#21
WARNING - PDF exploits - Adobe and Foxit [and others] readers
"MEB" wrote:
On 04/05/2010 05:53 PM, David H. Lipman wrote:

From: "MEB"

| On 04/04/2010 08:57 PM, Shenan Stanley wrote:

MEB wrote:

This particular style of exploit has been around for quite some time in various forms. I have previously to advise of this style of attack.

Yet another party has posted the methodology and provided example coding.

Specially and EASILY crafted PDFs can be created to include calls to external applications which are not blocked by JAVA or other restrictions, yet can be run, forcing other unwanted activities [such as opening IE or running commands] or exploiting other vulnerabilities within other applications. This type of exploit can be used in conjunction with other exploits, compounding the potential malicious usage. These exploits can be modified to work within any OS, though system restrictions and other security may mitigate some of the potential exploits.

Adobe Reader and Foxit Reader are vulnerable to this style of exploit, as may others. Foxit appears to be more exploitable than Adobe to this particular issue.

Sumatra is apparently immune or doesn't support this type of exploit, and others may be as well.

Metasploit and several others have provided other or additional styles of this type of exploit.

REFERENCES/EXAMPLES:
http://blog.didierstevens.com/2010/0...cape-from-pdf/
take particular note of the comment section for indications of how easy the coding and modifications are.
http://www.metasploit.com/

Dan wrote:

FoxitReader has a new update.

MEB wrote:

Does it supposedly deal with these issues?

You did not quote the issues you refer to in your response. I have put that part back (above.)

| I didn't because they were already removed. You can easily check for yourself, as can anyone else.

Foxit Software has a security page here:
http://www.foxitsoftware.com/pdf/reader/security.htm

Now that you can see the security page for Foxit Software and what patches they have released and for what reasons those patches were released and the referenced 'these issues' - do the updates deal with what you reported on April 1, 2010?

| Since you have returned the links to the materials, would you say or
| advise that the issues have been fixed pursuant the original linked
| materials and your link?
| Apr. 2, 2010
| "Authorization Bypass When Executing An Embedded Executable.
| SUMMARY
| Fixed a security issue that Foxit Reader runs an executable embedded
| program inside a PDF automatically without asking for user's permission.
| AFFECTED SOFTWARE VERSION
| Foxit Reader 3.2.0.0303."
| Have you personally tested for these vulnerabilities [see for example,
| the metasploit link] with/after the supposed fix/update?
| I would opine that they may deal with SOME of those reported issues, I
| would not go so far as to claim they were completely fixed when taken in
| conjunction with other exploits/vulnerabilities or per indications of
| other versions affected; or per other exploits using similar methods
| [since there appeared to be several methods to achieve the results],
| would you?

http://www.us-cert.gov/current/index...t_reader_3_2_1
"US-CERT encourages users and administrators to review the Foxit notice regarding the release and upgrade to Foxit Reader 3.2.1.0401 to help mitigate the risks."

I think the key word above is "help", perhaps I'm wrong.

Last week's summary of vulnerabilities, in particular relating Oracle/Sun JAVA and IE, seems to be a part of the total picture, add in the OSs themselves and their vulnerabilities and we have a slightly different total picture involved.

http://www.us-cert.gov/cas/bulletins/SB10-095.html

Oracle released an update:
http://www.oracle.com/technology/dep...pumar2010.html
"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 27 new security fixes across all products."

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---

Meb, I have been researching this vulnerability and apparently the new update to FoxitReader software allows there to be a warning box that will pop up before this vulnerability is launched.

http://www.pcworld.com/businesscente...ability.html
"I've reported it to Foxit Software, and they told me they will issue a fix this week. I don't know what the fix will be, but I assume it will be a warning message, to be in line with the other PDF readers," Stevens said via e-mail. (from the article)

http://forums.foxitsoftware.com/showthread.php?t=18044

http://www.kb.cert.org/vuls/id/570177
"This issue is addressed in Foxit Reader 3.2.1.0401. This update will cause Foxit Reader to prompt the user before using a Launch Action." (From US-Cert)

It appears that the makers of Foxit Reader are much more concerned about the user's safety and security than the makers of Adobe Reader.
#22
WARNING - PDF exploits - Adobe and Foxit [and others] readers
On 04/06/2010 02:18 AM, Dan wrote:
"MEB" wrote:

On 04/05/2010 05:53 PM, David H. Lipman wrote:

From: "MEB"

| On 04/04/2010 08:57 PM, Shenan Stanley wrote:

MEB wrote:

This particular style of exploit has been around for quite some time in various forms. I have previously to advise of this style of attack.

Yet another party has posted the methodology and provided example coding.

Specially and EASILY crafted PDFs can be created to include calls to external applications which are not blocked by JAVA or other restrictions, yet can be run, forcing other unwanted activities [such as opening IE or running commands] or exploiting other vulnerabilities within other applications. This type of exploit can be used in conjunction with other exploits, compounding the potential malicious usage. These exploits can be modified to work within any OS, though system restrictions and other security may mitigate some of the potential exploits.

Adobe Reader and Foxit Reader are vulnerable to this style of exploit, as may others. Foxit appears to be more exploitable than Adobe to this particular issue.

Sumatra is apparently immune or doesn't support this type of exploit, and others may be as well.

Metasploit and several others have provided other or additional styles of this type of exploit.

REFERENCES/EXAMPLES:
http://blog.didierstevens.com/2010/0...cape-from-pdf/
take particular note of the comment section for indications of how easy the coding and modifications are.
http://www.metasploit.com/

Dan wrote:

FoxitReader has a new update.

MEB wrote:

Does it supposedly deal with these issues?

You did not quote the issues you refer to in your response. I have put that part back (above.)

| I didn't because they were already removed. You can easily check for yourself, as can anyone else.

Foxit Software has a security page here:
http://www.foxitsoftware.com/pdf/reader/security.htm

Now that you can see the security page for Foxit Software and what patches they have released and for what reasons those patches were released and the referenced 'these issues' - do the updates deal with what you reported on April 1, 2010?

| Since you have returned the links to the materials, would you say or
| advise that the issues have been fixed pursuant the original linked
| materials and your link?
| Apr. 2, 2010
| "Authorization Bypass When Executing An Embedded Executable.
| SUMMARY
| Fixed a security issue that Foxit Reader runs an executable embedded
| program inside a PDF automatically without asking for user's permission.
| AFFECTED SOFTWARE VERSION
| Foxit Reader 3.2.0.0303."
| Have you personally tested for these vulnerabilities [see for example,
| the metasploit link] with/after the supposed fix/update?
| I would opine that they may deal with SOME of those reported issues, I
| would not go so far as to claim they were completely fixed when taken in
| conjunction with other exploits/vulnerabilities or per indications of
| other versions affected; or per other exploits using similar methods
| [since there appeared to be several methods to achieve the results],
| would you?

http://www.us-cert.gov/current/index...t_reader_3_2_1
"US-CERT encourages users and administrators to review the Foxit notice regarding the release and upgrade to Foxit Reader 3.2.1.0401 to help mitigate the risks."

I think the key word above is "help", perhaps I'm wrong.

Last week's summary of vulnerabilities, in particular relating Oracle/Sun JAVA and IE, seems to be a part of the total picture, add in the OSs themselves and their vulnerabilities and we have a slightly different total picture involved.

http://www.us-cert.gov/cas/bulletins/SB10-095.html

Oracle released an update:
http://www.oracle.com/technology/dep...pumar2010.html
"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 27 new security fixes across all products."

--
MEB

Meb, I have been researching this vulnerability and apparently the new update to FoxitReader software allows there to be a warning box that will pop up before this vulnerability is launched.

http://www.pcworld.com/businesscente...ability.html
"I've reported it to Foxit Software, and they told me they will issue a fix this week. I don't know what the fix will be, but I assume it will be a warning message, to be in line with the other PDF readers," Stevens said via e-mail. (from the article)

http://forums.foxitsoftware.com/showthread.php?t=18044

http://www.kb.cert.org/vuls/id/570177
"This issue is addressed in Foxit Reader 3.2.1.0401. This update will cause Foxit Reader to prompt the user before using a Launch Action." (From US-Cert)

It appears that the makers of Foxit Reader are much more concerned about the user's safety and security than the makers of Adobe Reader.

Again, though I applaud the efforts [call me overly cautious], I still wouldn't go so far as to say the issues have been absolutely fixed when one of the abilities/malicious activities is to "suppress" the pop-up box, hence the warning never appears or is not seen, we have also seen methods elsewhere for "auto" click/authorizations involved; so I'll continue to reserve "it's fixed" until real world proven.

As for Adobe, since that is basically its own "operating environment", these issues will apparently be more difficult to address as they are supposedly a "feature".

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---
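Added example, not part of the original thread or of any poster's message: a small Python triage scanner for the PDF features discussed above (Launch Actions, automatic actions, JavaScript, embedded files). It counts the relevant PDF name objects and decodes `#xx`-escaped names so that a disguised `/Launch` is still counted. The function names, the verdict policy and the sample documents are assumptions constructed for illustration.

```python
import re

# PDF name objects relevant to the behaviour discussed in this thread.
RISKY_NAMES = ("Launch", "OpenAction", "AA", "JavaScript", "JS", "EmbeddedFile")

# A PDF name is "/" followed by regular characters; "#xx" is a hex escape,
# so "/L#61unch" and "/Launch" are the same name to a reader.
NAME_RE = re.compile(rb"/((?:#[0-9A-Fa-f]{2}|[^\x00\t\n\x0c\r ()<>\[\]{}/%#])+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Resolve #xx escapes in a raw PDF name."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Count risky names in raw PDF bytes and note which ones were hex-escaped.

    Limitation: names stored inside compressed object streams are not visible
    to a raw byte scan; a full parser is needed for those.
    """
    counts = {name: 0 for name in RISKY_NAMES}
    obfuscated = set()
    for match in NAME_RE.finditer(data):
        raw = match.group(1)
        name = decode_name(raw)
        if name in counts:
            counts[name] += 1
            if b"#" in raw:
                obfuscated.add(name)
    return {"counts": counts, "obfuscated": sorted(obfuscated)}


def verdict(report: dict) -> str:
    """Hypothetical mail-gateway policy: block, review or allow."""
    c = report["counts"]
    if c["Launch"]:
        return "block"    # a Launch Action can start an external program
    if report["obfuscated"]:
        return "review"   # legitimate producers rarely escape these names
    if (c["OpenAction"] or c["AA"]) and (c["JavaScript"] or c["JS"]):
        return "review"   # script that runs without a click
    return "allow"


# Constructed sample documents (fragments, enough for a name scan).
CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
LAUNCH = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
          b"3 0 obj\n<< /Type /Action /S /Launch >>\nendobj\n%%EOF\n")
OBFUSCATED = LAUNCH.replace(b"/Launch", b"/L#61unch")
JS_AUTO = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog "
           b"/OpenAction << /S /JavaScript /JS 4 0 R >> >>\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("launch", LAUNCH),
                       ("obfuscated", OBFUSCATED), ("js-auto", JS_AUTO)):
        report = scan_pdf(doc)
        print(label, verdict(report), report)
```

A check like this runs before the reader ever opens the file, so it does not depend on the warning dialog being shown.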
#24
UPDATE Adobe - WARNING - PDF exploits - Adobe and Foxit [and others] readers
On 04/01/2010 12:26 PM, MEB wrote:
This particular style of exploit has been around for quite some time in various forms. I have previously to advise of this style of attack.

Yet another party has posted the methodology and provided example coding.

Specially and EASILY crafted PDFs can be created to include calls to external applications which are not blocked by JAVA or other restrictions, yet can be run, forcing other unwanted activities [such as opening IE or running commands] or exploiting other vulnerabilities within other applications. This type of exploit can be used in conjunction with other exploits, compounding the potential malicious usage. These exploits can be modified to work within any OS, though system restrictions and other security may mitigate some of the potential exploits.

Adobe Reader and Foxit Reader are vulnerable to this style of exploit, as may others. Foxit appears to be more exploitable than Adobe to this particular issue.

Sumatra is apparently immune or doesn't support this type of exploit, and others may be as well.

Metasploit and several others have provided other or additional styles of this type of exploit.

REFERENCES/EXAMPLES:
http://blog.didierstevens.com/2010/0...cape-from-pdf/
take particular note of the comment section for indications of how easy the coding and modifications are.
http://www.metasploit.com/

See other parts of this thread for information on FoxIt Reader updates.

US-CERT Technical Cyber Security Alert TA10-103C -- Adobe Reader and Acrobat Vulnerabilities

National Cyber Alert System
Technical Cyber Security Alert TA10-103C

Adobe Reader and Acrobat Vulnerabilities

Original release date: April 13, 2010
Last revised: --
Source: US-CERT

Systems Affected

* Adobe Reader 9.3.1 and earlier 9.x versions
* Adobe Reader 8.2.1 and earlier versions
* Adobe Acrobat 9.3.1 and earlier 9.x versions
* Adobe Acrobat 8.2.1 and earlier versions

Overview

Adobe has released Security Bulletin APSB10-09, which describes multiple vulnerabilities affecting Adobe Reader and Acrobat.

I. Description

Adobe Security Bulletin APSB10-09 describes a number of vulnerabilities affecting Adobe Reader and Acrobat. These vulnerabilities affect Reader and Acrobat 9.3.1 and earlier 9.x versions, and 8.2.1 and earlier versions.

An attacker could exploit these vulnerabilities by convincing a user to open a specially crafted PDF file. The Adobe Reader browser plug-in is available for multiple web browsers and operating systems, which can automatically open PDF documents hosted on a website.

II. Impact

These vulnerabilities could allow a remote attacker to execute arbitrary code, write arbitrary files or folders to the file system, escalate local privileges, or cause a denial of service on an affected system as the result of a user opening a malicious PDF document.

III. Solution

Update

Adobe has released updates to address this issue. Users are encouraged to read Adobe Security Bulletin APSB10-09 and update vulnerable versions of Adobe Reader and Acrobat.

Adobe does not offer standalone installers of Reader or Acrobat versions 9.3.2 or 8.2.2. For a fresh installation, first install Adobe Reader 9.3.0 or 8.2.0 and then use the automatic update feature or install the appropriate update referenced in APSB10-09.

Disable JavaScript in Adobe Reader and Acrobat

Disabling JavaScript may prevent some exploits from resulting in code execution. Acrobat JavaScript can be disabled using the Preferences menu (Edit - Preferences - JavaScript; uncheck Enable Acrobat JavaScript).

Adobe provides a framework to blacklist specific JavaScript APIs. If JavaScript must be enabled, this feature may be useful when specific APIs are known to be vulnerable or used in attacks.

Prevent Internet Explorer from automatically opening PDF documents

The installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to a safer option that prompts the user by importing the following as a .REG file:

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\AcroExch.Document.7]
    "EditFlags"=hex:00,00,00,00

Disable the display of PDF documents in the web browser

Preventing PDF documents from opening inside a web browser will partially mitigate this vulnerability. If this workaround is applied, it may also mitigate future vulnerabilities.

To prevent PDF documents from automatically being opened in a web browser, do the following:

1. Open Adobe Acrobat Reader.
2. Open the Edit menu.
3. Choose the Preferences option.
4. Choose the Internet section.
5. Uncheck the "Display PDF in browser" checkbox.

Do not access PDF documents from untrusted sources

Do not open unfamiliar or unexpected PDF documents, particularly those hosted on websites or delivered as email attachments. Please see Cyber Security Tip ST04-010.

IV. References

* Security update available for Adobe Reader and Acrobat - http://www.adobe.com/support/security/bulletins/apsb10-09.html
* Upcoming Adobe Reader and Acrobat 9.3.2 and 8.2.2 to be Delivered by New Updater - http://blogs.adobe.com/adobereader/2010/04/upcoming_adobe_reader_and_acro.html
* Adobe Reader and Acrobat JavaScript Blacklist Framework - http://kb2.adobe.com/cps/504/cpsid_50431.html

The most recent version of this document can be found at: http://www.us-cert.gov/cas/techalerts/TA10-103C.html

Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA10-103C Feedback VU#352598" in the subject.

For instructions on subscribing to or unsubscribing from this mailing list, visit http://www.us-cert.gov/cas/signup.html.

Produced 2010 by US-CERT, a government organization.

Terms of use: http://www.us-cert.gov/legal.html

Revision History

April 13, 2010: Initial release

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---
#25
WARNING - PDF exploits - Adobe and Foxit [and others] readers
From: "MEB"
| This particular style of exploit has been around for quite some time in
| various forms. I have previously to advise of this style of attack.
| Yet another party has posted the methodology and provided example coding.
| Specially and EASILY crafted PDFs can be created to include calls to
| external applications which are not blocked by JAVA or other
| restrictions, yet can be run, forcing other unwanted activities [such as
| opening IE or running commands] or exploiting other vulnerabilities
| within other applications. This type of exploit can be used in
| conjunction with other exploits, compounding the potential malicious
| usage. These exploits can be modified to work within any OS, though
| system restrictions and other security may mitigate some of the
| potential exploits.
| Adobe Reader and Foxit Reader are vulnerable to this style of exploit,
| as may others. Foxit appears to be more exploitable than Adobe to this
| particular issue.
| Sumatra is apparently immune or doesn't support this type of exploit,
| and others may be as well.
| Metasploit and several others have provided other or additional styles
| of this type of exploit.
| REFERENCES/EXAMPLES:
| http://blog.didierstevens.com/2010/0...cape-from-pdf/
| take particular note of the comment section for indications of how easy
| the coding and modifications are.
| http://www.metasploit.com/

Adobe Acrobat and Reader updates to bring the software to v9.3.2 have been released.

ftp://ftp.adobe.com/pub

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp