11:59AM (#31749152)
    Have the dialogue control specify that you are potentially allowing the PDF to alter other documents (maliciously or otherwise).

    It's not exactly the first time a method of using social engineering to trick people has been part of a standard. Altering the status bar in JavaScript in order to aid phishing attacks was one.
    • Re:Solution (Score:5, Insightful)

      by Yvanhoe (564877) on Tuesday April 06, 2010 @12:23PM (#31749536) Journal

      The attack requires the user of the computer to allow the code to be executed by agreeing to it via a dialog box. However, the attacker could at least partially control the content of the dialog box that appears to prompt the user to launch the executable and thus use social engineering to entice the computer user to agree to execute the malware, said Conway.

      Solution: stop accepting that documents should execute binaries in order to display properly.

  • Dupe Dupe (Score:5, Informative)

    by Nerdfest (867930) on Tuesday April 06, 2010 @12:00PM (#31749160)
    I believe this exploit has already been patched in Foxit, assuming this is the same exploit described here on Slashdot 2 weeks ago. Strangely, I haven't seen an update from Adobe ...
  • As has already been pointed out, the worst this "exploit" can do is elevate to the same rights as the user. As anyone with a CS degree (or even any true IT experience) would know, these rights should be limited.

    Now, Microsoft has for DECADES pushed the paradigm of giving the user administrative rights. Sure, they are making some half-hearted attempts now to change this. But they created an environment of 3rd party software relying on this full rights model... and it is biting us all on the butt.

    So, as usual,

    • Re: (Score:3, Insightful)

      by sopssa (1498795) *

      Most malware doesn't need root/admin access. It's only needed if you want to pwn or hack the server. Malware on the other hand runs just happily in userland too.

    • by Abcd1234 (188840)

      As has already been pointed out, the worst this "exploit" can do is elevate to the same rights as the user.

      Yeah, and then you're just a local privilege exploit away from being fully owned.

      And this is ignoring the fact that malicious users can do plenty with a non-privileged account (here's hoping you don't store any sensitive information unencrypted in your home directory).

    • Now, Microsoft has for DECADES pushed the paradigm of giving the user administrative rights.

      Since you're apparently unaware of the fact, this paradigm was a de facto standard on all home desktop OSes in the 90s. MacOS was not any different, and even Unix-like OSes that were explicitly desktop-oriented used root by default (e.g. BeOS).

  • Google Docs (Score:2, Interesting)

    by areusche (1297613)
    Screw Adobe and other client side PDF readers. Am I vulnerable if I use Google's PDF viewer to view PDFs?
  • A little better than the crummy cnet write-up. http://blog.didierstevens.com/ [didierstevens.com]
  • Presumably xpdf's "pdftotext" isn't vulnerable?

  • "More woes for Adobe *as security firm* creates proof-of-concept attack that injects"

    "As security firm"? Who does the article mean, Jeremy Conway of NitroSecurity, or Didier Stevens, working for Contraste Europe? Also, it would've been nice if the article linked to an article Jeremy wrote titled "Implications of Recent PDF /Launch Hacks", this article can be found here: http://siemblog.com/2010/04/implications-of-recent-pdf-launch-hacks/ [siemblog.com]

  • Dupe (Score:5, Informative)

    by MobyDisk (75490) on Tuesday April 06, 2010 @12:17PM (#31749442) Homepage
  • by guanxi (216397) on Tuesday April 06, 2010 @01:01PM (#31750102)

    Would switching to a non-Adobe PDF viewer make you safer? I understand this exploit affects Foxit, but there are many other exploits and PDF viewers (MacOS X's Preview, Ghostview/GSView, CutePDF, Nitro, etc.).

    Usually the headline says the exploits are in Acrobat; and given Adobe's much larger installed base, they are a much more likely target; but perhaps the exploits are really in PDFs (or JavaScript) in general.

    • Actually in this case - foxit just runs the exe without displaying the "do you really want to open this" warning Reader gives you.

  • by Skuld-Chan (302449) on Tuesday April 06, 2010 @01:19PM (#31750386)

    This feature is in the PDF specification, and in fact in the YouTube video you'll notice that the trust manager warning is pretty severe, "only do this if you trust the PDF" sort of thing.

    To me it's akin to downloading an EXE from a website with a browser and clicking the open button...

    • by Yvan256 (722131)

      Why does a document format need to have the ability to launch external executable files in the first place?
