Forgot your password?
typodupeerror
Security IT

Foxit One-Ups Adobe In Blocking PDF Attack Tactics 112

Posted by kdawson
from the can't-fox-us dept.
CWmike writes "Foxit Software, the developer of a rival PDF viewer to Adobe's vulnerability-plagued Reader, released an update on Tuesday that blocks some attacks with a 'safe mode' that's switched on by default. Foxit Reader 3.3 for Windows' 'Trust Manager' blocks all external commands that may be tucked into a PDF document. 'The Foxit Reader 3.3 enables users to allow or deny unauthorized actions and data transmission, including URL connection, attachment PDF actions, and JavaScript functions,' the update's accompanying text explains. Last week, several security companies warned of a major malware campaign that tried to dupe users into opening rigged PDFs that exploited an unpatched design flaw in the PDF format, one attackers could use to infect users of Adobe's and Foxit's software. That flaw in the PDF specification's '/Launch' function was disclosed in late March by Belgium security researcher Didier Stevens, who demonstrated how he could abuse the feature to run malware embedded in a PDF document. He also reported he had figured out how to change Adobe Reader's warning to enhance the scam."
This discussion has been archived. No new comments can be posted.

Foxit One-Ups Adobe In Blocking PDF Attack Tactics

Comments Filter:
  • by WrongSizeGlass (838941) on Tuesday May 04, 2010 @05:42PM (#32091968)
    ... then surely Adobe can do it. It's probably because Foxit is bigger and able to reassign resources better than Adobe ... oh wait ... how did Foxit beat Adobe on this fix?
    • by PPalmgren (1009823) on Tuesday May 04, 2010 @05:44PM (#32091988)

      Foxit has something to gain from this. For a long time, Adobe only had money to lose by spending anything on their dominant reader that you *had* to use. It appears they haven't lost that mindset.

      • Re: (Score:3, Interesting)

        by lpq (583377)

        Adobe has the mindset of a monopolist. In their markets they often are. There support is shoddy to non-existent and their innovation is down. A few years back to cement their position with their graphics tools as dominant (Photoshop et. al), they started requiring those wishing to develop plug-ins to adopt exclusive licensing with Adobe, where adobe could halt sales of their plug-in with any other competing product, if it was determined that it out-performed adobe's product. Most plugin developers don't

        • by RockDoctor (15477)

          Adobe has the mindset of a monopolist.

          Yeah, terrible that - Big Nasty Corporation Adobe stealing the free and open source work of some tiny little printing company, then claiming that it was all their own work and never allowing anyone else to even breath the initials of the product without paying their fist born child as a licensing fee.
          Someone has forgotten what happened in the 1980s.

    • how did Foxit beat Adobe on this fix

      They didn't have to test it against 25+ different languages and 30+ different platforms (yes you read that right - if you think about every single version of Windows (server versions both x86/x64), Mac OS/X Linux and Solaris).

      • by Hurricane78 (562437) <deleted@slashd o t .org> on Tuesday May 04, 2010 @08:16PM (#32093096)

        But since the average amount of registry entries is around 100,000 and the average amount of files is around what, 50,000? (Not even counting different versions and different configuration file entries), wouldn’t that mean

        230 * 100,000 * 50,000 = 150 trillion "different platforms" or 25 * 150 trillion = 3,75 quadrillion different configurations? ;)

        Or is it just, that when you make not really different setups count (like languages, which are not part of the code to test in such multilingual apps, or not actually different versions of Windows or Linux), that you can come up with whatever insane number you want? ;)

      • Re: (Score:2, Interesting)

        by RealGrouchy (943109)

        Indeed, one of my mac users was sent a PDF that had been marked up with Foxit by a volunteer. The markup only shows in Foxit reader, which is only available on Windows. A complete waste of the volunteer's time.

        - RG>

        • by kenwd0elq (985465)
          Only SHOWS, or only PRINTS? By default Adobe Reader does not PRINT the markups, even though it DISPLAYS them. In your PDF printing dialog, be sure to select to print both text and markups and annotations.
          • Foxit's markup does not appear in Preview on OS X, nor did it appear in Adobe Acrobat Pro 8 or 9. My colleague was entirely unable to read the markup made to the PDF in Foxit (which kind of defeats the purpose of a published standard format).

            - RG>

            • by ZosX (517789)

              That's too bad. I had a printing project that required me to place two pages on a certain fixed page size. You think something like this would be trivial to do with acrobat, but NOOOOOOO the only way to do it is to have it resize the pages to fit the overall page. I wanted the pages to stay to a fixed size. This was impossible with acrobat and there were hundreds of pages, so laying them all down in illustrator was out of the question. I downloaded foxit and it had way better print options than adobe. I don

    • by jhoegl (638955)
      Security over Functionality... Foxit took the road they felt their users needed.
      You can make your minds up why Adobe didnt come up with this, or if they even tried.
    • Talking about adobe losing the ball on this one, I will now force all my clients to upgrade to foxit and uninstall any readers coming from adobe, even if they are paid licenses for it.

  • I think you're all asking the same question I am. Is evince susceptible?

    • and what about SumatraPDF?
      • Re: (Score:1, Interesting)

        by Anonymous Coward

        ... or xpdf...

    • My current PDF viewer is Zathura [pwmt.org]. Same engine as evince, but wicked fast and mouseless!

    • by mirix (1649853)

      I've been using okular lately (uh.. ex-kpdf).

      I'm not sure if they fixed it, but evince had a bug where it wouldn't anti-alias on B&W stuff, which led to major eye-bleeding when reading non OCR'd scans. Hence the switch.

      This was on debian (squeeze), not sure if it was limited to their package, or if it is/was all evince of that build. Guess I could try compiling the latest version and see what happens. But I've gotten used to okular in the mean time, I think I prefer it now.

      I'm assuming the linux ones ar

      • by mirix (1649853)

        Actually, now that I think about it, maybe the bug was with poppler? I think they both use it though. Not sure now.

        • I think it is poppler, because that still happens in evince and some other readers I tried (I just found out it was a bug a couple of days ago, rather than just low res scans). I was going to try okular, but I didn't want to install 150MB or so of kde libs. xpdf seems to work better, but has an ugly ui.
  • by LostCluster (625375) * on Tuesday May 04, 2010 @05:45PM (#32091998)

    They used to say there was no way an image file or text doc could spread a computer virus... then buffer overruns were discovered in image handlers, and Microsoft added VBA macros that basically had the full power of Visual Basic at its disposal to Office, and away it went!

    Now, I make my living writing Visual Basic, so there's no way I want to see VBA going away. Still there needs to be some safety to prevent a VBA macro from using unknowing users' computers from flooding the Internet with useless traffic... and the solution is pretty simple: If an Office doc contains VBA code, a warning is shown to the user asking them if they trust the source of the file, and would like the code to be enabled. If the user declined, macros won't run but users can see the static content in the file.

    So.. that's the solution being employed here. They're effectively saying "Hey, this PDF is using network functionality, do you trust it to do that?" That should shut off the threat vector while still allowing the functionality to be used in trustworthy situations... why isn't this something in Adobe's official reader yet?

    • The only problem with all that is that most users just shrug and say, um, sure -> OK.
      IMHO, for corporate use anyway, Foxit should add some way to leave the default "don't let
      it run" enabled and prevent users from turning it off. Just to give us poor, overworked
      sysadmins a way to prevent non-root/non-Administrator user "Just click OK" (TM) syndrome.

      I believe MS does provide a way to handle the VBA situation you described but it's been
      a while so not 100% sure

      • by RESPAWN (153636)

        You've hit the nail on the head here. One of my users received a particularly well crafted email from "me" today asking her to download a patch for Adobe products. It even included what looked to be a forwarded conversation from our CEO. Had she not co
        e to me asking a question about the instructions, she could very well have infected her machine. Nevermi d that the link was to a .to domain. Typical users don't look for warning signs like that.

        • Re: (Score:2, Funny)

          by Anonymous Coward

          Ar
          e you sure that some of your mac hines aren't alr
          eady
          in fect
          ed?

          • by RESPAWN (153636)

            It's this fucking iPhone keyboard. I know, I know. I should have previewed. I don't care what anybody says about the iPhone keyboard. My personal phone has a QWERTY keyboard with real buttons and I am much faster and more accurate on that thing. If only it could browse /. without shitting a brick.

        • And that's a save for the "Um, you're doing something odd here... are you sure?" system. That extra dialog box most likely prompted the question to you, which saved the day. Yeah, the IT admin might want the control to Just assume the user clicked "No!"... but I don't know the number of times where the IT guys have locked out the custom code I was paid by them to develop because it tripped a "changed .exe" flag. Yes, I'm the developer and you own the software... yes, I think we can trust that changed .exe f

        • Re: (Score:1, Insightful)

          by Anonymous Coward

          One idea is with Acrobat itself. If there is a need to run code or fill a PDF form, the PDF should be signed. Verisign isn't perfect, but in general, if their cert says that a PDF came from a company, it did, and if there is an exploit, fingers can definitely be pointed in that direction.

          At the minimum, unsigned PDFs should not be allowed to run scripts. If the user wants to run scripts, he or she will need to explicitly turn the functionality on.

          Voila. Problem taken care of. Companies can have their i

        • by gravyface (592485)
          This is why I use Postini and tell it to drop any email with mail from *@mydomain.com because unless you have an off-site mail server (for your Web site or whatever) sending out mail from *@mydomain.com, you should never see an email from your domain come into your network from the outside; it would never leave your internal mail server.
          • by RESPAWN (153636)

            Actually, we use Google mail for our mail services but with an on-site SMTP server for our multi-function scanners which don't support SSL. I do subscribe to Postini, and until we made the switch to Google Mail I did have a filter in place to drop anything from *@mydomain.com, but after switching to Google mail, the result was that any emails from the SMTP server on our LAN were dropped by Postini since they traverse outside of our Google mail domain. If our bloody multi-functions would support connecting

    • Re: (Score:1, Interesting)

      by Anonymous Coward

      It...won't work. Users are stupid. Not the programmers. The users.

      Do you trust the source of this? "Sure, I trust Chuck not to forward me a virus" Of course, they never think that chuck is forwarding Anna K nekkid pics from Bob, who got it from Albert, who got it from Zed, who got it from Debby...

      And of course, they'd never contemplate it might not actually be Chuck that sent it, but a virus Chuck opened up and scanned his inbox or address books. And that's just using issues that hit the streets over

    • Re: (Score:3, Funny)

      by ProdigyPuNk (614140)
      I'm almost done a "Database Design and Development" course at college. Turns out the course entirely relies on MS Access (not exactly what I had in mind when signing up). Anyway, in the later part of the course macros/VBA was embedded in the example files, and one of the first instructions in the book was always "Enable the contents" - but the book never bothered mentioning why the warning was there and what the purpose was. I'm sure at least half of my computer science major peers would click OK without
      • Yeah, there should be some sort of "You can trust us, we're your textbook author and we included VBA macros in order to..." note somewhere in the book near the first introduction. Then again, if they were using VBA to prevent copying by students and not telling them about it, then that textbook should be burned.

        • by jonwil (467024)

          The VBA macros were probably being used to actually implement the example. I have seen far too many people (including academics) who think using Access to design a full database UI is a good idea.

    • Re: (Score:3, Funny)

      by sznupi (719324)

      Now, I make my living writing Visual Basic...

      And you freely admit it here?... ;)

    • If an Office doc contains VBA code, a warning is shown to the user asking them if they trust the source of the file, and would like the code to be enabled. If the user declined, macros won't run but users can see the static content in the file.

      But that fails when everyone wants to start using this functionality, and a user has to constantly click allow. Regardless, how are end-users going to know what all this means? They just want to view the document. I think the failure is in even allowing executable co

      • Everybody on Windows uses .exe functionality... and this kind of thing is the basis for allowing or disallowing network connections from suspect applications. It's a last line of defense against newly discovered threats, and works well in combination with Anti-virus which can stop known threats, but has no way of knowing about today's new threat.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      There simply should not be active content in a PDF. PDF means "portable document format", not "program-distribution file". I believe the sane specification is called PDF/A (A for "archive"): No external references, no active content (no scripting, no video, no audio, no actions), no encryption, no blocking print or copy. PDF readers should have a simple preferences toggle: [x] restrict to PDF/A subset.

      • PDF/A is indeed the sane specification(though it has a few friends for slightly different purposes; but offering similar levels of standardness and sanity).

        Trouble is, though, Adobe has very little incentive to stick to that(if some customer demands it, they obviously have an incentive to be able to emit sane PDF/A; but not much to stop there). Since the core, sane, bits of PDF are a royalty free standard, and Reader is free as in beer, Adobe only makes money if people buy the expensive versions of Acrob
      • by klui (457783)
        Or if you rename the file to a .pdfa or something like that, the reader will not enable "active" content.
    • Re: (Score:3, Insightful)

      by Vellmont (569020)


      Still there needs to be some safety to prevent a VBA macro from using unknowing users' computers from flooding the Internet with useless traffic

      Yes, it's called a sandbox. Let the VBA code run in a very limited environment, specifically don't let it access the filesystem or the internet. What's so hard about that?

      and the solution is pretty simple: If an Office doc contains VBA code, a warning is shown to the user asking them if they trust the source of the file

      You've never actually watched people other th

    • by Zadaz (950521)

      ...why isn't this something in Adobe's official reader yet?

      Because most people have no idea that there can be threats inside of PDFs and this kind of pop-up would only alert them that there could be a danger. Who wants that kind of publicity?

    • by jhol13 (1087781)

      NO!

      The solution is not to give choice of "run" / "don't run at all" where "run" means "run with full privileges - bloody hell, let's give administrator while we are at it!".

      Why, after who know how many years of Java, cannot there be a sandbox?

      • You don't keep your private info in a sandbox, and some programs need your private info in order to do what they're designed to do.
        • by jhol13 (1087781)

          Then you get a specific pop-up telling exactly what is going to happen, "script requires read access to file personal.txt" or "to open a socket to blackhat.cn".

          Not "do you want to run ... tough luck, you are now pwned".

    • by virgilp (1774784)

      You see, the issue is that Adobe's reader ALREADY HAS this protection. It always did! Try reading the "researcher's" (notice the quotes) so-called attack, use a version of Adobe Reader however old, and see how it works - guess what, you get a warning telling you that the PDF is trying to execute code and you should only allow it in case you trust it.

      Read the report people, this is a non-issue where Adobe's name was only mentioned because it is fashionable to bash Adobe for whatever "security" issues (saying

  • by ProdigyPuNk (614140) on Tuesday May 04, 2010 @06:01PM (#32092120) Journal
    Is this really a "feature" that should be celebrated? This should have been implemented since the beginning. If you're making a PDF reader, and the PDF spec has an "execute" functionality, shouldn't everyone developing these programs have seen the spec and realized what this could do?
    • Re: (Score:2, Interesting)

      by noidentity (188756)
      There's always someone who comes along and says "it'd be useful if you could do this", be it "execute code embedded in a PDF" or "not have to remember or enter an annoying PIN code number when using the ATM". Never mind that the costs of adding this outweigh the benefit, so it gets added. And at some point, someone creates a new, just-a-freakin'-reader, and the cycle begins anew. Depressing.
    • by Knackered (311164)

      It was implemented from day 1. Version 1.0 of PDF didn't have any ability to launch programs. Then, around day 1000, Adobe decided to turn it into a "platform" instead of a document format, and introduced this sort of problem.

  • by ProdigyPuNk (614140) on Tuesday May 04, 2010 @06:11PM (#32092206) Journal

    "It doesn't disable JavaScript entirely," Xiong said. "It only partially disables JavaScript."

    That line really bothers me. How many times before have ways been found around things like SQL sanitization procedures? Why not block ALL javascript unless it's explicitly enabled? I can't believe that they would let that go.

    • Re: (Score:3, Informative)

      by Shados (741919)

      That line really bothers me. How many times before have ways been found around things like SQL sanitization procedures?

      -Extremely few-, if you're talking about correct SQL management. The only one that comes to mind among serious RDBMSs (DB2, Sybase, SQL Server, Oracle, Postgres...) was a datatype exploit in Oracle that only worked locally, AND was more theoritical than anything.

      Parameterized queries (the only good way of handling "sql sanitization") are virtually flawless. Now, if you're talking about stri

      • by lennier (44736)

        Now, if you're talking about string escaping, as is very popular on PHP/MYSQL stacks...well, yeah, thats swiss cheeze, dangerous, and bad practice (and unfortunately extremely popular)

        So why is the obvious Wrong Way To Do It so popular? Or perhaps more to the point, why is the Right Way To Do It apparently so off-putting to developers that it doesn't get used? And is there a Better Right Way To Do It?

        • by Shados (741919)

          Misinformation and historical reasons. Urban legends, pretty much. And the fact that the technology on which a lot of people learnt to program didnt support it for a long time (even though everything else did).

          Nothing more, really.

    • by jhol13 (1087781)

      Because there are huge number of JavaScript methods that cannot, if properly written, cause any problems.
      Why not allow only them?

  • by rcastro0 (241450) on Tuesday May 04, 2010 @06:23PM (#32092290) Homepage

    Is it a coincidence that I read that Adobe is losing the grip on PDF just a few days after I read Job's "Thoughts on Flash [apple.com]", essentially dumping Flash from iPhones/iPads, and burning it at a stake? Or is Adobe's strategy really failing spectacularly before our own eyes?

    I should've seen it coming -- I haven't used Acrobat Reader for years. PDF Xchange Viewer [docu-track.com] is my current favorite, though Foxit was my first off-Adobe alternative, back when.

    • by Knara (9377)

      "Losing the grip on PDF"? Sort of alarmist there, don't you think?

      The only reason it seems like this is because, perhaps unconsciously (but perhaps not), editors tend to clear stories that seem to form a narrative. Regardless of the narrative existing or not.

      • I agree it may be a bit alarmist, but as someone who has at my former employer worked with many kinds of businesses from small to medium, I can tell you that the only reason adobe acrobat is still in play is because of vendor lock down with businesses. They don't want to change readers/editors because "everyone else uses adobe", but as soon as enough of them get burned, and more IT admins realize it is one of the biggest threats on a companies network, they will start jumping ship. They just need an alterna
        • Re: (Score:3, Insightful)

          by Culture20 (968837)
          And there are a lot of companies, big and small, that are learning about pdf printing via open source tools, making Acrobat a waste of money. If Acrobat isn't being used to create the documents, why use Acrobat Reader?
    • Re: (Score:3, Interesting)

      +1 on PDF Xchange (for Windows) That was the only 64-bit reader I could find at the time and it worked really well. On my mac I simply go with Preview.app. Acrobat is a bloated pig and is to be avoided along with Flash, although I'll probably need to get a Core i7 box because I NEED Photoshop - I think Adobe took lessons from Microsoft on how to incorporate more bloat during Vista development.
      • Re: (Score:1, Informative)

        by Anonymous Coward

        I'll probably need to get a Core i7 box because I NEED Photoshop

        No you don't. I'm sure I read somewhere that newer versions of Photoshop support hardware acceleration using recent GPU's (Nvidia 8x 9x) either directly or through a plugin (I'm pretty sure Nvidia made a plugin for Photoshop to make use of CUDA).

        • Awesome if true. On the other hand I hope not as I need an excuse for the wife so I can get a new machine...
          • by ZosX (517789)

            Its directly integrated. In CS4 it is mostly used for image display and smooth zooming, but can be nice with a modestly fast gpu. I like how you can grab the image and slide it across the screen and release the mouse and it will keep on smoothly scrolling until you click again or it decelerates. I'm sure they included more stuff in CS5, but I have yet to see that in action. I find for CS4 a quad core athlon seems fine. Memory is really the bigger issue, and the more the merrier, though I regularly manipulat

    • How can you lose the grip on PDF when its a fully published spec, and an accepted ISO standard (several of them)?

  • Maybe PDF's support of linked source files cause some vulnerabilities
  • Safe computing? (Score:4, Insightful)

    by cdrguru (88047) on Tuesday May 04, 2010 @06:28PM (#32092322) Homepage

    The problem is that the PDF specification was created at a point in time when you had a reasonable expectation that software would not do bad things to your computer intentionally.

    A method to invoke an external program was put there for flexibility I am sure and it did offer a reasonable way to extend the functionality of the PDF document structure. The same thing is in WinHelp, for exactly the same reason. It allows a "tutortial" document that by clicking on active parts would invoke external programs to do things.

    Now we have a situation where virtually nothing can be trusted to do what it is claiming to do. If you get an email with a file with any sort of active content in it you can assume that it will do something bad.

    Where 15 years ago "active content" was something to be desired and provided extensability, today "active content" is a way to compromise computers and steal from people. A significant problem for Adobe (and plenty of others) is how to eliminate the possibility of bad things happening with active content while retaining the functionality? Today, I would say active content has to go, period. Anyone that is using and relying this needs to change their methods.

    It is a pity that we have to give up flexibility and extensability because of criminals that we cannot or will not police.

    • The problem is that the PDF specification was created at a point in time when you had a reasonable expectation that software would not do bad things to your computer intentionally.

      I had my first Amiga virus in about 1987, quite a few years before PDF came around (and certainly many years before they added JavaScript to the PDF standard).

  • Plain Text Format!

    Even companies such as Adobe, Microsoft, and Apple with joint efforts could eventually make TXT format readers that have next-to-0 security holes. :)

    • by mirix (1649853)

      I'm a big fan of plain text myself.

      But there are a lot of times when ASCII art doesn't cut it.

    • Re: (Score:1, Insightful)

      by Anonymous Coward
      But LF,CRLF, or in the case of pre-OSX mac, CR?
  • by Arancaytar (966377) <arancaytar.ilyaran@gmail.com> on Tuesday May 04, 2010 @08:24PM (#32093142) Homepage

    There is absolutely no excuse for using PDF unless you need the Flashy extra features like forms. As a device-independent printable format, PostScript and DVI are superior as well as devoid of code execution or networking features.

    We've almost taught people not to send Office documents in emails - next step, eradicate PDFs.

    • by bit9 (1702770)
      Do you know of any FOSS PDF-to-PS converters? I have a significant number of PDF files that I'd like to not have to worry about.

      [I haven't actually gone and Google'd the answer to my own question yet, so mod me down if you will, but I'll take personal advice any day over a blind Google search]
      • by dlgeek (1065796)
        pdf2ps ships with ghostscript which is on pretty much any Linux distro with printing support installed. It's acutally how most pdfs are printed in linux.
    • by flyingfsck (986395) on Tuesday May 04, 2010 @11:02PM (#32094046)
      Uhhh, got news for you. Postscript is a programming language. Someone with too much time on his hands even wrote a chess program in postscript.
      • Mod parent up and GP down. Postscript is a turing-complete programming language. It's as far from devoid of code execution features as one can get. One of my favourites is the randomly generated postscript maze [sorotokin.com]. Open it, get a maze, print it on a postscript printer and get a new maze every time.
    • DVI? No. One word: fonts.

      The "P" in PDF stands for portable. You don't replace that with DVI.

    • by TeknoHog (164938)

      There is absolutely no excuse for using PDF unless you need the Flashy extra features like forms. As a device-independent printable format, PostScript and DVI are superior as well as devoid of code execution or networking features.

      Ironically, PostScript is a full programming language. Does it count as networking, if there are web servers written in it?

    • by Zoinky (915530)

      DVI doesn't include images or font embedding. It really would not work well, unless you wanted to package everything up in a tarball or similar, which would quickly become rather large and unwieldy.

  • by bit9 (1702770) on Tuesday May 04, 2010 @09:29PM (#32093542)
    Blocking PDF exploits is a great first step, but is there a way to detect infected PDF files, and disinfect them? I have no problem leaving Foxit permanently in safe mode, but it would be nice to be able to trust a PDF file once in a while, and be able to turn the JavaScript/etc back on for files I trust.
  • You read about many exploits in Acrobat, but are they really exploits in the PDF format and/or JavaScript? What I'm really getting at is, does using an alternative PDF viewer (such as Foxit, Nitro, or MacOS X Preview) protect you from most exploits?

    I've asked this question in a few places and tried to do some research on it, but I haven't found much relevant info at all.

  • by drumcat (1659893) on Tuesday May 04, 2010 @11:53PM (#32094358)
    As an IT admin, I'm not getting anyone to drop PDF as a format. That's insane. But this, along with the 9.2 update installing McAfee without permission, has made me decide my company will be moving to Foxit. Adobe has screwed me for the last time. For anyone's info, if you have Reader 9.0, without the McAfee install selected, and you then do a "Check for updates" update from within the program, McAfee AV will be installed. I now have to UNinstall it from a shit-ton of machines. Adobe is famous for bad installers, but this takes the cake.
  • a script or scanner I can point my directory of PDFs too? PDFs are a great attack vector when you have tons of IT folk downloading programming and sysadmin related ebooks ...

Vitamin C deficiency is apauling.

Working...