WARNING - PDF exploits - Adobe and Foxit [and others] readers

"MEB.peoplescounsel" wrote
in :

SNIP

http://www.adobetutorialz.com/articl...emoving-Acroba
t-Reader-505

You can or should be able to "disable" the *.ocx "helpers"
by going to
the folder and right clicking [IIRC].

Thanks very much.
Cheers.

"MEB.peoplescounsel" wrote
in :

SNIP

instead of DL'g, the "darn" PDF opens in the Opera browser

Had to change one of your words - didn't make it to MS
servers...

Did I offend the MaSters of the world by using the f word
instead of darn?
(...)
Just occurred to me that I can check...
(...)
ONE LETTER? Unbelievable.
Un-darn-believable.

"MEB.peoplescounsel" wrote
in :

SNIP

instead of DL'g, the "darn" PDF opens in the Opera browser

Had to change one of your words - didn't make it to MS
servers...

Did I offend the MaSters of the world by using the f word
instead of darn?
(...)
Just occurred to me that I can check...
(...)
ONE LETTER? Unbelievable.
Un-darn-believable.

On 04/04/2010 08:57 PM, Shenan Stanley wrote:
MEB wrote:
This particular style of exploit has been around for quite sometime
in various forms. I have previously to advise of this style of
attack.

Yet another party has posted the methodology and provided example
coding. Specially and EASILY crafted PDFs can be created to include
calls to external applications which are not blocked by JAVA or
other restrictions, yet can be run, forcing other unwanted
activities [such as opening IE or running commands] or exploiting
other vulnerabilities within other applications. This type of
exploit can be used in conjunction with other exploits, compounding
the potential malicious usage. These exploits can be modified to
work within any OS, though system restrictions and other security
may mitigate some of the potential exploits.

Adobe Reader and Foxit Reader are vulnerable to this style of
exploit, as may others. Foxit appears to be more exploitable than
Adobe to this particular issue.

Sumatra is apparently immune or doesn't support this type of
exploit, and others may be as well.

Metasploit and several other have provided other or additional
styles of this type of exploit.

REFERENCES/EXAMPLES:
http://blog.didierstevens.com/2010/0...cape-from-pdf/
take particular note of the comment section for indications of how
easy the coding and modifications are.

http://www.metasploit.com/

Dan wrote:
FoxitReader has a new update.

MEB wrote:
Does it supposedly deal with these issues?

You did not quote the issues you refer to in your response. I have put that
part back (above.)

I didn't because they were already removed.


You can easily check for yourself, as can anyone else. Foxit Software has a
security page he
http://www.foxitsoftware.com/pdf/reader/security.htm

Now that you can see the security page for Foxit Software and what patches
they have released and for what reasons those patches were released and the
referenced 'these issues' - do the updates deal with what you reported on
April 1, 2010?


Since you have returned the links to the materials, would you say or
advise that the issues have been fixed pursuant the original linked
materials and your link?

Apr. 2, 2010
"Authorization Bypass When Executing An Embedded Executable.
SUMMARY

Fixed a security issue that Foxit Reader runs an executable embedded
program inside a PDF automatically without asking for user’s permission.
AFFECTED SOFTWARE VERSION

Foxit Reader 3.2.0.0303."

Have you personally tested for these vulnerabilities [see for example,
the metasploit link] with/after the supposed fix/update?

I would opine that they may deal with SOME of those reported issues, I
would not go so far as to claim they were completely fixed when taken in
conjunction with other exploits/vulnerabilities or per indications of
other versions affected; or per other exploits using similar methods
[since there appeared to be several methods to achieve the results],
would you?

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---

On 04/04/2010 08:57 PM, Shenan Stanley wrote:
MEB wrote:
This particular style of exploit has been around for quite sometime
in various forms. I have previously to advise of this style of
attack.

Yet another party has posted the methodology and provided example
coding. Specially and EASILY crafted PDFs can be created to include
calls to external applications which are not blocked by JAVA or
other restrictions, yet can be run, forcing other unwanted
activities [such as opening IE or running commands] or exploiting
other vulnerabilities within other applications. This type of
exploit can be used in conjunction with other exploits, compounding
the potential malicious usage. These exploits can be modified to
work within any OS, though system restrictions and other security
may mitigate some of the potential exploits.

Adobe Reader and Foxit Reader are vulnerable to this style of
exploit, as may others. Foxit appears to be more exploitable than
Adobe to this particular issue.

Sumatra is apparently immune or doesn't support this type of
exploit, and others may be as well.

Metasploit and several other have provided other or additional
styles of this type of exploit.

REFERENCES/EXAMPLES:
http://blog.didierstevens.com/2010/0...cape-from-pdf/
take particular note of the comment section for indications of how
easy the coding and modifications are.

http://www.metasploit.com/

Dan wrote:
FoxitReader has a new update.

MEB wrote:
Does it supposedly deal with these issues?

You did not quote the issues you refer to in your response. I have put that
part back (above.)

I didn't because they were already removed.


You can easily check for yourself, as can anyone else. Foxit Software has a
security page he
http://www.foxitsoftware.com/pdf/reader/security.htm

Now that you can see the security page for Foxit Software and what patches
they have released and for what reasons those patches were released and the
referenced 'these issues' - do the updates deal with what you reported on
April 1, 2010?


Since you have returned the links to the materials, would you say or
advise that the issues have been fixed pursuant the original linked
materials and your link?

Apr. 2, 2010
"Authorization Bypass When Executing An Embedded Executable.
SUMMARY

Fixed a security issue that Foxit Reader runs an executable embedded
program inside a PDF automatically without asking for user’s permission.
AFFECTED SOFTWARE VERSION

Foxit Reader 3.2.0.0303."

Have you personally tested for these vulnerabilities [see for example,
the metasploit link] with/after the supposed fix/update?

I would opine that they may deal with SOME of those reported issues, I
would not go so far as to claim they were completely fixed when taken in
conjunction with other exploits/vulnerabilities or per indications of
other versions affected; or per other exploits using similar methods
[since there appeared to be several methods to achieve the results],
would you?

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---

From: "MEB"

| On 04/04/2010 08:57 PM, Shenan Stanley wrote:
MEB wrote:
This particular style of exploit has been around for quite sometime
in various forms. I have previously to advise of this style of
attack.

Yet another party has posted the methodology and provided example
coding. Specially and EASILY crafted PDFs can be created to include
calls to external applications which are not blocked by JAVA or
other restrictions, yet can be run, forcing other unwanted
activities [such as opening IE or running commands] or exploiting
other vulnerabilities within other applications. This type of
exploit can be used in conjunction with other exploits, compounding
the potential malicious usage. These exploits can be modified to
work within any OS, though system restrictions and other security
may mitigate some of the potential exploits.

Adobe Reader and Foxit Reader are vulnerable to this style of
exploit, as may others. Foxit appears to be more exploitable than
Adobe to this particular issue.

Sumatra is apparently immune or doesn't support this type of
exploit, and others may be as well.

Metasploit and several other have provided other or additional
styles of this type of exploit.

REFERENCES/EXAMPLES:
http://blog.didierstevens.com/2010/0...cape-from-pdf/
take particular note of the comment section for indications of how
easy the coding and modifications are.

http://www.metasploit.com/

Dan wrote:
FoxitReader has a new update.

MEB wrote:
Does it supposedly deal with these issues?

You did not quote the issues you refer to in your response. I have put that
part back (above.)

| I didn't because they were already removed.


You can easily check for yourself, as can anyone else. Foxit Software has a
security page he
http://www.foxitsoftware.com/pdf/reader/security.htm

Now that you can see the security page for Foxit Software and what patches
they have released and for what reasons those patches were released and the
referenced 'these issues' - do the updates deal with what you reported on
April 1, 2010?


| Since you have returned the links to the materials, would you say or
| advise that the issues have been fixed pursuant the original linked
| materials and your link?

| Apr. 2, 2010
| "Authorization Bypass When Executing An Embedded Executable.
| SUMMARY

| Fixed a security issue that Foxit Reader runs an executable embedded
| program inside a PDF automatically without asking for user’s permission.
| AFFECTED SOFTWARE VERSION

| Foxit Reader 3.2.0.0303."

| Have you personally tested for these vulnerabilities [see for example,
| the metasploit link] with/after the supposed fix/update?

| I would opine that they may deal with SOME of those reported issues, I
| would not go so far as to claim they were completely fixed when taken in
| conjunction with other exploits/vulnerabilities or per indications of
| other versions affected; or per other exploits using similar methods
| [since there appeared to be several methods to achieve the results],
| would you?

http://www.us-cert.gov/current/index...t_reader_3_2_1

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

From: "MEB"

| On 04/04/2010 08:57 PM, Shenan Stanley wrote:
MEB wrote:
This particular style of exploit has been around for quite sometime
in various forms. I have previously to advise of this style of
attack.

Yet another party has posted the methodology and provided example
coding. Specially and EASILY crafted PDFs can be created to include
calls to external applications which are not blocked by JAVA or
other restrictions, yet can be run, forcing other unwanted
activities [such as opening IE or running commands] or exploiting
other vulnerabilities within other applications. This type of
exploit can be used in conjunction with other exploits, compounding
the potential malicious usage. These exploits can be modified to
work within any OS, though system restrictions and other security
may mitigate some of the potential exploits.

Adobe Reader and Foxit Reader are vulnerable to this style of
exploit, as may others. Foxit appears to be more exploitable than
Adobe to this particular issue.

Sumatra is apparently immune or doesn't support this type of
exploit, and others may be as well.

Metasploit and several other have provided other or additional
styles of this type of exploit.

REFERENCES/EXAMPLES:
http://blog.didierstevens.com/2010/0...cape-from-pdf/
take particular note of the comment section for indications of how
easy the coding and modifications are.

http://www.metasploit.com/

Dan wrote:
FoxitReader has a new update.

MEB wrote:
Does it supposedly deal with these issues?

You did not quote the issues you refer to in your response. I have put that
part back (above.)

| I didn't because they were already removed.


You can easily check for yourself, as can anyone else. Foxit Software has a
security page he
http://www.foxitsoftware.com/pdf/reader/security.htm

Now that you can see the security page for Foxit Software and what patches
they have released and for what reasons those patches were released and the
referenced 'these issues' - do the updates deal with what you reported on
April 1, 2010?


| Since you have returned the links to the materials, would you say or
| advise that the issues have been fixed pursuant the original linked
| materials and your link?

| Apr. 2, 2010
| "Authorization Bypass When Executing An Embedded Executable.
| SUMMARY

| Fixed a security issue that Foxit Reader runs an executable embedded
| program inside a PDF automatically without asking for user’s permission.
| AFFECTED SOFTWARE VERSION

| Foxit Reader 3.2.0.0303."

| Have you personally tested for these vulnerabilities [see for example,
| the metasploit link] with/after the supposed fix/update?

| I would opine that they may deal with SOME of those reported issues, I
| would not go so far as to claim they were completely fixed when taken in
| conjunction with other exploits/vulnerabilities or per indications of
| other versions affected; or per other exploits using similar methods
| [since there appeared to be several methods to achieve the results],
| would you?

http://www.us-cert.gov/current/index...t_reader_3_2_1

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

On 04/05/2010 05:53 PM, David H. Lipman wrote:
From: "MEB"

| On 04/04/2010 08:57 PM, Shenan Stanley wrote:
MEB wrote:
This particular style of exploit has been around for quite sometime
in various forms. I have previously to advise of this style of
attack.

Yet another party has posted the methodology and provided example
coding. Specially and EASILY crafted PDFs can be created to include
calls to external applications which are not blocked by JAVA or
other restrictions, yet can be run, forcing other unwanted
activities [such as opening IE or running commands] or exploiting
other vulnerabilities within other applications. This type of
exploit can be used in conjunction with other exploits, compounding
the potential malicious usage. These exploits can be modified to
work within any OS, though system restrictions and other security
may mitigate some of the potential exploits.

Adobe Reader and Foxit Reader are vulnerable to this style of
exploit, as may others. Foxit appears to be more exploitable than
Adobe to this particular issue.

Sumatra is apparently immune or doesn't support this type of
exploit, and others may be as well.

Metasploit and several other have provided other or additional
styles of this type of exploit.

REFERENCES/EXAMPLES:
http://blog.didierstevens.com/2010/0...cape-from-pdf/
take particular note of the comment section for indications of how
easy the coding and modifications are.

http://www.metasploit.com/

Dan wrote:
FoxitReader has a new update.

MEB wrote:
Does it supposedly deal with these issues?

You did not quote the issues you refer to in your response. I have put that
part back (above.)

| I didn't because they were already removed.


You can easily check for yourself, as can anyone else. Foxit Software has a
security page he
http://www.foxitsoftware.com/pdf/reader/security.htm

Now that you can see the security page for Foxit Software and what patches
they have released and for what reasons those patches were released and the
referenced 'these issues' - do the updates deal with what you reported on
April 1, 2010?


| Since you have returned the links to the materials, would you say or
| advise that the issues have been fixed pursuant the original linked
| materials and your link?

| Apr. 2, 2010
| "Authorization Bypass When Executing An Embedded Executable.
| SUMMARY

| Fixed a security issue that Foxit Reader runs an executable embedded
| program inside a PDF automatically without asking for user�s permission.
| AFFECTED SOFTWARE VERSION

| Foxit Reader 3.2.0.0303."

| Have you personally tested for these vulnerabilities [see for example,
| the metasploit link] with/after the supposed fix/update?

| I would opine that they may deal with SOME of those reported issues, I
| would not go so far as to claim they were completely fixed when taken in
| conjunction with other exploits/vulnerabilities or per indications of
| other versions affected; or per other exploits using similar methods
| [since there appeared to be several methods to achieve the results],
| would you?

http://www.us-cert.gov/current/index...t_reader_3_2_1

"US-CERT encourages users and administrators to review the Foxit notice
regarding the release and upgrade to Foxit Reader 3.2.1.0401 to help
mitigate the risks."

I think the key word above is "help", perhaps I'm wrong.

Last weeks summary of vulnerabilities, in particular relating
Oracle/Sun JAVA and IE, seems to be a part of the total picture, add in
the OSs themselves and their vulnerabilities and we have a slightly
different total picture involved.

http://www.us-cert.gov/cas/bulletins/SB10-095.html

Oracle released an update:
http://www.oracle.com/technology/dep...pumar2010.html
"Due to the threat posed by a successful attack, Oracle strongly
recommends that customers apply CPU fixes as soon as possible. This
Critical Patch Update contains 27 new security fixes across all products."

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---

On 04/05/2010 05:53 PM, David H. Lipman wrote:
From: "MEB"

| On 04/04/2010 08:57 PM, Shenan Stanley wrote:
MEB wrote:
This particular style of exploit has been around for quite sometime
in various forms. I have previously to advise of this style of
attack.

Yet another party has posted the methodology and provided example
coding. Specially and EASILY crafted PDFs can be created to include
calls to external applications which are not blocked by JAVA or
other restrictions, yet can be run, forcing other unwanted
activities [such as opening IE or running commands] or exploiting
other vulnerabilities within other applications. This type of
exploit can be used in conjunction with other exploits, compounding
the potential malicious usage. These exploits can be modified to
work within any OS, though system restrictions and other security
may mitigate some of the potential exploits.

Adobe Reader and Foxit Reader are vulnerable to this style of
exploit, as may others. Foxit appears to be more exploitable than
Adobe to this particular issue.

Sumatra is apparently immune or doesn't support this type of
exploit, and others may be as well.

Metasploit and several other have provided other or additional
styles of this type of exploit.

REFERENCES/EXAMPLES:
http://blog.didierstevens.com/2010/0...cape-from-pdf/
take particular note of the comment section for indications of how
easy the coding and modifications are.

http://www.metasploit.com/

Dan wrote:
FoxitReader has a new update.

MEB wrote:
Does it supposedly deal with these issues?

You did not quote the issues you refer to in your response. I have put that
part back (above.)

| I didn't because they were already removed.


You can easily check for yourself, as can anyone else. Foxit Software has a
security page he
http://www.foxitsoftware.com/pdf/reader/security.htm

Now that you can see the security page for Foxit Software and what patches
they have released and for what reasons those patches were released and the
referenced 'these issues' - do the updates deal with what you reported on
April 1, 2010?


| Since you have returned the links to the materials, would you say or
| advise that the issues have been fixed pursuant the original linked
| materials and your link?

| Apr. 2, 2010
| "Authorization Bypass When Executing An Embedded Executable.
| SUMMARY

| Fixed a security issue that Foxit Reader runs an executable embedded
| program inside a PDF automatically without asking for user�s permission.
| AFFECTED SOFTWARE VERSION

| Foxit Reader 3.2.0.0303."

| Have you personally tested for these vulnerabilities [see for example,
| the metasploit link] with/after the supposed fix/update?

| I would opine that they may deal with SOME of those reported issues, I
| would not go so far as to claim they were completely fixed when taken in
| conjunction with other exploits/vulnerabilities or per indications of
| other versions affected; or per other exploits using similar methods
| [since there appeared to be several methods to achieve the results],
| would you?

http://www.us-cert.gov/current/index...t_reader_3_2_1

"US-CERT encourages users and administrators to review the Foxit notice
regarding the release and upgrade to Foxit Reader 3.2.1.0401 to help
mitigate the risks."

I think the key word above is "help", perhaps I'm wrong.

Last weeks summary of vulnerabilities, in particular relating
Oracle/Sun JAVA and IE, seems to be a part of the total picture, add in
the OSs themselves and their vulnerabilities and we have a slightly
different total picture involved.

http://www.us-cert.gov/cas/bulletins/SB10-095.html

Oracle released an update:
http://www.oracle.com/technology/dep...pumar2010.html
"Due to the threat posed by a successful attack, Oracle strongly
recommends that customers apply CPU fixes as soon as possible. This
Critical Patch Update contains 27 new security fixes across all products."

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---

"MEB" wrote:

On 04/05/2010 05:53 PM, David H. Lipman wrote:
From: "MEB"

| On 04/04/2010 08:57 PM, Shenan Stanley wrote:
MEB wrote:
This particular style of exploit has been around for quite sometime
in various forms. I have previously to advise of this style of
attack.

Yet another party has posted the methodology and provided example
coding. Specially and EASILY crafted PDFs can be created to include
calls to external applications which are not blocked by JAVA or
other restrictions, yet can be run, forcing other unwanted
activities [such as opening IE or running commands] or exploiting
other vulnerabilities within other applications. This type of
exploit can be used in conjunction with other exploits, compounding
the potential malicious usage. These exploits can be modified to
work within any OS, though system restrictions and other security
may mitigate some of the potential exploits.

Adobe Reader and Foxit Reader are vulnerable to this style of
exploit, as may others. Foxit appears to be more exploitable than
Adobe to this particular issue.

Sumatra is apparently immune or doesn't support this type of
exploit, and others may be as well.

Metasploit and several other have provided other or additional
styles of this type of exploit.

REFERENCES/EXAMPLES:
http://blog.didierstevens.com/2010/0...cape-from-pdf/
take particular note of the comment section for indications of how
easy the coding and modifications are.

http://www.metasploit.com/

Dan wrote:
FoxitReader has a new update.

MEB wrote:
Does it supposedly deal with these issues?

You did not quote the issues you refer to in your response. I have put that
part back (above.)

| I didn't because they were already removed.


You can easily check for yourself, as can anyone else. Foxit Software has a
security page he
http://www.foxitsoftware.com/pdf/reader/security.htm

Now that you can see the security page for Foxit Software and what patches
they have released and for what reasons those patches were released and the
referenced 'these issues' - do the updates deal with what you reported on
April 1, 2010?


| Since you have returned the links to the materials, would you say or
| advise that the issues have been fixed pursuant the original linked
| materials and your link?

| Apr. 2, 2010
| "Authorization Bypass When Executing An Embedded Executable.
| SUMMARY

| Fixed a security issue that Foxit Reader runs an executable embedded
| program inside a PDF automatically without asking for user�s permission.
| AFFECTED SOFTWARE VERSION

| Foxit Reader 3.2.0.0303."

| Have you personally tested for these vulnerabilities [see for example,
| the metasploit link] with/after the supposed fix/update?

| I would opine that they may deal with SOME of those reported issues, I
| would not go so far as to claim they were completely fixed when taken in
| conjunction with other exploits/vulnerabilities or per indications of
| other versions affected; or per other exploits using similar methods
| [since there appeared to be several methods to achieve the results],
| would you?

http://www.us-cert.gov/current/index...t_reader_3_2_1

"US-CERT encourages users and administrators to review the Foxit notice
regarding the release and upgrade to Foxit Reader 3.2.1.0401 to help
mitigate the risks."

I think the key word above is "help", perhaps I'm wrong.

Last weeks summary of vulnerabilities, in particular relating
Oracle/Sun JAVA and IE, seems to be a part of the total picture, add in
the OSs themselves and their vulnerabilities and we have a slightly
different total picture involved.

http://www.us-cert.gov/cas/bulletins/SB10-095.html

Oracle released an update:
http://www.oracle.com/technology/dep...pumar2010.html
"Due to the threat posed by a successful attack, Oracle strongly
recommends that customers apply CPU fixes as soon as possible. This
Critical Patch Update contains 27 new security fixes across all products."

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---
.


Meb, I have been researching this vulnerability and apparently the new
update to FoxitReader software allows their to be a warning box that will pop
up before this vulnerability is launched.

http://www.pcworld.com/businesscente...ab ility.html

"I've reported it to Foxit Software, and they told me they will issue a fix
this week. I don't know what the fix will be, but I assume it will be a
warning message, to be in line with the other PDF readers," Stevens said via
e-mail. (from the article)

http://forums.foxitsoftware.com/showthread.php?t=18044

http://www.kb.cert.org/vuls/id/570177

"This issue is addressed in Foxit Reader 3.2.1.0401. This update will cause
Foxit Reader to prompt the user before using a Launch Action." (From US-Cert)

It appears that the makers of Foxit Reader are much more concerned about the
user's safety and security than the makers of Adobe Reader.