A Windows 98 & ME forum. Win98banter


WARNING - PDF exploits - Adobe and Foxit [and others] readers



 
 
  #1  
Old April 1st 10, 05:26 PM posted to microsoft.public.win98.gen_discussion,microsoft.public.security.homeusers
MEB[_17_]
External Usenet User
 
Posts: 1,830
Default WARNING - PDF exploits - Adobe and Foxit [and others] readers


This particular style of exploit has been around for quite some time in
various forms. I have previously advised of this style of attack.
Yet another party has posted the methodology and provided example coding.
Specially and EASILY crafted PDFs can be created to include calls to
external applications which are not blocked by JAVA or other
restrictions, yet can be run, forcing other unwanted activities [such as
opening IE or running commands] or exploiting other vulnerabilities
within other applications. This type of exploit can be used in
conjunction with other exploits, compounding the potential malicious
usage. These exploits can be modified to work within any OS, though
system restrictions and other security may mitigate some of the
potential exploits.

Adobe Reader and Foxit Reader are vulnerable to this style of exploit,
as may others. Foxit appears to be more exploitable than Adobe to this
particular issue.

Sumatra is apparently immune or doesn't support this type of exploit,
and others may be as well.

Metasploit and several others have provided other or additional styles
of this type of exploit.

REFERENCES/EXAMPLES:

http://blog.didierstevens.com/2010/0...cape-from-pdf/
take particular note of the comment section for indications of how easy
the coding and modifications are.

http://www.metasploit.com/

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---
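
Added example, not part of the original post or of any tool it references: a small Python triage check for the kind of PDF described above. It assumes the "calls to external applications" are the PDF specification's Launch action, which the post does not name; the function names and sample bytes are constructed for illustration.

```python
import re

# A PDF name starts with "/" and runs until whitespace or a delimiter.
_NAME = re.compile(rb"/([^\s\x00/<>\[\]()%{}]+)")
# Any character of a name may be written as #XX, so /L#61unch is /Launch.
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")

# Assumption: the feature in question is the Launch action. OpenAction and
# AA are the triggers that fire an action without a click.
WATCHED = ("Launch", "OpenAction", "AA")


def decode_name(raw: bytes) -> str:
    """Undo #XX escapes so obfuscated spellings compare equal."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def count_names(data: bytes) -> dict:
    """Count watched names in the raw file bytes.

    Limits: names inside compressed object streams are not seen, and a name
    that only appears inside a text string is still counted.
    """
    counts = dict.fromkeys(WATCHED, 0)
    for match in _NAME.finditer(data):
        name = decode_name(match.group(1))
        if name in counts:
            counts[name] += 1
    return counts


def verdict(data: bytes) -> str:
    counts = count_names(data)
    if counts["Launch"] and (counts["OpenAction"] or counts["AA"]):
        return "block"   # starts a program as soon as the file is opened
    if counts["Launch"]:
        return "review"  # program start tied to a user action such as a link
    return "pass"


# Constructed fragments for the example, not complete PDF files.
SAMPLE_AUTO = (b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj "
               b"2 0 obj << /Type /Action /S /L#61unch /F (placeholder) >> endobj")
SAMPLE_PLAIN = b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj"

if __name__ == "__main__":
    for label, blob in (("auto", SAMPLE_AUTO), ("plain", SAMPLE_PLAIN)):
        print(label, verdict(blob), count_names(blob))
```

A "pass" here only means no watched name was found in the uncompressed bytes; it is a mail-gateway or download-folder triage step, not a substitute for patching the reader.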
  #2  
Old April 1st 10, 11:16 PM posted to microsoft.public.win98.gen_discussion,microsoft.public.security.homeusers
thanatoid
External Usenet User
 
Posts: 2,299
Default WARNING - PDF exploits - Adobe and Foxit [and others] readers

MEB wrote:

SNIP

Thanks for the info.

I have never gotten around to removing AR 5 from my machine,
even though I use the Fox reader for everything. Occasionally,
on stupid sites which give you no choice, instead of DL'g, the
damn PDF opens in the Opera browser windows using AR, not Fox. I
would like NOTHING to ever open, and "hack the DL" if I have to.
Do you know where the setting might be to remove the AR opening
automatically?

I suppose I could just remove AR, but then Opera would
probably find Fox and default to that, which is no good either.

I hope you can make sense of what I just wrote.

Thanks.
t.
  #3  
Old April 3rd 10, 09:51 PM posted to microsoft.public.win98.gen_discussion,microsoft.public.security.homeusers
Dan
External Usenet User
 
Posts: 1,089
Default WARNING - PDF exploits - Adobe and Foxit [and others] readers

FoxitReader has a new update.
  #5  
Old April 5th 10, 01:29 AM posted to microsoft.public.win98.gen_discussion,microsoft.public.security.homeusers
MEB[_17_]
External Usenet User
 
Posts: 1,830
Default WARNING - PDF exploits - Adobe and Foxit [and others] readers

On 04/03/2010 04:51 PM, Dan wrote:
> FoxitReader has a new update.


Does it supposedly deal with these issues?


--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---
  #7  
Old April 5th 10, 01:57 AM posted to microsoft.public.win98.gen_discussion,microsoft.public.security.homeusers
Shenan Stanley
External Usenet User
 
Posts: 6
Default WARNING - PDF exploits - Adobe and Foxit [and others] readers

MEB wrote:
> This particular style of exploit has been around for quite some time
> in various forms. I have previously advised of this style of
> attack.
>
> Yet another party has posted the methodology and provided example
> coding. Specially and EASILY crafted PDFs can be created to include
> calls to external applications which are not blocked by JAVA or
> other restrictions, yet can be run, forcing other unwanted
> activities [such as opening IE or running commands] or exploiting
> other vulnerabilities within other applications. This type of
> exploit can be used in conjunction with other exploits, compounding
> the potential malicious usage. These exploits can be modified to
> work within any OS, though system restrictions and other security
> may mitigate some of the potential exploits.
>
> Adobe Reader and Foxit Reader are vulnerable to this style of
> exploit, as may others. Foxit appears to be more exploitable than
> Adobe to this particular issue.
>
> Sumatra is apparently immune or doesn't support this type of
> exploit, and others may be as well.
>
> Metasploit and several others have provided other or additional
> styles of this type of exploit.
>
> REFERENCES/EXAMPLES:
> http://blog.didierstevens.com/2010/0...cape-from-pdf/
> take particular note of the comment section for indications of how
> easy the coding and modifications are.
>
> http://www.metasploit.com/

Dan wrote:
> FoxitReader has a new update.

MEB wrote:
> Does it supposedly deal with these issues?


You did not quote the issues you refer to in your response. I have put that
part back (above.)

You can easily check for yourself, as can anyone else. Foxit Software has a
security page here:
http://www.foxitsoftware.com/pdf/reader/security.htm

Now that you can see the security page for Foxit Software and what patches
they have released and for what reasons those patches were released and the
referenced 'these issues' - do the updates deal with what you reported on
April 1, 2010?

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html


  #9  
Old April 5th 10, 02:45 AM posted to microsoft.public.win98.gen_discussion,microsoft.public.security.homeusers
MEB.peoplescounsel
External Usenet User
 
Posts: 48
Default WARNING - PDF exploits - Adobe and Foxit [and others] readers

On 04/01/2010 06:16 PM, thanatoid wrote:
> MEB wrote:
>
> SNIP
>
> Thanks for the info.
>
> I have never gotten around to removing AR 5 from my machine,
> even though I use the Fox reader for everything. Occasionally,
> on stupid sites which give you no choice, instead of DL'g, the
> "darn" PDF opens in the Opera browser windows using AR, not Fox. I
> would like NOTHING to ever open, and "hack the DL" if I have to.
> Do you know where the setting might be to remove the AR opening
> automatically?
>
> I suppose I could just remove AR, but then Opera would
> probably find Fox and default to that, which is no good either.
>
> I hope you can make sense of what I just wrote.
>
> Thanks.
> t.


Had to change one of your words - didn't make it to MS servers...

Hmm, not sure for AR5 but AR6 is/was [or was this just for developers
editions?]:

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\6.0\Originals]

"bBrowserIntegration"=dword:00000000


However that would leave some files that MAY still cause issues. How
about this/these [note they refer to XP removals but you should be able
to figure out the 9X folders being referenced, OR just do a "find" for
the file names]:

http://www.instant-registry-fixes.or...dobe-products/
Note the *.ocx files [ActiveX controls] and the dlls...

http://www.ehow.com/how_4925573_remo...be-reader.html

http://www.adobetutorialz.com/articl...bat-Reader-505

You can or should be able to "disable" the *.ocx "helpers" by going to
the folder and right clicking [IIRC].

--
MEB
http://peoplescounsel.org
  #10  
Old April 5th 10, 02:54 AM posted to microsoft.public.win98.gen_discussion,microsoft.public.security.homeusers
thanatoid
External Usenet User
 
Posts: 2,299
Default WARNING - PDF exploits - Adobe and Foxit [and others] readers

"MEB.peoplescounsel" wrote:

SNIP

> http://www.adobetutorialz.com/articl...emoving-Acrobat-Reader-505
>
> You can or should be able to "disable" the *.ocx "helpers" by going to
> the folder and right clicking [IIRC].


Thanks very much.
Cheers.

 



