No JavaScript Needed For New Adobe Exploits

bl8n8r writes "More woes for Adobe as a security firm creates a proof-of-concept attack that injects malicious code as part of the update process. The user only needs to click a dialog box to execute the code and no JavaScript is needed to launch the exploit. The exploit affects Foxit as well as Adobe Acrobat software. This exploit is made possible through the host software allowing execution of system binaries. Not clear if it's multi-platform, but seems plausible."
  • by sopssa ( 1498795 ) * <sopssa@email.com> on Tuesday April 06, 2010 @11:52AM (#31749036) Journal

    Since it's part of the PDF specs, it should work in Linux too. What's even worse than with Windows is that since 'rm' is just a normal binary the PDF can launch that, and if you run with root privileges, just issue a command like "rm -rf /". If you don't run as root, then for example Ubuntu should give you the sudo box to input your password into. This of course being just one of the examples it could do. Remember that most malware doesn't even need root access to function.

    Another reason why it would be even more serious on Linux is the way you can pipe commands and how most systems come pre-packaged with a ton of little utility apps. You can create the whole malware with a series of commands, or wget a bash script from the internet and start that to hide even more malware in the system. Since most Linux systems don't even have the kind of application firewalls or antiviruses that Windows does, and because the Internet accessing is actually done via wget, they don't even get any kind of a "Give internet access to this application?" dialog.

    It also doesn't help at all that most Linux users (especially those who are told so by the geeks!) believe that Linux cannot get malware. In my opinion this is a really stupid thing to do from those promoting Linux or Mac OS X as it will just lead to a false sense of security.

  • Dupe Dupe (Score:5, Informative)

    by Nerdfest ( 867930 ) on Tuesday April 06, 2010 @12:00PM (#31749160)
    I believe this exploit has already been patched in Foxit, assuming this is the same exploit described here on Slashdot 2 weeks ago. Strangely, I haven't seen an update from Adobe ...
  • by abigsmurf ( 919188 ) on Tuesday April 06, 2010 @12:00PM (#31749172)
    You clearly didn't read the article or even the summary. This exploit affects Foxit too. It's an exploit of the PDF standard itself.
  • by caffeinemessiah ( 918089 ) on Tuesday April 06, 2010 @12:03PM (#31749220) Journal
    Maybe you should actually, you know... use Linux before you attempt to troll about security.

    What's even worse than with Windows is that since 'rm' is just a normal binary the PDF can launch that, and if you run with root privileges, just issue a command like "rm -rf /". If you don't run as root, then for example Ubuntu should give you the sudo box to input your password into. This of course being just one of the examples it could do. Remember that most malware doesn't even need root access to function.

    Nobody uses the root account in Linux for everyday activity. In Ubuntu, root login is even disabled by default (you have to sudo). So no worries about the system in general. Although it's pretty devastating to issue a "rm -rf ~" to delete the user's home directory, it's on par with Windows. Then you say that most malware doesn't even need root access to function, but on all the millions of XP boxes out there, it's already given root access by default.

    Another reason why it would be even more serious on Linux is the way you can pipe commands and how most systems come pre-packaged with a ton of little utility apps. You can create the whole malware with a series of commands, or wget a bash script from the internet and start that to hide even more malware in the system.

    Windows has a pipe function too, in addition to being able to zoink your whole file system with a simple "del". It also comes with ftp and telnet, which are handy replacements for wget. In short telnet+response file = download an .exe from the web = any sort of functionality you might want using Unix command line tools.

    Your comment, sir, is vapid.

  • by sopssa ( 1498795 ) * <sopssa@email.com> on Tuesday April 06, 2010 @12:03PM (#31749222) Journal

    If it can't boot after a vulnerability is exploited or you can't remove it within 30 minutes then have it count doubly so.

    The days when malware's purpose was to trash the system to an unbootable state have been over for 15 years. Nowadays you don't really even notice them being on your machine unless it's one of those which show fake virus alerts. How would you notice if it just starts sending spam or sniffing your passwords?

    Another point is that you can fairly easily hide in a Linux system. If you absolutely need root access, there have been serious privilege escalation exploits over the years. Most of the Linux systems aren't even necessarily being patched consistently. I've seen one of these privilege exploits used on many hosting companies that usually keep their systems up to date and secure too. That's beside the point that it's not usual that you even need root access.

  • Re:Dupe Dupe (Score:3, Informative)

    by sopssa ( 1498795 ) * <sopssa@email.com> on Tuesday April 06, 2010 @12:12PM (#31749338) Journal

    Yes, Foxit patched it last week. It uses the same technique so the Foxit patch should work, but this new "exploit" just takes it a bit further in that the malware can be embedded in the PDF file.

  • Dupe (Score:5, Informative)

    by MobyDisk ( 75490 ) on Tuesday April 06, 2010 @12:17PM (#31749442) Homepage
  • by headkase ( 533448 ) on Tuesday April 06, 2010 @12:33PM (#31749694)
    KPDF (now Okular) [kde.org] has specifically forbidden this behavior forever because it is a security risk. I use Okular myself so I am not vulnerable to this issue. Since it has been known so long to be a security issue in Linux-land why has Adobe allowed it so long? XPDF also is not vulnerable to this issue and so on. So it appears to be a tempest in a tea-cup for Linux and just another day on Windows.
  • Re:Dupe Dupe (Score:5, Informative)

    by phayes ( 202222 ) on Tuesday April 06, 2010 @12:43PM (#31749850) Homepage

    Yes, foxit has patched the vuln: http://forums.foxitsoftware.com//showthread.php?t=18044 [foxitsoftware.com]

  • Try running most Windows XP software and see what happens.

    I keep hearing this repeated ad infinitum. Since Win XP SP2, most software got adapted so it could run as Limited user. Even game developers got the message. The Sims 2 initially came out as "Admin only". That was patched within months when people complained.

    Anyway, even for non-behaving software, it is usually a matter of setting User-Write-Permissions on the folder of the misbehaving application. If that doesn't help, set User-Write-Permission to the subkey the application created in HKEY_LOCAL_MACHINE. Fixes 99% of the applications. If anyone bothered, this could be automated with a script or an application that has a database with known misbehaving applications and the necessary fixes. If people can make something like "the PC Decrapifier", this should be feasible too.

    Anyone with a remote clue can run Windows XP entirely as Limited User (for day to day operations, of course).

    Only slightly related: this is why removing the Security tab in the Home Version of XP was a bad idea. I know there was a way to install it again, but I never found it again.

  • by Skuld-Chan ( 302449 ) on Tuesday April 06, 2010 @01:19PM (#31750386)

    This feature is in the PDF specification, and in fact in the YouTube video you'll notice that the trust manager warning is pretty severe, "only do this if you trust the PDF" sort of thing.

    To me it's akin to downloading an EXE from a website with a browser and clicking the open button...
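    The feature the comments above refer to is the PDF spec's /Launch action, and a file carrying one can be flagged before anyone sees the viewer's dialog. The scanner below is an added example, not code from the article, Slashdot or any commenter: it reports every /Launch action in a PDF, folds hex-escaped names and inflates Flate streams so trivial encoding does not hide the action, and notes whether the catalog's /OpenAction would fire it on open. The sample PDF is constructed, with placeholder target names rather than any real command.

```python
import re
import zlib

# Constructed sample (not a real exploit file): a minimal PDF whose catalog
# /OpenAction points at a /Launch action. The action name is hex-escaped
# (/#4Caunch) to show that the scanner normalizes names; the target is a
# placeholder, not a real program.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Type /Action /S /#4Caunch /F (placeholder.exe)
   /Win << /F (placeholder.exe) /P (placeholder-args) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign sample: same skeleton, no actions at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

def normalize_names(data: bytes) -> bytes:
    """Fold PDF name hex escapes (/#4Caunch -> /Launch) so encoding can't hide them."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def chunks(data: bytes):
    """Yield (object number, body) for each top-level object, then (None, content)
    for every stream that inflates with zlib, so object streams are scanned too."""
    for m in re.finditer(rb"(\d+)\s+\d+\s+obj(.*?)endobj", data, re.S):
        yield int(m.group(1)), m.group(2)
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            yield None, zlib.decompress(m.group(1))
        except zlib.error:
            pass  # not Flate-compressed (or damaged); nothing to inflate

def find_launch_actions(data: bytes) -> list:
    """Return one record per chunk holding a /Launch action: object number,
    the /F file targets and any /P parameter strings found alongside it."""
    findings = []
    for obj, body in chunks(data):
        body = normalize_names(body)
        if not re.search(rb"/S\s*/Launch\b", body):
            continue
        targets = {t.decode("latin-1") for t in re.findall(rb"/F\s*\(([^)]*)\)", body)}
        params = [p.decode("latin-1") for p in re.findall(rb"/P\s*\(([^)]*)\)", body)]
        findings.append({"obj": obj, "targets": sorted(targets), "params": params})
    return findings

def assess(data: bytes) -> str:
    """'clean', 'launch-action', or 'launch-on-open' when an /OpenAction entry
    means the action fires as soon as the document is opened."""
    if not find_launch_actions(data):
        return "clean"
    auto = re.search(rb"/OpenAction\b", normalize_names(data))
    return "launch-on-open" if auto else "launch-action"
```

    The regex approach deliberately ignores the PDF object graph, so it errs toward flagging: a /Launch action that is present but unreachable still shows up, which is the right bias for a mail gateway or download check.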

  • by Anonymous Coward on Tuesday April 06, 2010 @02:01PM (#31751204)

    You clearly didn't read the last week's Slashdot article [slashdot.org]. This exploit is already fixed in Foxit. [foxitsoftware.com]

  • by thuerrsch ( 1442235 ) on Tuesday April 06, 2010 @04:16PM (#31753310)
    Well said. Also don't forget that Evince, the default pdf viewer in Gnome and in Ubuntu, is immune to this exploit, as confirmed by several comments on Didier Stevens' original announcement [didierstevens.com].

    So here we have another good reason not to use Acrobat Reader on Linux (or on anything else, for that matter), but also not to trust closed-source alternatives like Foxit. Evince is fast, efficient, easy to use, has all the necessary features, nothing more, nothing less. And hey, there's even a Windows version!
