If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
|
Thread Tools | Display Modes |
|
#1
|
|||
|
|||
WARNING - PDF exploits - Adobe and Foxit [and others] readers
This particular style of exploit has been around for quite sometime in various forms. I have previously to advise of this style of attack. Yet another party has posted the methodology and provided example coding. Specially and EASILY crafted PDFs can be created to include calls to external applications which are not blocked by JAVA or other restrictions, yet can be run, forcing other unwanted activities [such as opening IE or running commands] or exploiting other vulnerabilities within other applications. This type of exploit can be used in conjunction with other exploits, compounding the potential malicious usage. These exploits can be modified to work within any OS, though system restrictions and other security may mitigate some of the potential exploits. Adobe Reader and Foxit Reader are vulnerable to this style of exploit, as may others. Foxit appears to be more exploitable than Adobe to this particular issue. Sumatra is apparently immune or doesn't support this type of exploit, and others may be as well. Metasploit and several other have provided other or additional styles of this type of exploit. REFERENCES/EXAMPLES: http://blog.didierstevens.com/2010/0...cape-from-pdf/ take particular note of the comment section for indications of how easy the coding and modifications are. http://www.metasploit.com/ -- MEB http://peoplescounsel.org/ref/windows-main.htm Windows Info, Diagnostics, Security, Networking http://peoplescounsel.org The "real world" of Law, Justice, and Government ___--- |
#2
|
|||
|
|||
WARNING - PDF exploits - Adobe and Foxit [and others] readers
FoxitReader has a new update.
|
#3
|
|||
|
|||
WARNING - PDF exploits - Adobe and Foxit [and others] readers
On 04/03/2010 04:51 PM, Dan wrote:
FoxitReader has a new update. Does it supposedly deal with these issues? -- MEB http://peoplescounsel.org/ref/windows-main.htm Windows Info, Diagnostics, Security, Networking http://peoplescounsel.org The "real world" of Law, Justice, and Government ___--- |
#4
|
|||
|
|||
WARNING - PDF exploits - Adobe and Foxit [and others] readers
MEB wrote:
This particular style of exploit has been around for quite sometime in various forms. I have previously to advise of this style of attack. Yet another party has posted the methodology and provided example coding. Specially and EASILY crafted PDFs can be created to include calls to external applications which are not blocked by JAVA or other restrictions, yet can be run, forcing other unwanted activities [such as opening IE or running commands] or exploiting other vulnerabilities within other applications. This type of exploit can be used in conjunction with other exploits, compounding the potential malicious usage. These exploits can be modified to work within any OS, though system restrictions and other security may mitigate some of the potential exploits. Adobe Reader and Foxit Reader are vulnerable to this style of exploit, as may others. Foxit appears to be more exploitable than Adobe to this particular issue. Sumatra is apparently immune or doesn't support this type of exploit, and others may be as well. Metasploit and several other have provided other or additional styles of this type of exploit. REFERENCES/EXAMPLES: http://blog.didierstevens.com/2010/0...cape-from-pdf/ take particular note of the comment section for indications of how easy the coding and modifications are. http://www.metasploit.com/ Dan wrote: FoxitReader has a new update. MEB wrote: Does it supposedly deal with these issues? You did not quote the issues you refer to in your response. I have put that part back (above.) You can easily check for yourself, as can anyone else. Foxit Software has a security page he http://www.foxitsoftware.com/pdf/reader/security.htm Now that you can see the security page for Foxit Software and what patches they have released and for what reasons those patches were released and the referenced 'these issues' - do the updates deal with what you reported on April 1, 2010? -- Shenan Stanley MS-MVP -- How To Ask Questions The Smart Way http://www.catb.org/~esr/faqs/smart-questions.html |
#5
|
|||
|
|||
WARNING - PDF exploits - Adobe and Foxit [and others] readers
On 04/04/2010 08:57 PM, Shenan Stanley wrote:
MEB wrote: This particular style of exploit has been around for quite sometime in various forms. I have previously to advise of this style of attack. Yet another party has posted the methodology and provided example coding. Specially and EASILY crafted PDFs can be created to include calls to external applications which are not blocked by JAVA or other restrictions, yet can be run, forcing other unwanted activities [such as opening IE or running commands] or exploiting other vulnerabilities within other applications. This type of exploit can be used in conjunction with other exploits, compounding the potential malicious usage. These exploits can be modified to work within any OS, though system restrictions and other security may mitigate some of the potential exploits. Adobe Reader and Foxit Reader are vulnerable to this style of exploit, as may others. Foxit appears to be more exploitable than Adobe to this particular issue. Sumatra is apparently immune or doesn't support this type of exploit, and others may be as well. Metasploit and several other have provided other or additional styles of this type of exploit. REFERENCES/EXAMPLES: http://blog.didierstevens.com/2010/0...cape-from-pdf/ take particular note of the comment section for indications of how easy the coding and modifications are. http://www.metasploit.com/ Dan wrote: FoxitReader has a new update. MEB wrote: Does it supposedly deal with these issues? You did not quote the issues you refer to in your response. I have put that part back (above.) I didn't because they were already removed. You can easily check for yourself, as can anyone else. Foxit Software has a security page he http://www.foxitsoftware.com/pdf/reader/security.htm Now that you can see the security page for Foxit Software and what patches they have released and for what reasons those patches were released and the referenced 'these issues' - do the updates deal with what you reported on April 1, 2010? Since you have returned the links to the materials, would you say or advise that the issues have been fixed pursuant the original linked materials and your link? Apr. 2, 2010 "Authorization Bypass When Executing An Embedded Executable. SUMMARY Fixed a security issue that Foxit Reader runs an executable embedded program inside a PDF automatically without asking for user’s permission. AFFECTED SOFTWARE VERSION Foxit Reader 3.2.0.0303." Have you personally tested for these vulnerabilities [see for example, the metasploit link] with/after the supposed fix/update? I would opine that they may deal with SOME of those reported issues, I would not go so far as to claim they were completely fixed when taken in conjunction with other exploits/vulnerabilities or per indications of other versions affected; or per other exploits using similar methods [since there appeared to be several methods to achieve the results], would you? -- MEB http://peoplescounsel.org/ref/windows-main.htm Windows Info, Diagnostics, Security, Networking http://peoplescounsel.org The "real world" of Law, Justice, and Government ___--- |
#6
|
|||
|
|||
WARNING - PDF exploits - Adobe and Foxit [and others] readers
From: "MEB"
| On 04/04/2010 08:57 PM, Shenan Stanley wrote: MEB wrote: This particular style of exploit has been around for quite sometime in various forms. I have previously to advise of this style of attack. Yet another party has posted the methodology and provided example coding. Specially and EASILY crafted PDFs can be created to include calls to external applications which are not blocked by JAVA or other restrictions, yet can be run, forcing other unwanted activities [such as opening IE or running commands] or exploiting other vulnerabilities within other applications. This type of exploit can be used in conjunction with other exploits, compounding the potential malicious usage. These exploits can be modified to work within any OS, though system restrictions and other security may mitigate some of the potential exploits. Adobe Reader and Foxit Reader are vulnerable to this style of exploit, as may others. Foxit appears to be more exploitable than Adobe to this particular issue. Sumatra is apparently immune or doesn't support this type of exploit, and others may be as well. Metasploit and several other have provided other or additional styles of this type of exploit. REFERENCES/EXAMPLES: http://blog.didierstevens.com/2010/0...cape-from-pdf/ take particular note of the comment section for indications of how easy the coding and modifications are. http://www.metasploit.com/ Dan wrote: FoxitReader has a new update. MEB wrote: Does it supposedly deal with these issues? You did not quote the issues you refer to in your response. I have put that part back (above.) | I didn't because they were already removed. You can easily check for yourself, as can anyone else. Foxit Software has a security page he http://www.foxitsoftware.com/pdf/reader/security.htm Now that you can see the security page for Foxit Software and what patches they have released and for what reasons those patches were released and the referenced 'these issues' - do the updates deal with what you reported on April 1, 2010? | Since you have returned the links to the materials, would you say or | advise that the issues have been fixed pursuant the original linked | materials and your link? | Apr. 2, 2010 | "Authorization Bypass When Executing An Embedded Executable. | SUMMARY | Fixed a security issue that Foxit Reader runs an executable embedded | program inside a PDF automatically without asking for user’s permission. | AFFECTED SOFTWARE VERSION | Foxit Reader 3.2.0.0303." | Have you personally tested for these vulnerabilities [see for example, | the metasploit link] with/after the supposed fix/update? | I would opine that they may deal with SOME of those reported issues, I | would not go so far as to claim they were completely fixed when taken in | conjunction with other exploits/vulnerabilities or per indications of | other versions affected; or per other exploits using similar methods | [since there appeared to be several methods to achieve the results], | would you? http://www.us-cert.gov/current/index...t_reader_3_2_1 -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp |
#7
|
|||
|
|||
WARNING - PDF exploits - Adobe and Foxit [and others] readers
From: "MEB"
| On 04/04/2010 08:57 PM, Shenan Stanley wrote: MEB wrote: This particular style of exploit has been around for quite sometime in various forms. I have previously to advise of this style of attack. Yet another party has posted the methodology and provided example coding. Specially and EASILY crafted PDFs can be created to include calls to external applications which are not blocked by JAVA or other restrictions, yet can be run, forcing other unwanted activities [such as opening IE or running commands] or exploiting other vulnerabilities within other applications. This type of exploit can be used in conjunction with other exploits, compounding the potential malicious usage. These exploits can be modified to work within any OS, though system restrictions and other security may mitigate some of the potential exploits. Adobe Reader and Foxit Reader are vulnerable to this style of exploit, as may others. Foxit appears to be more exploitable than Adobe to this particular issue. Sumatra is apparently immune or doesn't support this type of exploit, and others may be as well. Metasploit and several other have provided other or additional styles of this type of exploit. REFERENCES/EXAMPLES: http://blog.didierstevens.com/2010/0...cape-from-pdf/ take particular note of the comment section for indications of how easy the coding and modifications are. http://www.metasploit.com/ Dan wrote: FoxitReader has a new update. MEB wrote: Does it supposedly deal with these issues? You did not quote the issues you refer to in your response. I have put that part back (above.) | I didn't because they were already removed. You can easily check for yourself, as can anyone else. Foxit Software has a security page he http://www.foxitsoftware.com/pdf/reader/security.htm Now that you can see the security page for Foxit Software and what patches they have released and for what reasons those patches were released and the referenced 'these issues' - do the updates deal with what you reported on April 1, 2010? | Since you have returned the links to the materials, would you say or | advise that the issues have been fixed pursuant the original linked | materials and your link? | Apr. 2, 2010 | "Authorization Bypass When Executing An Embedded Executable. | SUMMARY | Fixed a security issue that Foxit Reader runs an executable embedded | program inside a PDF automatically without asking for user’s permission. | AFFECTED SOFTWARE VERSION | Foxit Reader 3.2.0.0303." | Have you personally tested for these vulnerabilities [see for example, | the metasploit link] with/after the supposed fix/update? | I would opine that they may deal with SOME of those reported issues, I | would not go so far as to claim they were completely fixed when taken in | conjunction with other exploits/vulnerabilities or per indications of | other versions affected; or per other exploits using similar methods | [since there appeared to be several methods to achieve the results], | would you? http://www.us-cert.gov/current/index...t_reader_3_2_1 -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp |
#8
|
|||
|
|||
WARNING - PDF exploits - Adobe and Foxit [and others] readers
On 04/04/2010 08:57 PM, Shenan Stanley wrote:
MEB wrote: This particular style of exploit has been around for quite sometime in various forms. I have previously to advise of this style of attack. Yet another party has posted the methodology and provided example coding. Specially and EASILY crafted PDFs can be created to include calls to external applications which are not blocked by JAVA or other restrictions, yet can be run, forcing other unwanted activities [such as opening IE or running commands] or exploiting other vulnerabilities within other applications. This type of exploit can be used in conjunction with other exploits, compounding the potential malicious usage. These exploits can be modified to work within any OS, though system restrictions and other security may mitigate some of the potential exploits. Adobe Reader and Foxit Reader are vulnerable to this style of exploit, as may others. Foxit appears to be more exploitable than Adobe to this particular issue. Sumatra is apparently immune or doesn't support this type of exploit, and others may be as well. Metasploit and several other have provided other or additional styles of this type of exploit. REFERENCES/EXAMPLES: http://blog.didierstevens.com/2010/0...cape-from-pdf/ take particular note of the comment section for indications of how easy the coding and modifications are. http://www.metasploit.com/ Dan wrote: FoxitReader has a new update. MEB wrote: Does it supposedly deal with these issues? You did not quote the issues you refer to in your response. I have put that part back (above.) I didn't because they were already removed. You can easily check for yourself, as can anyone else. Foxit Software has a security page he http://www.foxitsoftware.com/pdf/reader/security.htm Now that you can see the security page for Foxit Software and what patches they have released and for what reasons those patches were released and the referenced 'these issues' - do the updates deal with what you reported on April 1, 2010? Since you have returned the links to the materials, would you say or advise that the issues have been fixed pursuant the original linked materials and your link? Apr. 2, 2010 "Authorization Bypass When Executing An Embedded Executable. SUMMARY Fixed a security issue that Foxit Reader runs an executable embedded program inside a PDF automatically without asking for user’s permission. AFFECTED SOFTWARE VERSION Foxit Reader 3.2.0.0303." Have you personally tested for these vulnerabilities [see for example, the metasploit link] with/after the supposed fix/update? I would opine that they may deal with SOME of those reported issues, I would not go so far as to claim they were completely fixed when taken in conjunction with other exploits/vulnerabilities or per indications of other versions affected; or per other exploits using similar methods [since there appeared to be several methods to achieve the results], would you? -- MEB http://peoplescounsel.org/ref/windows-main.htm Windows Info, Diagnostics, Security, Networking http://peoplescounsel.org The "real world" of Law, Justice, and Government ___--- |
#9
|
|||
|
|||
WARNING - PDF exploits - Adobe and Foxit [and others] readers
MEB wrote:
This particular style of exploit has been around for quite sometime in various forms. I have previously to advise of this style of attack. Yet another party has posted the methodology and provided example coding. Specially and EASILY crafted PDFs can be created to include calls to external applications which are not blocked by JAVA or other restrictions, yet can be run, forcing other unwanted activities [such as opening IE or running commands] or exploiting other vulnerabilities within other applications. This type of exploit can be used in conjunction with other exploits, compounding the potential malicious usage. These exploits can be modified to work within any OS, though system restrictions and other security may mitigate some of the potential exploits. Adobe Reader and Foxit Reader are vulnerable to this style of exploit, as may others. Foxit appears to be more exploitable than Adobe to this particular issue. Sumatra is apparently immune or doesn't support this type of exploit, and others may be as well. Metasploit and several other have provided other or additional styles of this type of exploit. REFERENCES/EXAMPLES: http://blog.didierstevens.com/2010/0...cape-from-pdf/ take particular note of the comment section for indications of how easy the coding and modifications are. http://www.metasploit.com/ Dan wrote: FoxitReader has a new update. MEB wrote: Does it supposedly deal with these issues? You did not quote the issues you refer to in your response. I have put that part back (above.) You can easily check for yourself, as can anyone else. Foxit Software has a security page he http://www.foxitsoftware.com/pdf/reader/security.htm Now that you can see the security page for Foxit Software and what patches they have released and for what reasons those patches were released and the referenced 'these issues' - do the updates deal with what you reported on April 1, 2010? -- Shenan Stanley MS-MVP -- How To Ask Questions The Smart Way http://www.catb.org/~esr/faqs/smart-questions.html |
#10
|
|||
|
|||
WARNING - PDF exploits - Adobe and Foxit [and others] readers
On 04/03/2010 04:51 PM, Dan wrote:
FoxitReader has a new update. Does it supposedly deal with these issues? -- MEB http://peoplescounsel.org/ref/windows-main.htm Windows Info, Diagnostics, Security, Networking http://peoplescounsel.org The "real world" of Law, Justice, and Government ___--- |
|
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
PDF exploits shown in this comparison as exceeding Flash based | MEB[_17_] | General | 73 | February 26th 10 03:18 AM |
New Adobe Reader Zero Day Exploits - New FireFox exploits | MEB[_16_] | General | 28 | May 5th 09 12:29 AM |
Foxit 2.3 PDF Reader Doesn't Work with 98 | foo | General | 2 | May 15th 08 09:23 PM |
Question for Mike M, Foxit | Justin Thyme | General | 3 | January 8th 07 10:13 PM |
Spybot and DSO Exploits | Alias | General | 2 | September 7th 04 04:03 PM |