bit-tech.net

New PDF flaw doesn't need JavaScript

This latest vulnerability in PDF reading software doesn't rely on JavaScript - and even affects Foxit Reader.

A new vulnerability in PDF readers is being exploited by ne'er-do-wells - but this one doesn't require JavaScript to be enabled in order to take control of your PC.

According to an article published on CNET, the new vulnerability was first spotted by Didier Stevens and further developed by NitroSecurity's Jeremy Conway, who created proof-of-concept code that could attack a system simply by fooling a user into accepting a single dialog box after opening a malicious PDF.

The attack makes use of the 'incremental update' feature of the PDF standard, and unlike previous attacks can operate even if the JavaScript engine is disabled in the PDF viewer's options.

The news isn't just bad for Adobe, however - and those who recommend switching to alternatives to Adobe's Reader PDF viewer should take note - as the popular Foxit Reader PDF viewer is also vulnerable to this particular attack. In fact, Stevens explains that "in this case, Foxit Reader is probably worse than Adobe Reader, because no warning [dialog] gets displayed to prevent the launch action."

So far, neither company has provided a patch to mitigate this particular attack, although both are investigating the issue.
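
With no patch available, one thing a defender can do is triage incoming PDFs for the two features named above. The following is an added example, not code from the article, Stevens or Conway: it counts file revisions (each incremental update appends a section ending in its own `%%EOF`) and looks for launch-action names, including hex-escaped spellings. The function names, the watched-name list and the sample bytes are assumptions made for illustration.

```python
import re

# A PDF name is "/" plus regular characters; any character may be written as a
# #xx hex escape, so /L#61unch and /Launch are the same name.
_NAME = re.compile(rb"/((?:[^\x00\t\n\x0c\r ()<>\[\]{}/%#]|#[0-9A-Fa-f]{2})+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")
WATCHED = (b"Launch", b"OpenAction", b"AA", b"JavaScript", b"JS")


def decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes so obfuscated spellings compare equal."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def triage_pdf(data: bytes) -> dict:
    """Count revisions and watched action names in the raw bytes of a PDF.

    Limits: names inside compressed object streams are not seen, and a
    linearized file carries an extra %%EOF, so treat the result as a hint.
    """
    names = [decode_name(m.group(1)) for m in _NAME.finditer(data)]
    counts = {k.decode(): names.count(k) for k in WATCHED}
    revisions = data.count(b"%%EOF")
    return {
        "revisions": revisions,
        "incremental_updates": max(revisions - 1, 0),
        "names": counts,
        # A launch action needs no JavaScript, so flag it on its own.
        "flag_launch": counts["Launch"] > 0,
    }


# Constructed sample (not a valid or working PDF): an original revision, then
# an appended update that redefines object 1 and adds an action dictionary.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /Type /Action /S /L#61unch /F (placeholder) >> endobj\n"
    b"trailer << /Root 1 0 R /Prev 0 >>\n%%EOF\n"
)

if __name__ == "__main__":
    print(triage_pdf(SAMPLE))
```

A file flagged here is a candidate for quarantine or closer inspection, not proof of an attack; plenty of legitimate PDFs have been saved incrementally.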

Are you disappointed to see yet another attack against the PDF format, or are you just shocked to see that this time it's not JavaScript related - or limited to Adobe's software? Share your thoughts over in the forums.

12 Comments

eddtox 7th April 2010, 14:39
No surprise here. Just like Windows, the PDF standard is a victim of its own success. I do hope they fix this soon, though.
cjoyce1980 7th April 2010, 15:19
Quote:
Originally Posted by eddtox
No surprise here. Just like Windows, the PDF standard is a victim of its own success. I do hope they fix this soon, though.

....and the same with OSX 10.6 and Firefox.

The problem with developers now is that they never apply aggressive programming development any more, because they can always fix it with a patch later.

Imagine getting a buggy PC/SNES/Mega Drive game back in the 90's! You would go nuts at the store and demand your money back.

Now software development is just like the American society! We can fix everything with a pill! Or a patch in software's case :)
Tulatin 7th April 2010, 19:46
I would think it's fairly hard to program something that's bulletproof when there's incentive for millions of crackers out there to find holes in the cheese.
feedayeen 7th April 2010, 20:43
Nah, it shouldn't be that hard. If you perform proper input validation by treating the contents as data, it will have no impact on the rest of the program. Adobe's problem appears to be feature creep because every year they need to find a new excuse for people to rebuy their products and upgrade. The Portable Document File should never have supported executable code. If you keep it limited to text, images, formatting, and hyperlinks, the format would be completely safe provided that proper data validation is performed with the only danger being users clicking on a link leading them to a bad site where they then download the bad stuff. But at that point, it is the user's or web browser's fault, not Adobe's anyways.
Redbeaver 7th April 2010, 21:08
Quote:
Originally Posted by Tulatin
I would think it's fairly hard to program something that's bulletproof when there's incentive for millions of crackers out there to find holes in the cheese.

pretty much saying
Quote:
Originally Posted by eddtox
No surprise here. Just like Windows, the PDF standard is a victim of its own success. I do hope they fix this soon, though.

which I agree.

And in fact, it became too cumbersome for me to keep up with all these relatively minor exploits... that I'd rather find a more effective, manageable fixer-upper solution to deal with damage (if being done at all)
airchie 7th April 2010, 23:07
Kinda highlights the problem with bloatware and rapid development. :/
aussiebear 7th April 2010, 23:07
Quote:
Originally Posted by eddtox
No surprise here. Just like Windows, the PDF standard is a victim of its own success. I do hope they fix this soon, though.

It's nothing to do with popularity. => DO NOT fall for this trivial excuse created by marketing departments of corporations! They use it to deflect away blame and responsibility!

...Both suffer from the same issue: Poor design/implementation/default settings.

(1) Windows
Throughout Windows's lifetime, this has never changed. From 1985 to today...Allow-by-default. It has created several generations of computer users who have helped prop up the entire computer security industry! (The anti-virus market relies on you to keep being ignorant and gullible. Every competent hacker knows all AV solutions can be worked around.)

This situation is only corrected by applying Software Restriction Policy (Set SRP to Disallow in XP, Vista, or Win7) or AppLocker (Win7); Using Limited/Standard user; and changing computer usage habits...So do NOT buy Home Editions of ANY versions of Windows if given the choice! Always stick to Professional/Business versions! (As they have SRP, AppLocker, and Group Policy.)

Never use Administrator; unless you are installing/updating new or trusted apps/patches OR resolving a computer problem. Always use Limited/Standard User for day-to-day activities.

(2) PDF
This is another moronic (security poor) implementation from Adobe. The other is Flash...Why can we embed and execute code with these implementations?
Quote:
Originally Posted by Tulatin
I would think it's fairly hard to program something that's bulletproof when there's incentive for millions of crackers out there to find holes in the cheese.

It really depends on:

(1) How well the program is thought out.
=> Is it a half-baked, "on-the-go" hack job? Or did someone sit down with a piece of paper and take time to design the thing properly? (with fail-safe defaults as fall-back)...Because the former always results in the end-user suffering. (Endless patches.)

(2) How experienced the programmers are.
=> Very few programmers really know about the tools they use. Their mathematical background is weaker than building a house on sand. And more often than not, they use programming languages in a very dangerous way. (Too reliant on automated features, lacking in understanding of the actual functions they're calling and the consequences of using them in a certain way, etc.)

(3) How well the testing validation process is.
=> Does it meet the original goals? Apply "fuzzing" in the testing process to ensure robustness of application? What happens if I...?

(4) If clueless managers get involved.
=> There is ALWAYS some moron upstairs who insists on adding something that will cause the entire deck of cards to tumble. They are master manipulators of office politics; so it's guaranteed that whatever they want will be implemented at the protest of programmers or engineers. (It's the same type of douchebag that caused the Global Financial Crisis.)

The most problematic is, (as mentioned by feedayeen); feature creep. It is the reason why a good majority of the well known programs we've used throughout the years have turned into bloated cows of BS...This poor behaviour in application development started during the late 1990s and early 2000s.

There is no real reason for it; other than an avenue to maintain a profit stream.

If you ever write code; promise the world that you will keep it simple (single purpose) and only functioning as intended.
eddtox 7th April 2010, 23:37
Quote:
Originally Posted by aussiebear
/snip

While I agree with most of your points (especially feature creep) I do think that good security is difficult to implement for the tech-illiterate masses, without making the system virtually unusable to them.

As for pdf's, I didn't know they could contain executable code. Why?
javaman 7th April 2010, 23:43
Problem is no matter how super your code is someone will always find a weakness. It's almost smegs law now =/
glaeken 8th April 2010, 04:17
Another reason software has to be patched and is generally buggier than in the early to mid 90s and before, is that the sheer size of software has grown exponentially. Many software products have more lines of code than Windows does, preventing bugs/security flaws outright from every corner is near impossible. Also when a product has been around as long as Adobe Acrobat, many people have come and gone during its lifetime, leading to misunderstandings of why a certain section of code does what it does, and (combined with poor internal documentation) no one knows/remembers all the details for every part of the software.
CowBlazed 8th April 2010, 16:14
Stuff like this is why I keep UAC enabled on my Windows 7 machine, despite the annoyances. I've had PDF files randomly try and open when browsing and the all too familiar UAC warning allowed me to block it.
rmathur 9th April 2010, 01:41
No matter how big the company gets, they can't guarantee perfect software. Adobe has many big claims yet it can not correctly save a PDF document as a simple Word document - that's why you have to go to online sites who have OCRs - but that's also not perfect and that's why you have to go to online sites which can help you with manual corrections!