No JavaScript Needed For New Adobe Exploits

bl8n8r writes "More woes for Adobe as a security firm creates a proof-of-concept attack that injects malicious code as part of the update process. The user only needs to click a dialog box to execute the code and no JavaScript is needed to launch the exploit. The exploit affects Foxit as well as Adobe Acrobat software. This exploit is made possible through the host software allowing execution of system binaries. Not clear if it's multi-platform, but seems plausible."

Linux is vulnerable too

[sopssa]

Since it's part of the PDF specs, it should work in Linux too. What's even worse than with Windows is that since 'rm' is just a normal binary the PDF can launch that, and if you run as root privileges, just issue a command like "rm -rf /". If you don't run as root, then for example Ubuntu should give you the sudo box to input password to. This of course being just one of the examples it could do. Remember that most malware doesn't even need root access to function.

Another reason why it would be even more serious on Linux is the way you can pipe commands and how most systems come pre-packaged with a ton of little utility apps. You can create the whole malware with a series of commands, or wget a bash script from the internet and start that to hide even more malware in the system. Since most Linux systems dont even have the kind of application firewalls or antiviruses that Windows does, and because the Internet accessing is actually done via wget, they don't even get any kind of a "Give internet access to this application?" dialog.

It also doesn't help at all that most Linux users (especially those who are told so by the geeks!) believe that Linux cannot get malware. In my opinion this is a really stupid thing to do from those promoting Linux or Mac OS X as it will just lead to false sense of security.

Re:

[headkase]

Runs with the same privileges as the parent program. So it can kill my home folder, not "rm -rf /" And like every other security hole found so far it will be written out. Considering they all get written out the fair comparison would be comparing number and severity of vulnerabilities by platform. If it can't boot after a vulnerability is exploited or you can't remove it within 30 minutes then have it count doubly so.

Re:Linux is vulnerable too

[sopssa]

If it can't boot after a vulnerability is exploited or you can't remove it within 30 minutes then have it count doubly so.

The days when malwares purpose to trash the system to an unbootable state have been over for 15 years. Now a days you don't really even notice them being on your machine unless its one of those which show fake virus alerts. How would you notice if it just starts sending spam or sniffing your passwords?

Another point is that you can fairly easily hide in a Linux system. If you absolutely need root access, there have been serious privilege escalation exploits over the years. Most of the Linux systems aren't even necessarily being patched consistently. I've seen one of these privilege exploits used on many hosting companies that usually keep their systems up to date and secure too. That beside the point that it's not usual that you even need root access.

Linux is more Secure than Windows

[headkase]

Linux is a lot different than running as root all the time on Windows. My security updates are pushed to me as they are fixed, not even pushing up to a month of vulnerability to patch unlike some systems meant to make corporate IT admins happy. All popular Linux distributions have an updating function: you get your security patches and patches to everything else in your repositories a lot more consistently than Windows. To deny this shows unfamiliarity with Linux. Thats even before you get into functions like selinux and apparmor which happen to be standard on my flavor. For everyone. This is also an Adobe bug, and doesn't affect most Linux PDF readers as far as I'm aware and even if it did I'd have a lot more faith that the Linux ones would be rendered immune more globally than the hodgepodge of updating (or lack of) systems on Windows. You're pointing the finger at Linux and saying: "You're vulnerable too!" But in the practical real world it is a case of not.

Re:

[sopssa]

It's not an Adobe bug, it's a feature in the PDF specs that can be exploited with user stupidity. That's the point I've been trying to made, no OS unless it's completely locked down a la iPhone will protect you from user stupidity. Not Windows, not Linux, not BSD.

Maybe Ubuntu pushes updates itself, but Debian, Fedora and CentOS doesn't. Not for me at least, and I haven't changed anything regarding that. If you want to update, you need to type in the yum update or apt-get update commands manually. And thats

Re:Linux is more Secure than Windows

[headkase]

KPDF (now Okular) [kde.org] has specifically forbidden this behavior forever because it is a security risk. I use Okular myself so I am not vulnerable to this issue. Since it has been known so long to be a security issue in Linux-land why has Adobe allowed it so long? XPDF also is not vulnerable to this issue and so on. So it appears to be a tempest in a tea-cup for Linux and just another day on Windows.

Re:

[sopssa]

Xpdf and Okular on Windows aren't vulnerable either.
Adobe PDF Reader on Linux is vulnerable.

This goes to show that it doesn't matter which the OS is, as it's mostly about software or user stupidity. Windows and Linux are on par in this, neither one is better than the another. There is SELinux for Linux which can mitigate the issue, but there are such tools and settings for Windows too. Not that any casual user will put up with those in either system.

Re:

[headkase]

To say that Windows and Linux are on par for security borders on incredulous.

Re:

[Mister Whirly]

To pretend that one OS is inherently superior in security over another also borders on incredulous. Anytime a specific OS is mentioned in a security discussion, that person has lost the discussion, and does not understand the entire concept of security. Security isn't software. Security isn't an operating system. Security is a set of practices and policies that apply to all software and operating systems regardless of what specific type they are.

Re:

[vegiVamp]

I fully agree, and had I modpoints I'd simply add a +1 insightful to your score.

Since I haven't, though, I'd like to point out that while it is true that you can't simply equate security with a piece of software, you *can* compare how well two teams of developers (try to) adhere to those practices and policies.

I have a feeling that Linus and the people who verify kernel patches have a better track record in that than the people at Microsoft who decide that a given feature WILL BE in the next release, regard

Re:

[icebraining]

By default if you run firefox on linux/windows as a normal user, if firefox gets pwned, everything you can access as a normal user is at risk. Same for most programs you run.

This security model is decades old and crap.

Why? I just run Firefox in a different user, which doesn't have write permission to anything except a download folder. So exploiting Firefox isn't enough to get access to my files.

Re:

[chrb]

Adobe PDF Reader on Linux is vulnerable.

I never understood why people bothered with Acrobat Reader on Linux - KPDF/Okular has been smaller, faster and nicer looking for years, and it integrates better with the KDE desktop. I'd imagine the same it true of whatever Gnome uses?

Re:

[impaledsunset]

"We kpdf developers want to add it, but kde core developers won't allow it.

[...]

So unless you can convince the non believers you are not going to get that feature, sorry :-/"

Good quote from the discussion. That's how (many) people view disabling features for security reasons. The developers get to be called "non believers". How do you tell these users how bad the feature they want is? And these are geeks posting bugs, and developers, not average Joes. The average Joe might even refuse to use the more secure

Re:

[Kitkoan]

no OS unless it's completely locked down a la iPhone will protect you from user stupidity.

It's not alway user stupidity, just how the system is designed. Even a closed system like the iPhone [sophos.com] can be hacked by a third party without access to the computer itself. This exploit effected all smartphones, granted only iPhone's didn't get patched against it until 48 hours after the information about it went public.But it showed that it was possible, even given it's locked down nature.

Re:

[Red Flayer]

That's the point I've been trying to made, no OS unless it's completely locked down a la iPhone will protect you from user stupidity. Not Windows, not Linux, not BSD.

Tha'ts not the point you were trying to make in your OP. The point you were trying to make in your OP was that the exploit is worse in Linux than in Windows. I quote>

Since it's part of the PDF specs, it should work in Linux too. What's even worse than with Windows is that...

Another reason why it would be even more serious on Linux is the

Re:

[The End Of Days]

You don't run as administrator in Windows anymore, either. Security updates are likewise pushed in windows. Windows has an updating function. Your statements all show unfamiliarity with Windows.

This is not an Adobe bug, this is a vulnerability in the PDF spec. Readers not from Adobe have already been shown to be vulnerable.

Linux is not immune, despite your specious claims.

Re:

[daveime]

Why would any document markup language have an executable function at all ?

And why, if this really is "part of the PDF spec", has every single PDF reader implemented this crazy functionality ?

One time where "following standards" has fucked us all up I guess.

Re:

[afidel]

I'll give you a real world example of how this functionality is used. We used Adobe standard to export email from our Lotus Notes email system so that any legal records can be imported into our content management system, these archives are a complete copy of the email records including metadata and attachments stored within a PDF file. Clicking on an attachment in the archive opens the system default viewer for that file type. Turning this feature off would significantly reduce the functionality and user fr

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[thsths]

> You don't run as administrator in Windows anymore, either.

And how many software packages still work then? Even Firefox had serious trouble with the update function under non-admin accounts until very recently.

> Security updates are likewise pushed in windows.

Pulled, to be precise. Via an Active-X plugin, yuck.

> Windows has an updating function.

No, it does not. The update "function" is a web site that sets of 3 security warnings in IE8.

> Your statements all show unfamiliarity with Windows.

Ditto

Re:

[jawtheshark]

Try running most Windows XP software and see what happens.

I keep hearing this repeated ad infintum. Since Win XP SP2, most software got adapted so it could run as Limited user. Even game developers got the message. The Sims 2 initially came out as "Admin only". That was patched within months when people complained.

Anyway, even for non-behaving software, it is usually a matter of setting User-Write-Permissions on the folder of the misbehaving application. If that doesn't help, set User-Write-Permission

Re:

[LordLimecat]

Try running most Windows XP software and see what happens.

Yes, I recommend that to all of my clients. Some software really wants access to program files, but thats fixed with cacls on the directory. Very few programs actually need admin, even quickbooks (whose tech support guys will insist it does). And for the programs that really really need it, theres always runas; you dont need your whole shell running with admin priveleges.

It is present in Adobe Reader, it has already been patched out of FoxIt and it never existed in XPDF.

If you will read the article on this from several days ago, you will see that there was a PDF released which runs calc on windows, xcal

Re:

[shutdown -p now]

Try running most Windows XP software and see what happens.

Unless you're running software that hasn't been updated in the last 5 years, it'll work just fine. For vast majority of home users, this will be the case. For enterprises, they may have a legacy line-of-business application written in 90s that needs Administrator - however, if you use a modern Windows OS (i.e. Vista/7), you just configure that particular application to request elevation when started.

In any case, Adobe PDF reader (or any third-party reader) most definitely doesn't require admin.

Oh, and even

Re:

[headkase]

Linux build from 8 years ago? XP is still widely in use so it is fair to mention it, the average Linux build on a home computer (the target of this attack - servers have to need for Adobe Reader) are well newer than 8 years! I guess having Free updates to newer versions makes it a lot easier to stay current. His second response agreed with me. The third called me a fag. The fourth said it was a bug in the spec when every PDF viewer - except Reader - on Linux doesn't follow that part of the spec for sec

Re:

[abigor]

Nevermind that all the software on XP is broken when you're not root.

While I don't disagree with your other points, this statement is false. Nearly all widely-used XP software runs just fine under a user with limited rights, as this is how XP is run in any corporate environment.

Re:

[0ld_d0g]

Nevermind that all the software on XP is broken when you're not root.

Thats a curious way to argue against security.

"Hey I can't run all this badly written software on Windows unless I run as root, therefore Windows is insecure !"

Re:

[commodore64_love]

Puppy Linux runs on root, so it would be vulnerable.

>>>doesn't affect most Linux PDF readers as far as I'm aware

Good point.

Re:

[Pentium100]

Linux is a lot different than running as root all the time on Windows.

Let's say that there are no exploits to get root access on a Linux system. What can malware do with limited user account?

rm -rf /home/user - would work, but useless
sending spam - you don't need root access to send mail, do you?
participating in a botnet - you don't need root access to open a port and give shell to whoever is connecting.
searching user files for valuable information - would work

I don't know if a keylogger would work without root access.

So, a trojan (malware pretending to be a legitimate app) o

Re:

[gmuslera]

Usually you don't use those linux servers on hosting companies as desktops where you run acrobat reader. And desktops/notebooks/etc are usually more frequently updated (both as using new distributions or with patches available in the case you prefer to stick with a non latest version).

But anyway, you don't need root access to do most of what botnets/spambots do, with plain user access is bad enough. And targetted attacks could access most of what the user do without needing to go root neither.

Re:Linux is vulnerable too

[caffeinemessiah]

Maybe you should actually, you know,...use Linux before you attempt to troll about security.

What's even worse than with Windows is that since 'rm' is just a normal binary the PDF can launch that, and if you run as root privileges, just issue a command like "rm -rf /". If you don't run as root, then for example Ubuntu should give you the sudo box to input password to. This of course being just one of the examples it could do. Remember that most malware doesn't even need root access to function.

Nobody uses the root account in Linux for everyday activity. In Ubuntu, root login is even disabled by default (you have to sudo). So no worries about the system in general. Although it's pretty devastating to issue a "rm -rf ~" to delete the user's home directory, it's on par with Windows. Then you say that most malware doesn't even need root access to function, but on all the millions of XP boxes out there, it's already given root access by default.

Another reason why it would be even more serious on Linux is the way you can pipe commands and how most systems come pre-packaged with a ton of little utility apps. You can create the whole malware with a series of commands, or wget a bash script from the internet and start that to hide even more malware in the system.

Windows has a pipe function too, in addition to being able to zoink your whole file system with a simple "del". It also comes with ftp and telnet, which are handy replacements for wget. In short telnet+response file = download an .exe from the web = any sort of functionality you might want using Unix command line tools.

Your comment, sir, is vapid.

Re:

[Voulnet]

No one is saying Linux is about as secure as XP, but the OP is saying that because of the spreading culture among many Linux users that there is no way they can get malware, this type of attack might easily fly under the radar. No need to compare to XP because we all know it's not a fair comparison!

Re:

[idontgno]

Of course programs care what you think of them. (Or stepping away from gratuitous and confusing anthropomorphizing, the authors of such software care.)

Trojans and other automated social engineering depend on projecting trustworthiness; i.e., that the user thinks the software is both reliable and desirable. If user perceptions of software didn't matter, malware wouldn't try to trick users. They'd just say "click here to get pwned".

Until Chuck Norris manifests himself as malware, what users think of software

Re:

[Nick Number]

In short telnet+response file = download an .exe from the web = any sort of functionality you might want using Unix command line tools.

This is a minor point, as there are plenty of other malicious things you can do with a command line, but the built-in Windows telnet client doesn't support response files.

Re:

[icebraining]

The way I've seen to download files was to use tftp.exe.

Re:

[afidel]

tftp is non-routed so that won't do you much good for getting malware on a machine.

Re:

[The MAZZTer]

I'm not sure how he thinks rm is a normal binary but rmdir.exe isn't...

Your comment, sir, is vapid.

[Frosty Piss]

Nobody uses the root account in Linux for everyday activity.

Really? More than you think...

So no worries about the system in general.

Dangerous assumptions continue...

Re:

[Anonymusing]

I really don't care about the rest of your comment (one way or t'other), but "Your comment, sir, is vapid" ought to earn you a few thousand mod-ups. Thank you.

Re:

[shutdown -p now]

Nobody uses the root account in Linux for everyday activity. In Ubuntu, root login is even disabled by default (you have to sudo). So no worries about the system in general.

There is actually one way in which this can potentially be more harmful in Linux than in Windows, although GP missed that one (for all the invented stuff that he came up with). The problem is that sudo caches your credentials for a certain period of time (5 minutes by default, IIRC) after you use it for a given user account. So, if you use sudo to run something that needs it, and then exit that application, and then some malware does exec sudo shortly after, it will quietly get root.

You can disable this by

Re:

[nuckfuts]

Windows... comes with ftp and telnet...

Telnet is not available by default in Windows Vista and Windows 7, but can be enabled via "Control Panel" > "Programs and Features" > "Turn Windows features on or off".

Re:

[thuerrsch]

Well said. Also don't forget that Evince, the default pdf viewer in Gnome and in Ubuntu, is immune to this exploit, as confirmed by several comments on Didier Stevens' original announcement [didierstevens.com].

So here we have another good reason not to use Acrobat Reader on Linux (or on anything else, for that matter), but also not to trust closed-source alternatives like FoxIt. Evince is fast, efficient, easy to use, has all the necessary features, nothing more, nothing less. And hey, there's even a Windows version!

Re:

[Culture20]

Nobody uses the root account in Linux for everyday activity. In Ubuntu, root login is even disabled by default (you have to sudo).

And since sudo usually caches creds, you might still be vulnerable; or you will be when the sleep-loop malware script sees a sudo in ps and sudos right in itself.

Re:

[headkase]

even I don't always su out of root even if some command between what I'm doing doesn't require root

So how does this Adobe flaw get access to your root terminal to continue issuing commands? And if you are running your desktop session as root you are an idiot. Ubuntu doesn't even have root it has sudo and if you want to enable the root account ("sudo passwd root") you have to go out of your way to make your system insecure. The fact is that unlike Windows Linux programs are written to not require root.

Re:

[sopssa]

I suspect it uses normal exec(), just like it works in every other program.

Almost any Windows program doesn't require root/admin now a days, and if they do, it's for a reason. You can't really compare to Windows 98 and the programs from that age. If we go that route, we might as well start digging the hundreds of privilege escalation and remote exploits that Linux in its history has had.

You also don't need to run the whole desktop as root. You can launch Firefox by typing "firefox" in terminal (either in te

Re:

[headkase]

The fact remains and is insoluble right now that Windows allows root access more easily than Linux. You have to go out of your way to be root on Linux, XP (a very common operating system still in use) gives you root as a matter of course. And you can compare XP and Linux because both are commonly used right now. Vista will elevate on a whim and I'm sure 7 would too, at least with Linux when something tries to elevate you wonder why where with Windows you'd be right the majority of the time just assuming

Re:

[LordLimecat]

You have to go out of your way to be root on Vista and 7, so Im not sure what your point is.

Re:

[weicco]

As already said, malware doesn't need to run as root or Administrator.

But then it comes to sudo prompt / UAC. How are you going to educate old granny not to enter root/admin password when OS asks for it unless there a valid need for it? Heck, I've playing and working with computers (C64, C128, Amiga, PC Windows/Linux/BSD, Sparc/Solaris etc. etc.) for 25 years now and even I can't always tell when UAC (yes, I'm using Vista currently) prompt is valid or not! Just yesterday some Java-piece-of-crap asked for ad

Re:

[dAzED1]

there is absolutely, positively, no one that "do[es] it for convenience" with any distro released in the last bloody decade that has any statistically relevant user base. Every little tool along the way would complain about you being root, nagging you until the easiest thing to do is to just log in as a regular user.

Re:

[shutdown -p now]

"del" is a Windows command, not an application. It doesn't work the same way.

Do you mean "cmd.exe command"? It's true, but what does it matter, if you can just do "cmd.exe /c del /s /q c:\*.*", and get the same effect?

Re:

[Voulnet]

So it's about time Linux users get down to earth and learn "It's not the system, it's the user" the hard way?

Re:

[shutdown -p now]

Since it's part of the PDF specs, it should work in Linux too. What's even worse than with Windows is that since 'rm' is just a normal binary the PDF can launch that, and if you run as root privileges, just issue a command like "rm -rf /".

In Windows, the PDF can launch cmd.exe, passing it the commands to execute as parameters (with /c), so nothing changes.

... if you run as root privileges, just issue a command like "rm -rf /". If you don't run as root, then for example Ubuntu should give you the sudo box to input password to.

Have you ever actually used Ubuntu?

No, you won't get a sudo box if you run "rm -rf /" on an account which doesn't have permission. You'll get "permission denied", exactly the same as if you'd try "rmdir /s C:\Windows" from non-admin in Windows.

There's no auto-elevation, neither in Windows nor in Unix. The program has to be explicitly coded to request the OS service (UAC or gksudo) to pop u

Re:

[jank1887]

just curious, what version of PDF did this become default behavior? Sounds like it's time to roll PDF back a few versions. I can live without active PDF content and fillable forms that remember my previous text input.

Re:

[Kitkoan]

Linux may be vulnerable too, if your running the Linux version of Adobe Reader which you would have to go out and get on your own. Every version of Linux I have tried has an open source PDF reader that isn't Adobe's. As for the Firefox exploit, FTA it states that the Firefox must be running the addon Foxit and I'm not sure how common that is.

Though I highly agree with you that Linux users shouldn't believe that Linux can't get malware. It's more unlikely of the 3 major OS's (Windows, OSX, Linux), but that d

Re:

[randallman]

Since most Linux systems dont even have the kind of application firewalls or antiviruses that Windows does, and because the Internet accessing is actually done via wget, they don't even get any kind of a "Give internet access to this application?" dialog.

These things slow your computer down and make using applications annoying. They exist on Windows because of the massive problem of malware on Windows. They do not exist on Linux because in general, malware on Linux is not a problem. You can speculate as to why, but that's the way it is. Where real problems exist with Linux, like rootkits, solutions exist (e.g. chkrootkit). If viruses and such get to be a problem, solutions will appear. At the moment virus scanners and outgoing firewall prompts are no

Re:

[h4rr4r]

If you run a pdf reader app as root you deserve what you get.

Re:

[randallman]

Virus scanners and outgoing firewalls are a crummy way to handle these threats. Linux handles them in a better way [wikipedia.org]

Re:

[Lunix Nutcase]

Except that it has been shown to not work on other PDF readers than Acrobat.

The exploit affects Foxit as well as Adobe Acrobat software.

Re:

[LordLimecat]

It also affects PDF X-change, tho with a prompt

Re:

[gzipped_tar]

> so it all boils down to how knowledgeable the user is about security

But you're the one who brought up this "Linux makes creating malware handier and stealthier" argument, and you're now resorting to the same old, tiring "user incompetence" excuse?

And did you just pulled that argument from your ass, or have you actually worked on malware on Linux, Windows and Mac OS X and compared them before making that post?

And yes, some people are creating a false sense of security around Linux. But aren't you creati

Re:

[0123456]

But SELinux is pain in the ass and generally disabled on every desktop oriented Linux distro like Ubuntu..

SELinux works fine in Redhat, at least to the extent that I've used it.

However, Ubuntu has Apparmor instead, and I believe they use it to wrap the PDF viewers by default. So even if this exploit works with some Linux PDF viewer it will probably not be allowed to execute arbitrary application files or modify arbitrary disk files on Ubuntu... making it far less effective.

Re:

[Volante3192]

They do? Then why is it I have to regularly cleanup malware on user accounts that are not running as admin?

(Fortunatly, the cleanup is nice: log in under another restricted user account, elevate, copy over their docs and desktop, then blow out their profile folder entire. It's beautiful.)

Re:

[reub2000]

What? I frequently convert openoffice and latex files to pdf on linux.

Solution

[abigsmurf]

Have the dialogue control specify that you are potentially allowing the PDF to alter other documents (maliciously or otherwise).

It's not exactly the first time a method of using social engineering to trick people has been part of a standard. Altering the status bar in JavaScript in order to aid phishing attacks was one.

Re:Solution

[Yvanhoe]

The attack requires the user of the computer to allow the code to be executed by agreeing to it via a dialog box. However, the attacker could at least partially control the content of the dialog box that appears to prompt the user to launch the executable and thus use social engineering to entice the computer user to agree to execute the malware, said Conway.

Solution : stop accepting that documents should execute binaries in order to display properly.

Re:

[robot256]

It's just PDF 2.0... You can't have 2.0 without executable code. If it doesn't move, it's so pre 2.0.

So, is this no longer a problem in France? [slashdot.org]

Re:

[abigsmurf]

Which is why you ensure programs display a fixed message for (or in addition to) these dialogs so it's impossible to mislead the user.

Dupe Dupe

[Nerdfest]

I believe this exploit has already been patched in FoxIT, assuming this is the same exploit descibed here on SlashDot 2 weeks ago. Strangely, I haven't seen an update from Adobe ...

Re:

[sopssa]

Yes, Foxit patched it last week. It uses the same technique so the Foxit patch should work, but this new "exploit" just takes it a bit further in that the malware can be embedded in the PDF file.

Re:

[lahvak]

I am not completely sure, as I don't use foxit, but if I remember correctly, the problem with the last exploit on foxit was that it executed the binary without a dialog box. Adobe reader asked user to confirm with a dialog box. In my opinion something like that is not a vulnerability, so adobe had nothing to patch.

Re:Dupe Dupe

[phayes]

Yes, foxit has patched the vuln: http://forums.foxitsoftware.com//showthread.php?t=18044 [foxitsoftware.com]

Or maybe they didn't fix it...

[WD]

At least according to Didier:
http://blog.didierstevens.com/2010/04/06/update-escape-from-pdf/ [didierstevens.com]

Microsoft to Blame

[MyLongNickName]

As has alreay been pointed out, the worst this "exploit" can do is elevate to the same rights as the user. As anyone with a CS degree (or even any true IT experience) would know, these rights should be limited.

Now, Microsoft has for DECADES pushed the paradigm of giving the user administrative rights. Sure, they are making solf half-hearted attempts now to change this. But they created an environment of 3rd party software relying on this full rights model... and it is biting us all on the butt.

So, as usual,

Re:

[sopssa]

Most malware doesn't need root/admin access. It's only needed if you want to pwn or hack the server. Malware on the other hand runs just happily in userland too.

Re:

[Abcd1234]

As has alreay been pointed out, the worst this "exploit" can do is elevate to the same rights as the user.

Yeah, and then you're just a local privilege exploit away from being fully owned.

And this is ignoring the fact that malicious users can do plenty with a non-privileged account (here's hoping you don't store any sensitive information unencrypted in your home directory).

Re:

[shutdown -p now]

Now, Microsoft has for DECADES pushed the paradigm of giving the user administrative rights.

Since you're apparently unaware of the fact, this paradigm was a de facto standard on all home desktop OSes in the 90s. MacOS was not any different, and even Unix-like OSes that were explicitly desktop-oriented used root by default (e.g. BeOS).

Google Docs

[areusche]

Screw adobe and other client side PDF readers. Am I vulnerable if I use Google's PDF viewer to view PDFs?t

for more info

[bl8n8r]

A little better than the crummy cnet write-up. http://blog.didierstevens.com/ [didierstevens.com]

pdftotext

[Curmudgeonlyoldbloke]

Presumably xpdf's "pdftotext" isn't vulnerable?

"Security firm"

[Spyware23]

"More woes for Adobe [i]as security firm[/i] creates proof-of-concept attack that injects"

"As security firm"? Who does the article mean, Jeremy Conway of NitroSecurity, or Didier Stevens, working for Contraste Europe? Also, it would've been nice if the article linked to an article Jeremy wrote titled "Implications of Recent PDF /Launch Hacks", this article can be found here: http://siemblog.com/2010/04/implications-of-recent-pdf-launch-hacks/ [siemblog.com]

Dupe

[MobyDisk]

Dupe from Slashdot, March 31st [slashdot.org]

Does it use a single code base ...

[lwriemen]

... to run multi-platform? >;->

http://developers.slashdot.org/story/10/04/04/1627226/Multi-Platform-App-Created-Using-Single-Code-Base [slashdot.org]

OT: Do non-Adobe PDF apps less vulnerable?

[guanxi]

Would switching to a non-Adobe PDF viewer make you safer? I understand this exploit affects Foxit, but there are many other exploits and PDF viewers (MacOS X's Preview, Ghostview/GSView, CutePDF, Nitro, etc.).

Usually the headline says the exploits are in Acrobat; and given Adobe's much larger installed base, they are a much more likely target; but perhaps the exploits are really in PDFs (or JavaScript) in general.

Re:

[Skuld-Chan]

Actually in this case - foxit just runs the exe without displaying the "do you really want to open this" warning Reader gives you.

Not really an exploit...

[Skuld-Chan]

This feature is in the PDF specification, and in fact in the youtube video you'll notice that the trust manager warning is pretty severe "only do this if you trust the PDF" sort of thing.

To me its akin to downloading an EXE from a website with a browser and clicking the open button...

Re:

[Yvan256]

Why does a document format need to have the ability to external executable files in the first place?

Re:Drop it like the disease it is

[abigsmurf]

You clearly didn't read the article or even the summary. This exploit affects Foxit too. It's an exploit of the PDF standard itself

Re:Drop it like the disease it is

[Anonymous Coward]

You clearly didn't read the last week's Slashdot article [slashdot.org]. This exploit is already fixed in Foxit. [foxitsoftware.com]

Re:

[Duradin]

Doesn't the summary mention that Foxit is vulnerable to it as well?

"The exploit affects Foxit as well as Adobe Acrobat software."

Re:

[clone53421]

As it’s apparently a standard PDF feature, giving it a shot to run whatever command line its author desires...

Yeah, it would affect anything that supported that feature.

Note that the clean pdf, after it is infected, pops up the window asking to run “firefox.exe sudosecure.net”. I’m not sure exactly how he did it, but note that there is a huge mass of text (judging from the scrollbar) above the “it’s okay, let me do this” message in the evil pdf. He’d have to s

Re:

[mister_playboy]

The summary is inaccurate. Foxit has already patched this problem in the current version.

Re:

[Tridus]

Because some genius thought that it was a great idea to put a launch command in the PDF spec.

Seems like it's working as intended.

Re:Code, meet data

[Animats]

Because some genius thought that it was a great idea to put a launch command in the PDF spec.

Yes. That should formally be removed from the ISO standard.

I tried the proof of concept code in SumatraPDF, and it didn't work. But may be a bug in SumatraPDF; there's an error message about a sync file failure.

Re:

[commodore64_love]

>>>Reading a lone pdf once in a while isn't worth having a massive security flaw

If only that were true. I encounter a PDF at least once a day. Just an hour ago I was reading a PDF about my college homecoming. If it had been possible to get the information some other way, I would have, but they only provided the giant poster in PDF form. - And earlier this morning I encountered a PDF while looking for Lubuntu (lean ubuntu) information.

So uninstalling a PDF Reader isn't really practical.

Re:

[icebraining]

Why? Just disable the PDF reader plugin, and download & open the files you actually need and trust. Or just install NoScript, which will disable *all* plugin until you explicitly click the frame to activate them.

NoScript 3

Re:

[Zironic]

Only that the hole in the roof is a requested feature, without which they wouldn't be able to sell their operating system (backwards compatibility).

Re:

[mcgrew]

My car has a hole in its roof called a "sunroof", but I can close it with the touch of a button. If it rains in, that's my fault, not the car manufacturer. But a Windows sunroof won't close, and that's Windows' fault.

Being a multi-billion dollar company whose OS is installed on almost every computer sold, Microsoft has the wherewithall to create a secure, backwards compatible OS. The thing is, they don't have to because their OS is installed on almost every computer sold. There's no incentive for them to d

Re:

[shutdown -p now]

As others may have stated -- but I definitely want to underline -- the broken security model of Microsoft Windows causes significant potential for harm by this exploit.

So far, no-one has explained how Windows is any more vulnerable to this exploit, unless running under an administrative account (which hasn't been the default for the last 2 major OS releases).

So, care to explain what is "broken" about Windows
security model vis-a-vis Unix one?

Re:

[Cro Magnon]

Between the format wars (.doc, .docx, open office .doc, .odt, etc) and between the HTML / Browser standards (ie6, ie7, ie8, firefox, safari, opera, etc), PDF seems to be the only consistent way to view things across all OS's. Sadly, it's very useful for that reason...

There's always txt files. They might be ugly and no bells/whistles, but AFAIK, nobody's ever gotten infected by one.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[colinrichardday]

TeX/LaTeX. You can even convert to pdf.