Foxit One-Ups Adobe In Blocking PDF Attack Tactics
CWmike writes "Foxit Software, the developer of a rival PDF viewer to Adobe's vulnerability-plagued Reader, released an update on Tuesday that blocks some attacks with a 'safe mode' that's switched on by default. Foxit Reader 3.3 for Windows' 'Trust Manager' blocks all external commands that may be tucked into a PDF document. 'The Foxit Reader 3.3 enables users to allow or deny unauthorized actions and data transmission, including URL connection, attachment PDF actions, and JavaScript functions,' the update's accompanying text explains. Last week, several security companies warned of a major malware campaign that tried to dupe users into opening rigged PDFs that exploited an unpatched design flaw in the PDF format, one attackers could use to infect users of Adobe's and Foxit's software. That flaw in the PDF specification's '/Launch' function was disclosed in late March by Belgian security researcher Didier Stevens, who demonstrated how he could abuse the feature to run malware embedded in a PDF document. He also reported he had figured out how to change Adobe Reader's warning to enhance the scam."
If Foxit Can Do It ... (Score:5, Funny)
Re: (Score:1)
This explains why I avoid Abobe * like the plague.
Me too. He [google.com] has a wicked strong uppercut. Thankfully, he doesn't pay attention when he's on a conveyor belt whose end leads to a bottomless pit.
Re: (Score:2)
This explains why I avoid Abobe * like the plague.
Me too. He [google.com] has a wicked strong uppercut. Thankfully, he doesn't pay attention when he's on a conveyor belt whose end leads to a bottomless pit.
Who the hell designs a conveyor belt that leads into a bottomless pit, anyway? Seriously, someone needs to examine the CPE seal on those plans....
Re:If Foxit Can Do It ... (Score:4, Interesting)
Re: (Score:1)
Citation please? Proof?
Re:If Foxit Can Do It ... (Score:4, Interesting)
Foxit has something to gain from this. For a long time, Adobe only had money to lose by spending anything on their dominant reader that you *had* to use. It appears they haven't lost that mindset.
Re: (Score:3, Interesting)
Adobe has the mindset of a monopolist. In their markets they often are. Their support is shoddy to non-existent and their innovation is down. A few years back, to cement their position with their graphics tools as dominant (Photoshop et al.), they started requiring those wishing to develop plug-ins to adopt exclusive licensing with Adobe, where Adobe could halt sales of their plug-in with any other competing product if it was determined that it out-performed Adobe's product. Most plugin developers don't
Re: (Score:2)
Yeah, terrible that - Big Nasty Corporation Adobe stealing the free and open source work of some tiny little printing company, then claiming that it was all their own work and never allowing anyone else to even breathe the initials of the product without paying their first-born child as a licensing fee.
Someone has forgotten what happened in the 1980s.
Re: (Score:2)
They didn't have to test it against 25+ different languages and 30+ different platforms (yes, you read that right - if you think about every single version of Windows (server versions both x86/x64), Mac OS X, Linux and Solaris).
Re:If Foxit Can Do It ... (Score:4, Insightful)
But since the average amount of registry entries is around 100,000 and the average amount of files is around what, 50,000? (Not even counting different versions and different configuration file entries), wouldn’t that mean
230 * 100,000 * 50,000 = 150 trillion "different platforms" or 25 * 150 trillion = 3,75 quadrillion different configurations? ;)
Or is it just, that when you make not really different setups count (like languages, which are not part of the code to test in such multilingual apps, or not actually different versions of Windows or Linux), that you can come up with whatever insane number you want? ;)
Re: (Score:2, Interesting)
Indeed, one of my Mac users was sent a PDF that had been marked up with Foxit by a volunteer. The markup only shows in Foxit Reader, which is only available on Windows. A complete waste of the volunteer's time.
- RG>
Re: (Score:1)
Re: (Score:1)
Foxit's markup does not appear in Preview on OS X, nor did it appear in Adobe Acrobat Pro 8 or 9. My colleague was entirely unable to read the markup made to the PDF in Foxit (which kind of defeats the purpose of a published standard format).
- RG>
Re: (Score:2)
That's too bad. I had a printing project that required me to place two pages on a certain fixed page size. You'd think something like this would be trivial to do with Acrobat, but NOOOOOOO, the only way to do it is to have it resize the pages to fit the overall page. I wanted the pages to stay at a fixed size. This was impossible with Acrobat and there were hundreds of pages, so laying them all down in Illustrator was out of the question. I downloaded Foxit and it had way better print options than Adobe. I don
Re: (Score:1)
You can make your minds up why Adobe didn't come up with this, or if they even tried.
Re: (Score:2)
Talking about Adobe dropping the ball on this one, I will now force all my clients to upgrade to Foxit and uninstall any readers coming from Adobe, even if they are paid licenses for it.
Evince (Score:2)
I think you're all asking the same question I am. Is evince susceptible?
Re: (Score:2)
Re: (Score:1, Interesting)
... or xpdf...
Re: (Score:2)
My current PDF viewer is Zathura [pwmt.org]. Same engine as evince, but wicked fast and mouseless!
Re: (Score:2)
I've been using Okular lately (uh... ex-KPDF).
I'm not sure if they fixed it, but Evince had a bug where it wouldn't anti-alias on B&W stuff, which led to major eye-bleeding when reading non-OCR'd scans. Hence the switch.
This was on Debian (squeeze), not sure if it was limited to their package, or if it is/was all Evince of that build. Guess I could try compiling the latest version and see what happens. But I've gotten used to Okular in the meantime, I think I prefer it now.
I'm assuming the linux ones ar
Re: (Score:2)
Actually, now that I think about it, maybe the bug was with poppler? I think they both use it though. Not sure now.
Re: (Score:1)
Hey! This thing has code! Were you expecting that? (Score:5, Insightful)
They used to say there was no way an image file or text doc could spread a computer virus... then buffer overruns were discovered in image handlers, and Microsoft added VBA macros that basically had the full power of Visual Basic at its disposal to Office, and away it went!
Now, I make my living writing Visual Basic, so there's no way I want to see VBA going away. Still, there needs to be some safety to prevent a VBA macro from using unknowing users' computers to flood the Internet with useless traffic... and the solution is pretty simple: if an Office doc contains VBA code, a warning is shown to the user asking them if they trust the source of the file and would like the code to be enabled. If the user declines, macros won't run, but users can still see the static content in the file.
So... that's the solution being employed here. They're effectively saying "Hey, this PDF is using network functionality, do you trust it to do that?" That should shut off the threat vector while still allowing the functionality to be used in trustworthy situations... why isn't this something in Adobe's official reader yet?
Re:Hey! This thing has code! Were you expecting th (Score:5, Insightful)
The only problem with all that is that most users just shrug and say, um, sure -> OK.
IMHO, for corporate use anyway, Foxit should add some way to leave the default "don't let
it run" enabled and prevent users from turning it off. Just to give us poor, overworked
sysadmins a way to prevent non-root/non-Administrator user "Just click OK" (TM) syndrome.
I believe MS does provide a way to handle the VBA situation you described but it's been
a while so not 100% sure
Re: (Score:2)
You've hit the nail on the head here. One of my users received a particularly well crafted email from "me" today asking her to download a patch for Adobe products. It even included what looked to be a forwarded conversation from our CEO. Had she not come to me asking a question about the instructions, she could very well have infected her machine. Never mind that the link was to a .to domain. Typical users don't look for warning signs like that.
Re: (Score:2, Funny)
Ar
e you sure that some of your mac hines aren't alr
eady
in fect
ed?
Re: (Score:2)
It's this fucking iPhone keyboard. I know, I know. I should have previewed. I don't care what anybody says about the iPhone keyboard. My personal phone has a QWERTY keyboard with real buttons and I am much faster and more accurate on that thing. If only it could browse /. without shitting a brick.
Re: (Score:2)
And that's a save for the "Um, you're doing something odd here... are you sure?" system. That extra dialog box most likely prompted the question to you, which saved the day. Yeah, the IT admin might want the control to just assume the user clicked "No!"... but I don't know the number of times where the IT guys have locked out the custom code I was paid by them to develop because it tripped a "changed .exe" flag. Yes, I'm the developer and you own the software... yes, I think we can trust that changed .exe f
Re: (Score:1, Insightful)
One idea is with Acrobat itself. If there is a need to run code or fill a PDF form, the PDF should be signed. Verisign isn't perfect, but in general, if their cert says that a PDF came from a company, it did, and if there is an exploit, fingers can definitely be pointed in that direction.
At the minimum, unsigned PDFs should not be allowed to run scripts. If the user wants to run scripts, he or she will need to explicitly turn the functionality on.
Voila. Problem taken care of. Companies can have their i
Re: (Score:2)
Re: (Score:2)
Actually, we use Google mail for our mail services but with an on-site SMTP server for our multi-function scanners which don't support SSL. I do subscribe to Postini, and until we made the switch to Google Mail I did have a filter in place to drop anything from *@mydomain.com, but after switching to Google mail, the result was that any emails from the SMTP server on our LAN were dropped by Postini since they traverse outside of our Google mail domain. If our bloody multi-functions would support connecting
Re: (Score:2)
Re: (Score:1, Interesting)
It...won't work. Users are stupid. Not the programmers. The users.
Do you trust the source of this? "Sure, I trust Chuck not to forward me a virus." Of course, they never think that Chuck is forwarding Anna K nekkid pics from Bob, who got it from Albert, who got it from Zed, who got it from Debby...
And of course, they'd never contemplate it might not actually be Chuck that sent it, but a virus Chuck opened up and scanned his inbox or address books. And that's just using issues that hit the streets over
Re: (Score:3, Funny)
Re: (Score:2)
Yeah, there should be some sort of "You can trust us, we're your textbook author and we included VBA macros in order to..." note somewhere in the book near the first introduction. Then again, if they were using VBA to prevent copying by students and not telling them about it, then that textbook should be burned.
Re: (Score:2)
The VBA macros were probably being used to actually implement the example. I have seen far too many people (including academics) who think using Access to design a full database UI is a good idea.
Re: (Score:3, Funny)
Now, I make my living writing Visual Basic...
And you freely admit it here?... ;)
Re:Hey! This thing has code! Were you expecting th (Score:1)
But that fails when everyone wants to start using this functionality, and a user has to constantly click allow. Regardless, how are end-users going to know what all this means? They just want to view the document. I think the failure is in even allowing executable co
Re: (Score:2)
Everybody on Windows uses .exe functionality... and this kind of thing is the basis for allowing or disallowing network connections from suspect applications. It's a last line of defense against newly discovered threats, and works well in combination with Anti-virus which can stop known threats, but has no way of knowing about today's new threat.
Re: (Score:3, Insightful)
There simply should not be active content in a PDF. PDF means "portable document format", not "program-distribution file". I believe the sane specification is called PDF/A (A for "archive"): No external references, no active content (no scripting, no video, no audio, no actions), no encryption, no blocking print or copy. PDF readers should have a simple preferences toggle: [x] restrict to PDF/A subset.
Re: (Score:2)
Trouble is, though, Adobe has very little incentive to stick to that (if some customer demands it, they obviously have an incentive to be able to emit sane PDF/A; but not much to stop there). Since the core, sane bits of PDF are a royalty-free standard, and Reader is free as in beer, Adobe only makes money if people buy the expensive versions of Acrob
Re: (Score:2)
Re: (Score:3, Insightful)
Still there needs to be some safety to prevent a VBA macro from using unknowing users' computers from flooding the Internet with useless traffic
Yes, it's called a sandbox. Let the VBA code run in a very limited environment, specifically don't let it access the filesystem or the internet. What's so hard about that?
and the solution is pretty simple: If an Office doc contains VBA code, a warning is shown to the user asking them if they trust the source of the file
You've never actually watched people other th
Re: (Score:2)
Because most people have no idea that there can be threats inside of PDFs and this kind of pop-up would only alert them that there could be a danger. Who wants that kind of publicity?
Re: (Score:2)
NO!
The solution is not to give choice of "run" / "don't run at all" where "run" means "run with full privileges - bloody hell, let's give administrator while we are at it!".
Why, after who knows how many years of Java, can there not be a sandbox?
Re: (Score:2)
Re: (Score:2)
Then you get a specific pop-up telling exactly what is going to happen, "script requires read access to file personal.txt" or "to open a socket to blackhat.cn".
Not "do you want to run ... tough luck, you are now pwned".
Re: (Score:1)
You see, the issue is that Adobe's reader ALREADY HAS this protection. It always did! Try reading the "researcher's" (notice the quotes) so-called attack, use a version of Adobe Reader however old, and see how it works - guess what, you get a warning telling you that the PDF is trying to execute code and you should only allow it in case you trust it.
Read the report people, this is a non-issue where Adobe's name was only mentioned because it is fashionable to bash Adobe for whatever "security" issues (saying
Why wasn't this implemented from day one? (Score:5, Insightful)
Re: (Score:2, Interesting)
Re: (Score:1)
It was implemented from day 1. Version 1.0 of PDF didn't have any ability to launch programs. Then, around day 1000, Adobe decided to turn it into a "platform" instead of a document format, and introduced this sort of problem.
Sort of... (Score:3)
"It doesn't disable JavaScript entirely," Xiong said. "It only partially disables JavaScript."
That line really bothers me. How many times before have ways been found around things like SQL sanitization procedures? Why not block ALL JavaScript unless it's explicitly enabled? I can't believe that they would let that go.
Re: (Score:3, Informative)
-Extremely few-, if you're talking about correct SQL management. The only one that comes to mind among serious RDBMSs (DB2, Sybase, SQL Server, Oracle, Postgres...) was a datatype exploit in Oracle that only worked locally, AND was more theoretical than anything.
Parameterized queries (the only good way of handling "sql sanitization") are virtually flawless. Now, if you're talking about stri
Re: (Score:2)
Now, if you're talking about string escaping, as is very popular on PHP/MySQL stacks... well, yeah, that's Swiss cheese, dangerous, and bad practice (and unfortunately extremely popular)
So why is the obvious Wrong Way To Do It so popular? Or perhaps more to the point, why is the Right Way To Do It apparently so off-putting to developers that it doesn't get used? And is there a Better Right Way To Do It?
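The two posts above contrast string escaping with parameterized queries. As an added illustration (my own, not code from anyone in the thread), here is one hole escaping leaves open that parameterization closes: escaping only protects a value inside a quoted string literal, so a numeric comparison built by concatenation is still injectable. The table and inputs are constructed for the demo, using SQLite so it runs anywhere.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table for the demonstration; not real data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return con


def escape(value: str) -> str:
    """The string-escaping habit: double any single quote and splice the text in."""
    return value.replace("'", "''")


def lookup_escaped(con: sqlite3.Connection, user_id: str) -> list:
    """Escaping only helps inside a quoted string literal. In a numeric context
    there are no quotes, so whatever the caller passed is still parsed as SQL."""
    sql = "SELECT name FROM users WHERE id = " + escape(user_id) + " ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def lookup_param(con: sqlite3.Connection, user_id: str) -> list:
    """Parameterized: the statement text is fixed and the value travels
    separately, so the database never parses the value as SQL, in any context."""
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in con.execute(sql, (user_id,))]


if __name__ == "__main__":
    db = make_db()
    for user_id in ("1", "1 OR 1=1"):
        # The escaped query returns every row for the second input; the
        # parameterized one compares the whole string to id and matches nothing.
        print(repr(user_id), lookup_escaped(db, user_id), lookup_param(db, user_id))
```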
Re: (Score:2)
Misinformation and historical reasons. Urban legends, pretty much. And the fact that the technology on which a lot of people learnt to program didn't support it for a long time (even though everything else did).
Nothing more, really.
Re: (Score:2)
Because there are a huge number of JavaScript methods that cannot, if properly written, cause any problems.
Why not allow only them?
Adobe is down down down (Score:5, Informative)
Is it a coincidence that I read that Adobe is losing its grip on PDF just a few days after I read Jobs' "Thoughts on Flash [apple.com]", essentially dumping Flash from iPhones/iPads and burning it at the stake? Or is Adobe's strategy really failing spectacularly before our own eyes?
I should've seen it coming -- I haven't used Acrobat Reader for years. PDF Xchange Viewer [docu-track.com] is my current favorite, though Foxit was my first off-Adobe alternative, back when.
Re: (Score:2)
"Losing the grip on PDF"? Sort of alarmist there, don't you think?
The only reason it seems like this is because, perhaps unconsciously (but perhaps not), editors tend to clear stories that seem to form a narrative. Regardless of the narrative existing or not.
Re: (Score:2)
Re: (Score:3, Insightful)
Re: (Score:3, Interesting)
Re: (Score:1, Informative)
I'll probably need to get a Core i7 box because I NEED Photoshop
No you don't. I'm sure I read somewhere that newer versions of Photoshop support hardware acceleration using recent GPUs (Nvidia 8x, 9x) either directly or through a plugin (I'm pretty sure Nvidia made a plugin for Photoshop to make use of CUDA).
Re: (Score:2)
Re: (Score:2)
It's directly integrated. In CS4 it is mostly used for image display and smooth zooming, but can be nice with a modestly fast GPU. I like how you can grab the image and slide it across the screen and release the mouse and it will keep on smoothly scrolling until you click again or it decelerates. I'm sure they included more stuff in CS5, but I have yet to see that in action. I find for CS4 a quad-core Athlon seems fine. Memory is really the bigger issue, and the more the merrier, though I regularly manipulat
Re: (Score:2)
How can you lose the grip on PDF when it's a fully published spec, and an accepted ISO standard (several of them)?
pdf's are great for linking to layout large prints (Score:1)
Safe computing? (Score:4, Insightful)
The problem is that the PDF specification was created at a point in time when you had a reasonable expectation that software would not do bad things to your computer intentionally.
A method to invoke an external program was put there for flexibility, I am sure, and it did offer a reasonable way to extend the functionality of the PDF document structure. The same thing is in WinHelp, for exactly the same reason. It allows a "tutorial" document that by clicking on active parts would invoke external programs to do things.
Now we have a situation where virtually nothing can be trusted to do what it is claiming to do. If you get an email with a file with any sort of active content in it you can assume that it will do something bad.
Where 15 years ago "active content" was something to be desired and provided extensibility, today "active content" is a way to compromise computers and steal from people. A significant problem for Adobe (and plenty of others) is how to eliminate the possibility of bad things happening with active content while retaining the functionality. Today, I would say active content has to go, period. Anyone that is using and relying on this needs to change their methods.
It is a pity that we have to give up flexibility and extensibility because of criminals that we cannot or will not police.
Re: (Score:2)
The problem is that the PDF specification was created at a point in time when you had a reasonable expectation that software would not do bad things to your computer intentionally.
I had my first Amiga virus in about 1987, quite a few years before PDF came around (and certainly many years before they added JavaScript to the PDF standard).
Re:FoxIt for Linux? (Score:5, Informative)
Re: (Score:1)
This is what happens when an Ubuntu user does not find a software package in the integrated package manager.
Anyone try this out?
I have awful luck with XPDF, and the default reader. I will not touch Adobe on Linux...
Re: (Score:2)
*ahem* [foxitsoftware.com].
Re: (Score:2)
No 64-bit build. =\ Bummer.
Re: (Score:1)
Re: (Score:3, Informative)
Just install Xpdf/evince and be happy. You don't need embedded crap in your documents.
And if cross-platform is what you're worried about, install evince on Windows. http://download.gnome.org/binaries/win32/evince/2.30/evince-2.30.0.msi [gnome.org]
Replace PDF with PTF (Score:2, Funny)
Plain Text Format!
Even companies such as Adobe, Microsoft, and Apple with joint efforts could eventually make TXT format readers that have next-to-0 security holes. :)
Re: (Score:2)
I'm a big fan of plain text myself.
But there are a lot of times when ASCII art doesn't cut it.
Re: (Score:1, Insightful)
This is why PDF should be abandoned (Score:3, Insightful)
There is absolutely no excuse for using PDF unless you need the Flashy extra features like forms. As a device-independent printable format, PostScript and DVI are superior as well as devoid of code execution or networking features.
We've almost taught people not to send Office documents in emails - next step, eradicate PDFs.
Re: (Score:2)
[I haven't actually gone and Google'd the answer to my own question yet, so mod me down if you will, but I'll take personal advice any day over a blind Google search]
Re: (Score:2)
Re:This is why PDF should be abandoned (Score:4, Informative)
Re: (Score:2)
Re: (Score:2)
DVI? No. One word: fonts.
The "P" in PDF stands for portable. You don't replace that with DVI.
Re: (Score:2)
There is absolutely no excuse for using PDF unless you need the Flashy extra features like forms. As a device-independent printable format, PostScript and DVI are superior as well as devoid of code execution or networking features.
Ironically, PostScript is a full programming language. Does it count as networking, if there are web servers written in it?
Re: (Score:1)
DVI doesn't include images or font embedding. It really would not work well, unless you wanted to package everything up in a tarball or similar, which would quickly become rather large and unwieldy.
What I really want to know is... (Score:3, Insightful)
Are most exploits in PDF/Javascript or in Acrobat? (Score:2)
You read about many exploits in Acrobat, but are they really exploits in the PDF format and/or JavaScript? What I'm really getting at is, does using an alternative PDF viewer (such as Foxit, Nitro, or Mac OS X Preview) protect you from most exploits?
I've asked this question in a few places and tried to do some research on it, but I haven't found much relevant info at all.
Since I can't change behavior... (Score:5, Informative)
would someone please post a link to (or create) .. (Score:1)
a script or scanner I can point my directory of PDFs to? PDFs are a great attack vector when you have tons of IT folk downloading programming and sysadmin related ebooks ...
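The /Launch action in the summary and the request just above for something to point at a directory of PDFs come down to the same check, so here is an added example (my own code, not Foxit's and not Didier Stevens' pdfid, though it works the same way): a raw-bytes scanner that counts the action keywords a Trust Manager gates, canonicalises hex-escaped names first (the PDF spec allows /L#61unch to mean /Launch, so a naive substring search misses it), and flags compressed object streams whose contents a byte scan cannot see. The sample PDFs are constructed inline and contain only a placeholder file name.

```python
import re
from pathlib import Path

# PDF name objects may hex-escape any character (e.g. /L#61unch == /Launch),
# so canonicalise names before matching; pdfid does the same.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A name ends at whitespace or a PDF delimiter, so /JS must not match /JSfoo.
_END = rb"(?![^\s()<>\[\]{}/%])"

# Keywords roughly matching what the Trust Manager described above can gate,
# plus /ObjStm: objects inside compressed object streams are invisible here.
TRIGGERS = {
    "/Launch": "runs an external command (the /Launch design flaw)",
    "/URI": "opens a URL",
    "/SubmitForm": "transmits form data",
    "/JavaScript": "JavaScript action",
    "/JS": "inline JavaScript",
    "/EmbeddedFile": "file attachment",
    "/OpenAction": "action fired when the document opens",
    "/AA": "event-driven (additional) actions",
    "/ObjStm": "compressed object stream (not inspected by this scan)",
}
_PATTERNS = {k: re.compile(re.escape(k.encode()) + _END) for k in TRIGGERS}
ACTIVE = [k for k in TRIGGERS if k != "/ObjStm"]


def scan_bytes(data: bytes) -> dict:
    """Count each trigger keyword in one PDF's raw bytes."""
    data = _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)
    return {k: len(p.findall(data)) for k, p in _PATTERNS.items()}


def verdict(counts: dict) -> str:
    """'active' if any gated feature is present; 'opaque' if only compressed
    object streams were seen (use a real parser on those); else 'clean'."""
    if any(counts[k] for k in ACTIVE):
        return "active"
    return "opaque" if counts["/ObjStm"] else "clean"


def scan_directory(root) -> dict:
    """Map each *.pdf under root (recursively) to (verdict, counts)."""
    results = {}
    for path in sorted(Path(root).rglob("*.pdf")):
        counts = scan_bytes(path.read_bytes())
        results[str(path)] = (verdict(counts), counts)
    return results


# Constructed samples, not real malware: a plain one-page PDF, and the same
# document with an /OpenAction pointing at a hex-obfuscated /Launch action.
def _pdf(extra_catalog: bytes = b"", extra_objs: bytes = b"") -> bytes:
    parts = [b"%PDF-1.4\n",
             b"1 0 obj << /Type /Catalog /Pages 2 0 R", extra_catalog, b" >> endobj\n",
             b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
             b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n",
             extra_objs, b"trailer << /Root 1 0 R >>\n%%EOF\n"]
    return b"".join(parts)

BENIGN_PDF = _pdf()
LAUNCH_PDF = _pdf(b" /OpenAction 4 0 R",
                  b"4 0 obj << /Type /Action /S /L#61unch /F (placeholder) >> endobj\n")

if __name__ == "__main__":
    import sys
    for name, (result, counts) in scan_directory(sys.argv[1]).items():
        hits = ", ".join(f"{k}={n}" for k, n in counts.items() if n)
        print(f"{result:7} {name}  {hits}")
```

A zero count is only meaningful for uncompressed objects; anything reported as "opaque" needs a parser that inflates object streams before it can be called clean.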