#11
WARNING - PDF exploits - Adobe and Foxit [and others] readers
"MEB.peoplescounsel" wrote
in : SNIP http://www.adobetutorialz.com/articl...emoving-Acroba t-Reader-505 You can or should be able to "disable" the *.ocx "helpers" by going to the folder and right clicking [IIRC]. Thanks very much. Cheers.
#12
"MEB.peoplescounsel" wrote
in : SNIP instead of DL'g, the "darn" PDF opens in the Opera browser Had to change one of your words - didn't make it to MS servers... Did I offend the MaSters of the world by using the f word instead of darn? (...) Just occurred to me that I can check... (...) ONE LETTER? Unbelievable. Un-darn-believable.
#14
On 04/04/2010 08:57 PM, Shenan Stanley wrote:
MEB wrote: This particular style of exploit has been around for quite sometime in various forms. I have previously to advise of this style of attack. Yet another party has posted the methodology and provided example coding. Specially and EASILY crafted PDFs can be created to include calls to external applications which are not blocked by JAVA or other restrictions, yet can be run, forcing other unwanted activities [such as opening IE or running commands] or exploiting other vulnerabilities within other applications. This type of exploit can be used in conjunction with other exploits, compounding the potential malicious usage. These exploits can be modified to work within any OS, though system restrictions and other security may mitigate some of the potential exploits. Adobe Reader and Foxit Reader are vulnerable to this style of exploit, as may others. Foxit appears to be more exploitable than Adobe to this particular issue. Sumatra is apparently immune or doesn't support this type of exploit, and others may be as well. Metasploit and several other have provided other or additional styles of this type of exploit. REFERENCES/EXAMPLES: http://blog.didierstevens.com/2010/0...cape-from-pdf/ take particular note of the comment section for indications of how easy the coding and modifications are. http://www.metasploit.com/ Dan wrote: FoxitReader has a new update. MEB wrote: Does it supposedly deal with these issues? You did not quote the issues you refer to in your response. I have put that part back (above.) I didn't because they were already removed. You can easily check for yourself, as can anyone else. Foxit Software has a security page he http://www.foxitsoftware.com/pdf/reader/security.htm Now that you can see the security page for Foxit Software and what patches they have released and for what reasons those patches were released and the referenced 'these issues' - do the updates deal with what you reported on April 1, 2010? 
Since you have returned the links to the materials, would you say or advise that the issues have been fixed pursuant the original linked materials and your link? Apr. 2, 2010 "Authorization Bypass When Executing An Embedded Executable. SUMMARY Fixed a security issue that Foxit Reader runs an executable embedded program inside a PDF automatically without asking for user’s permission. AFFECTED SOFTWARE VERSION Foxit Reader 3.2.0.0303." Have you personally tested for these vulnerabilities [see for example, the metasploit link] with/after the supposed fix/update? I would opine that they may deal with SOME of those reported issues, I would not go so far as to claim they were completely fixed when taken in conjunction with other exploits/vulnerabilities or per indications of other versions affected; or per other exploits using similar methods [since there appeared to be several methods to achieve the results], would you? -- MEB http://peoplescounsel.org/ref/windows-main.htm Windows Info, Diagnostics, Security, Networking http://peoplescounsel.org The "real world" of Law, Justice, and Government ___---
#16
From: "MEB"
| On 04/04/2010 08:57 PM, Shenan Stanley wrote: MEB wrote: This particular style of exploit has been around for quite sometime in various forms. I have previously to advise of this style of attack. Yet another party has posted the methodology and provided example coding. Specially and EASILY crafted PDFs can be created to include calls to external applications which are not blocked by JAVA or other restrictions, yet can be run, forcing other unwanted activities [such as opening IE or running commands] or exploiting other vulnerabilities within other applications. This type of exploit can be used in conjunction with other exploits, compounding the potential malicious usage. These exploits can be modified to work within any OS, though system restrictions and other security may mitigate some of the potential exploits. Adobe Reader and Foxit Reader are vulnerable to this style of exploit, as may others. Foxit appears to be more exploitable than Adobe to this particular issue. Sumatra is apparently immune or doesn't support this type of exploit, and others may be as well. Metasploit and several other have provided other or additional styles of this type of exploit. REFERENCES/EXAMPLES: http://blog.didierstevens.com/2010/0...cape-from-pdf/ take particular note of the comment section for indications of how easy the coding and modifications are. http://www.metasploit.com/ Dan wrote: FoxitReader has a new update. MEB wrote: Does it supposedly deal with these issues? You did not quote the issues you refer to in your response. I have put that part back (above.) | I didn't because they were already removed. You can easily check for yourself, as can anyone else. 
Foxit Software has a security page he http://www.foxitsoftware.com/pdf/reader/security.htm Now that you can see the security page for Foxit Software and what patches they have released and for what reasons those patches were released and the referenced 'these issues' - do the updates deal with what you reported on April 1, 2010? | Since you have returned the links to the materials, would you say or | advise that the issues have been fixed pursuant the original linked | materials and your link? | Apr. 2, 2010 | "Authorization Bypass When Executing An Embedded Executable. | SUMMARY | Fixed a security issue that Foxit Reader runs an executable embedded | program inside a PDF automatically without asking for user’s permission. | AFFECTED SOFTWARE VERSION | Foxit Reader 3.2.0.0303." | Have you personally tested for these vulnerabilities [see for example, | the metasploit link] with/after the supposed fix/update? | I would opine that they may deal with SOME of those reported issues, I | would not go so far as to claim they were completely fixed when taken in | conjunction with other exploits/vulnerabilities or per indications of | other versions affected; or per other exploits using similar methods | [since there appeared to be several methods to achieve the results], | would you? http://www.us-cert.gov/current/index...t_reader_3_2_1 -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
#18
On 04/05/2010 05:53 PM, David H. Lipman wrote:
From: "MEB" | On 04/04/2010 08:57 PM, Shenan Stanley wrote: MEB wrote: This particular style of exploit has been around for quite sometime in various forms. I have previously to advise of this style of attack. Yet another party has posted the methodology and provided example coding. Specially and EASILY crafted PDFs can be created to include calls to external applications which are not blocked by JAVA or other restrictions, yet can be run, forcing other unwanted activities [such as opening IE or running commands] or exploiting other vulnerabilities within other applications. This type of exploit can be used in conjunction with other exploits, compounding the potential malicious usage. These exploits can be modified to work within any OS, though system restrictions and other security may mitigate some of the potential exploits. Adobe Reader and Foxit Reader are vulnerable to this style of exploit, as may others. Foxit appears to be more exploitable than Adobe to this particular issue. Sumatra is apparently immune or doesn't support this type of exploit, and others may be as well. Metasploit and several other have provided other or additional styles of this type of exploit. REFERENCES/EXAMPLES: http://blog.didierstevens.com/2010/0...cape-from-pdf/ take particular note of the comment section for indications of how easy the coding and modifications are. http://www.metasploit.com/ Dan wrote: FoxitReader has a new update. MEB wrote: Does it supposedly deal with these issues? You did not quote the issues you refer to in your response. I have put that part back (above.) | I didn't because they were already removed. You can easily check for yourself, as can anyone else. 
Foxit Software has a security page he http://www.foxitsoftware.com/pdf/reader/security.htm Now that you can see the security page for Foxit Software and what patches they have released and for what reasons those patches were released and the referenced 'these issues' - do the updates deal with what you reported on April 1, 2010? | Since you have returned the links to the materials, would you say or | advise that the issues have been fixed pursuant the original linked | materials and your link? | Apr. 2, 2010 | "Authorization Bypass When Executing An Embedded Executable. | SUMMARY | Fixed a security issue that Foxit Reader runs an executable embedded | program inside a PDF automatically without asking for user's permission. | AFFECTED SOFTWARE VERSION | Foxit Reader 3.2.0.0303." | Have you personally tested for these vulnerabilities [see for example, | the metasploit link] with/after the supposed fix/update? | I would opine that they may deal with SOME of those reported issues, I | would not go so far as to claim they were completely fixed when taken in | conjunction with other exploits/vulnerabilities or per indications of | other versions affected; or per other exploits using similar methods | [since there appeared to be several methods to achieve the results], | would you? http://www.us-cert.gov/current/index...t_reader_3_2_1 "US-CERT encourages users and administrators to review the Foxit notice regarding the release and upgrade to Foxit Reader 3.2.1.0401 to help mitigate the risks." I think the key word above is "help", perhaps I'm wrong. Last week's summary of vulnerabilities, in particular relating Oracle/Sun JAVA and IE, seems to be a part of the total picture, add in the OSs themselves and their vulnerabilities and we have a slightly different total picture involved. 
http://www.us-cert.gov/cas/bulletins/SB10-095.html Oracle released an update: http://www.oracle.com/technology/dep...pumar2010.html "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 27 new security fixes across all products." -- MEB http://peoplescounsel.org/ref/windows-main.htm Windows Info, Diagnostics, Security, Networking http://peoplescounsel.org The "real world" of Law, Justice, and Government ___---
#20
"MEB" wrote: On 04/05/2010 05:53 PM, David H. Lipman wrote: From: "MEB" | On 04/04/2010 08:57 PM, Shenan Stanley wrote: MEB wrote: This particular style of exploit has been around for quite sometime in various forms. I have previously to advise of this style of attack. Yet another party has posted the methodology and provided example coding. Specially and EASILY crafted PDFs can be created to include calls to external applications which are not blocked by JAVA or other restrictions, yet can be run, forcing other unwanted activities [such as opening IE or running commands] or exploiting other vulnerabilities within other applications. This type of exploit can be used in conjunction with other exploits, compounding the potential malicious usage. These exploits can be modified to work within any OS, though system restrictions and other security may mitigate some of the potential exploits. Adobe Reader and Foxit Reader are vulnerable to this style of exploit, as may others. Foxit appears to be more exploitable than Adobe to this particular issue. Sumatra is apparently immune or doesn't support this type of exploit, and others may be as well. Metasploit and several other have provided other or additional styles of this type of exploit. REFERENCES/EXAMPLES: http://blog.didierstevens.com/2010/0...cape-from-pdf/ take particular note of the comment section for indications of how easy the coding and modifications are. http://www.metasploit.com/ Dan wrote: FoxitReader has a new update. MEB wrote: Does it supposedly deal with these issues? You did not quote the issues you refer to in your response. I have put that part back (above.) | I didn't because they were already removed. You can easily check for yourself, as can anyone else. 
Foxit Software has a security page he http://www.foxitsoftware.com/pdf/reader/security.htm Now that you can see the security page for Foxit Software and what patches they have released and for what reasons those patches were released and the referenced 'these issues' - do the updates deal with what you reported on April 1, 2010? | Since you have returned the links to the materials, would you say or | advise that the issues have been fixed pursuant the original linked | materials and your link? | Apr. 2, 2010 | "Authorization Bypass When Executing An Embedded Executable. | SUMMARY | Fixed a security issue that Foxit Reader runs an executable embedded | program inside a PDF automatically without asking for user's permission. | AFFECTED SOFTWARE VERSION | Foxit Reader 3.2.0.0303." | Have you personally tested for these vulnerabilities [see for example, | the metasploit link] with/after the supposed fix/update? | I would opine that they may deal with SOME of those reported issues, I | would not go so far as to claim they were completely fixed when taken in | conjunction with other exploits/vulnerabilities or per indications of | other versions affected; or per other exploits using similar methods | [since there appeared to be several methods to achieve the results], | would you? http://www.us-cert.gov/current/index...t_reader_3_2_1 "US-CERT encourages users and administrators to review the Foxit notice regarding the release and upgrade to Foxit Reader 3.2.1.0401 to help mitigate the risks." I think the key word above is "help", perhaps I'm wrong. Last week's summary of vulnerabilities, in particular relating Oracle/Sun JAVA and IE, seems to be a part of the total picture, add in the OSs themselves and their vulnerabilities and we have a slightly different total picture involved. 
http://www.us-cert.gov/cas/bulletins/SB10-095.html Oracle released an update: http://www.oracle.com/technology/dep...pumar2010.html "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 27 new security fixes across all products." -- MEB http://peoplescounsel.org/ref/windows-main.htm Windows Info, Diagnostics, Security, Networking http://peoplescounsel.org The "real world" of Law, Justice, and Government ___--- . Meb, I have been researching this vulnerability and apparently the new update to FoxitReader software allows there to be a warning box that will pop up before this vulnerability is launched. http://www.pcworld.com/businesscente...ab ility.html "I've reported it to Foxit Software, and they told me they will issue a fix this week. I don't know what the fix will be, but I assume it will be a warning message, to be in line with the other PDF readers," Stevens said via e-mail. (from the article) http://forums.foxitsoftware.com/showthread.php?t=18044 http://www.kb.cert.org/vuls/id/570177 "This issue is addressed in Foxit Reader 3.2.1.0401. This update will cause Foxit Reader to prompt the user before using a Launch Action." (From US-Cert) It appears that the makers of Foxit Reader are much more concerned about the user's safety and security than the makers of Adobe Reader.
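A triage check for the Launch Action discussed in this thread, added here as an example for mail or download gateways; it is not code from any poster or from the linked articles. The watched-name list, the quarantine rule and the sample bytes are assumptions constructed for illustration.

```python
import re
import zlib

# Names worth flagging during triage (assumed list). /Launch is the action
# type the thread discusses; the rest mark automatic triggers or embedded
# content that tends to accompany it.
WATCHED = ("Launch", "OpenAction", "AA", "EmbeddedFile", "JavaScript")

# A PDF name is "/" followed by characters up to whitespace or a delimiter.
NAME_RE = re.compile(rb"/([^\s/<>\[\]\(\)\{\}%]+)")
HEX_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def decode_name(raw: bytes) -> str:
    """Undo PDF name hex escapes so b'La#75nch' compares equal to 'Launch'."""
    decoded = HEX_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def expand_streams(data: bytes) -> bytes:
    """Replace each stream with its inflated body when it is Flate data.

    Object streams can hold whole dictionaries in compressed form, so a
    scan of the raw bytes alone would miss names stored there.
    """
    def repl(match):
        body = match.group(1)
        try:
            # decompressobj tolerates the trailing end-of-line before
            # "endstream" instead of raising on the extra bytes.
            return zlib.decompressobj().decompress(body)
        except zlib.error:
            return body  # other filter or binary data: scan it as-is
    return STREAM_RE.sub(repl, data)


def count_names(data: bytes) -> dict:
    """Count watched names after escape decoding and stream expansion."""
    counts = {name: 0 for name in WATCHED}
    for match in NAME_RE.finditer(expand_streams(data)):
        name = decode_name(match.group(1))
        if name in counts:
            counts[name] += 1
    return counts


def triage(data: bytes) -> dict:
    """Assumed policy: any Launch action sends the file to quarantine."""
    counts = count_names(data)
    return {"names": counts, "quarantine": counts["Launch"] > 0}


# Constructed sample inputs: dictionary fragments, not complete PDF files.
SAMPLE_PLAIN = (
    b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Action /S /La#75nch /F (PLACEHOLDER) >>\nendobj\n"
)
SAMPLE_PACKED = (
    b"3 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"<< /Type /Action /S /Launch /F (PLACEHOLDER) >>")
    + b"\nendstream\nendobj\n"
)
SAMPLE_BENIGN = b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"

if __name__ == "__main__":
    for label, blob in (("plain", SAMPLE_PLAIN),
                        ("packed", SAMPLE_PACKED),
                        ("benign", SAMPLE_BENIGN)):
        print(label, triage(blob))
```

A reader update that adds a prompt still leaves the decision to the user, so a gateway check like this is a complement to patching rather than a replacement. Encrypted documents and filters other than Flate are outside what this sketch inspects.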