Topic: Acrobat bug can lead to malware installs without even opening an infected file

mouser

If you've been living in fear of opening any suspicious PDF files since we let you know about a still-unpatched bug in Adobe Acrobat that could expose your PC to a malware infection, we've got some bad news for you: it turns out that, due to how the bug is integrated into the software, it's possible for malware authors to still get into your system, even if you never actually open an infected file.

The bug affects only Windows computers running Acrobat version 7 or later. Because the program doesn't correctly read PDF files containing a certain type of compressed image, a specially-crafted PDF can at once crash Acrobat and inject its own code into the system, beginning a malware installation. Even though this bug's been public knowledge for weeks, and exploits are already out taking advantage of it, Adobe has been delaying its release of a patch to fix it, scheduled to be available on the 11th.



from http://www.downloads...n-originally-tought/

f0dder

Oh wonderful, exploits for metadata parsing in the document handler? Greeeeat code, adobe.

Good thing I haven't had Adobe Reader installed for a long time :)
- carpe noctem

lanux128

just when you thought it was safe to go back to Adobe Reader.. i wonder if Foxit is also affected by this bug. :-\

f0dder

just when you thought it was safe to go back to Adobe Reader.. i wonder if Foxit is also affected by this bug. :-\
-lanux128
Why would you go back to adobe? :)

But no, Foxit shouldn't be affected by the bug - unless they've copied Adobe's document handler :) (but as the article says: if you have adobe reader installed on your system, it doesn't matter if you use another program to view PDF files.)
- carpe noctem

app103

it turns out that, due to how the bug is integrated into the software, it's possible for malware authors to still get into your system, even if you never actually open an infected file.

The bug affects only Windows computers running Acrobat version 7 or later. Because the program doesn't correctly read PDF files containing a certain type of compressed image, a specially-crafted PDF can at once crash Acrobat and inject its own code into the system, beginning a malware installation.
-mouser

i wonder if Foxit is also affected by this bug.
-lanux128

I believe this is the thumbnails that Adobe Reader displays in Explorer, which Foxit doesn't. So you could be safe from this, unless it also affects the other data displayed such as author & title.

Without Adobe Reader on your system (I uninstalled it a while back because I got totally fed up) Foxit doesn't display pretty little image thumbnails of PDF files. You get the default Foxit icon and nothing more.

With Adobe Reader on your system, even though Foxit is your default reader, you still get those pretty exploitable thumbnail images in PDF files showing in Explorer.

Something similar happened a while back with HTML thumbnails, and this is why you don't see them in Explorer any more. Microsoft removed the ability to render thumbnails of HTML pages located on your hard drive with one of the service packs in Win2k, and XP SP2. The only versions of Windows still able to render HTML thumbnails in Explorer are 2k & XP that haven't been updated and Win9x.

Incidentally, there are other applications using Adobe's PDF technology, including their thumbnail rendering stuff...namely digital magazine & textbook readers that have licensed the technology from Adobe, like Zinio Reader (Adobe Reader on steroids, with special DRM stuff). So even if you uninstall Adobe Reader from your system, if you have Zinio installed for automatic delivery and ability to read your magazines & textbooks offline, it's quite possible that you could still be vulnerable. So if you get magazines from Zinio, it might be in your best interest to uninstall their reader and use their web reader to read your magazines online. (I am not about to install their huge bloated reader to test if it restores the pdf thumbnails in Explorer, or just their magazine thumbnails)

If you have textbooks from Zinio, I am not sure if they allow online viewing of those, so I don't know what to suggest for you to do.

I am starting to get suspicious of anything that can render thumbnails of images in Explorer, because I think the vulnerability has its roots in Explorer itself. I am wondering if I should turn off Explorer thumbnails in Paintshop Pro (for .psp & .tub files), before someone figures out how to exploit that too.

lanux128

just when you thought it was safe to go back to Adobe Reader.. i wonder if Foxit is also affected by this bug. :-\
-lanux128
Why would you go back to adobe? :)
-f0dder

i use Foxit Reader but as a part of my work, i need to maintain a portable install of each version - 6, 7, & 8 to view incompatibilities. btw, it's a joke based on the promotional slogan of Jaws 2, being a bad sequel and all. :)

J-Mac

Just uninstalled Acro Reader w/Revo Uninstaller. It had surprisingly few left over registry entries. I also have Foxit for viewing PDF files, and Nuance PDF Converter 5 Professional for creating and editing PDF files. That's what I always use anyway. I can't remember what application I installed that also installed Adobe Reader 8 but it did it without asking first. I do remember that much. Pitiful.

Thanks!

Jim

Steven Avery

Hi Folks,

My normal PDF method is PDF X-Change Viewer, working as a window in Firefox 3.  Also use the PDF Download extension, although I generally just say "Bypass" which opens the new Tab with the PDF. (Sidenote: Linkman opening urls seems to bypass the PDF Download extension, which is fine by me.) Looks real good, when I tried Foxit it did not seem quite as strong, I think it was weaker on viewing and maybe some cut-and-paste issues.  I know PDF-Xchange does my pops CPA tax forms fine.

So I am undecided about uninstalling Acrobat. I hardly use Windows Explorer, and it is unclear .. perhaps it can cause harm just en passant ?

(Added note: Revo didn't do much, apparently it uninstalled from its list .. but it still opens up.  A bit of a puzzle.  Maybe will try a reinstall followed by uninstall.  It also has a security update entry, and there are lots of other Adobe entries.)

Hmm.. my Opera is still opening the Adobe reader.
So Tools-Preferences-Advanced-Download

So I made some changes there .. apparently there is an Opera Plug-in to see the PDF-Xchange inline, but opening in the PDF-Xchange program is good too (biggest disadvantage.. you cannot immediately Linkman bookmark).  Anyway, the Opera plug-in may not really exist yet.

Also I opened PDF X-Change and had it change my system-wide file association to take over.

So now the clunky Adobe reader is probably fully out of the picture ?  Is it still necessary to kill it more ?  Granted that might be a nice finish.

==========================

This is a well-done view of PDF X-Change

http://homepage.ntlw...tml/pdf-xchange.html
PDF-XChange - Free PDF Viewer

Yes, I know Fox-It is a great program too, and leaner and quicker in some ways.  So it gets full respect also.

Shalom,
Steven
« Last Edit: March 08, 2009, 04:31 AM by Steven Avery »

f0dder

Whether you use Adobe Reader or not, you have an attack vector if it's installed - it's not just Windows Explorer that opens you to the attack, but any file manager that uses the standard file property sheet stuff... which means basically any alternate file manager I've seen.

So you really do need to uninstall AR, and do it completely :)
- carpe noctem

Darwin

Done! Thanks mouser for pointing this out as I would have been oblivious otherwise. There's a silver lining, too - I've discovered that PDF Converter Professional 5 is as quick opening up a pdf as the Adobe Reader (ie under a second) so I've got one less application installed  :Thmbsup:

Steven Avery

So you really do need to uninstall AR, and do it completely :)
-f0dder
Good advice. And taken.

Especially easy since we know the alternatives work much better for regular, simple daily use.  I really like viewing the PDFs in Firefox and having the bookmarking of Firefox and the loading quickness of PDF-XChange.

I had stumbled by removing the entry in Revo instead of uninstalling .. so after a reinstall it showed up again, allowing a full enough uninstall.

Shalom,
Steven
« Last Edit: March 08, 2009, 10:56 AM by Steven Avery »

J-Mac

Steve - OK, I see you posted what you did accidentally. I was going to comment that Revo uninstalled the Adobe Reader fine here.

Glad you got it sorted out!

Jim

Darwin

Just to note - I uninstalled Adobe Reader from my wife's machine and installed Foxit Reader 3 - VERY impressed. I like the fact that it integrates with Firefox... PDF Converter Pro doesn't do this, but I'm not really complaining  :)

app103

If you are going to use Firefox integration for any PDF reader, please consider installing PDF Download to give you a dialog asking what you want to do, when you hit a PDF.

It will stop unexpected (and sometimes undesirable) surprises, by giving you an option to open in browser, externally, save to your hard drive, or view as html.


Bonus: it also allows you to convert pages to PDF, preserving links.

Darwin

If you are going to use Firefox integration for any PDF reader, please consider installing PDF Download to give you a dialog asking what you want to do, when you hit a PDF.

It will stop unexpected (and sometimes undesirable) surprises, by giving you an option to open in browser, externally, save to your hard drive, or view as html.


Bonus: it also allows you to convert pages to PDF, preserving links.
-app103

Yeah, I came upon this yesterday when looking for a plug-in to enable viewing pdfs within Firefox (ie to enable me to use PDF Converter Pro to view pdfs within Firefox...). However, I decided not to download it because I don't mind having pdfs open in an external viewer.

FWIW, I'm always asked what I want to do with pdfs (open with PDF Converter or save), so am not sure what additional benefit PDF Download will give me?

EDIT: Doh! I really need to learn to READ  :-[ I'll look at PDF Download again, for my wife's computer, as I infer that that's the situation to which you were referring!

tomos

...
Bonus: it also allows you to convert pages to PDF, preserving links.
-app103
and a very nice bonus with that, thanks :)
Tom

Deozaan

Yeah, I came upon this yesterday when looking for a plug-in to enable viewing pdfs within Firefox (ie to enable me to use PDF Converter Pro to view pdfs within Firefox...). However, I decided not to download it because I don't mind having pdfs open in an external viewer.

FWIW, I'm always asked what I want to do with pdfs (open with PDF Converter or save), so am not sure what additional benefit PDF Download will give me?
-Darwin

I prefer PDFs to open in an external viewer. But Acrobat integrates in IE and Firefox and I absolutely HATE it when PDF files display in my browser. So I've been using PDF Download for a while to 1) try to view the PDF as HTML inside the browser and/or 2) force the browser to download the PDF to launch in an external viewer.

But now that I've uninstalled Acrobat and installed Foxit Reader, that doesn't seem to be an issue anymore. :Thmbsup:

Darwin

Ha, ha! Always a silver lining, eh? Not unlike my "Eureka" moment when I realized that I don't actually *need* a separate pdf viewer after I uninstalled Acrobat Reader  :Thmbsup:

xtabber

FWIW, Foxit Reader 2.3 and 3.0 had the same security flaw (JBIG2 Trigger) as Adobe Reader, so replacing AR with FR did not remove the threat. Foxit released a patch today (http://www.foxitsoft.../reader/security.htm ), while Adobe is still saying that theirs will be released on Wednesday.

I recall reading somewhere that one could protect against this particular exploit by disabling Javascript in Adobe Reader, but I don't know if that is in fact true.


f0dder

Hm. JBIG2 - fax image compression stuff? If that's what's exploited, I very much doubt disabling javascript is going to protect you. Unfortunate that foxit also has (had) the flaw, I guess foxit and adobe are using the same library for handling the image compression?

At least foxit shouldn't be just as exploitable as AR though, since it's AR that installs the explorer content filter thingamajig :)

Thanks for bringing this to our attention, xtabber!
- carpe noctem
« Last Edit: March 09, 2009, 06:10 PM by f0dder »
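
For triage of the JBIG2 issue xtabber and f0dder discuss above, an added example (not code from any poster in this thread): a Python scan that reads a PDF's raw bytes, with no PDF reader or shell handler involved, and reports whether any stream declares the JBIG2Decode filter, including names written with #xx escapes or packed into Flate-compressed object streams. The sample documents are constructed fragments and all function names are this example's own.

```python
import re
import zlib

TARGET = b"/JBIG2Decode"                      # PDF filter name for JBIG2 image data
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
MAX_INFLATE = 1 << 20                         # cap per stream against decompression bombs


def normalize_names(data: bytes) -> bytes:
    """Undo PDF name escapes, so /JBIG2#44ecode compares equal to /JBIG2Decode."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes):
    """Yield the inflated body of each stream zlib accepts (e.g. object streams)."""
    for match in STREAM.finditer(data):
        try:
            yield zlib.decompressobj().decompress(match.group(1), MAX_INFLATE)
        except zlib.error:
            continue                          # not Flate data (raw image bytes, etc.)


def scan_pdf(data: bytes) -> dict:
    """Count JBIG2 filter declarations by where they were found; never renders."""
    plain = data.count(TARGET)
    escaped = normalize_names(data).count(TARGET) - plain
    hidden = sum(normalize_names(body).count(TARGET) for body in inflate_streams(data))
    return {
        "looks_like_pdf": b"%PDF-" in data[:1024],
        "plain": plain,
        "escaped": escaped,
        "in_compressed": hidden,
        "flag": (plain + escaped + hidden) > 0,
    }


def image_object(filter_name: bytes) -> bytes:
    """Constructed fragment: one image object with a 4-byte dummy stream body."""
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /XObject /Subtype /Image /Filter "
            + filter_name + b" /Length 4 >>\nstream\nABCD\nendstream\nendobj\n%%EOF\n")


def object_stream(inner: bytes) -> bytes:
    """Constructed fragment: a dictionary packed inside a Flate object stream."""
    packed = zlib.compress(inner)
    return (b"%PDF-1.5\n1 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(packed)).encode() + b" >>\nstream\n" + packed
            + b"\nendstream\nendobj\n%%EOF\n")


SAMPLES = {  # all constructed for this example
    "benign.pdf": image_object(b"/DCTDecode"),
    "plain.pdf": image_object(TARGET),
    "escaped.pdf": image_object(b"/JBIG2#44ecode"),
    "hidden.pdf": object_stream(b"<< /Subtype /Image /Filter /JBIG2Decode >>"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, scan_pdf(blob))
```

A hit only means the file will exercise a JBIG2 decoder, not that it is malicious; encrypted documents and other stacked stream filters are outside what this scan sees.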

Josh

You know, I love threads like this. Please hear me out.

Every time a company starts out, they have an idea people like. When the idea catches on, they add the features that are requested by the major users of the product. After doing such, many of the smaller people jump ship and complain about bloat. This has happened to windows, this happened to symantec, this happened to adobe, and this happened to pretty much any company that made it big.

I understand the logic in that people want a product to stay small, but for a product to grow and catch new users, the developers have to add the features that are called for. Adobe reader is a fantastic product. I own, and just renewed actually, a license to several foxit products including the reader pro pack and pdf editor. While foxit's products are nice for portability, they do not hold a candle in usability when compared to adobe's products. Yes, adobe has been hit with an onslaught of vulnerabilities lately, but the issue lies deeper than adobe "not trying to find them" or "not filtering the code so they never existed in the first place".

There is only a finite amount of resources available for most companies' R&D and testing departments. Beta testing helps alleviate this but it does not find everything. Adobe seems to have received lots of ridicule on this very site for the bugs that have been found. Would it have been nice if they were caught prior to this? Of course. The problem lies in that every piece of software is developed by man. Man is by nature fallible. As such, the software created by a fallible being is in and of itself fallible. How any person can sit and say "With a staff this large they should have caught these bugs" is laughable. There are millions upon millions of configurations that adobe and the beta test team simply cannot account for.

There is a reason Apple has made their software installable on only a limited amount of hardware. If apple had the same amount of hardware to support, they would have the same issues. The issue is not microsoft product centric, it just falls that way because A. Apple controls very tightly what hardware their products will install on without hacking, B. Linux is not supported by many major manufacturers minus the server side because it, in all reality, is not a feasible product for enterprise-wide deployment on a desktop scale, and C. Microsoft, like it or not, is the largest software company in the world and its products are capable of supporting an infinite number of platform configurations. Microsoft has catered to what its users want which is an OS which can install on any platform and perform a variety of tasks out of the box. Many of the problems we are seeing in many of these products relate to features which are either new, or very often not utilized as often as people proclaim.

So please, I ask for people to stop saying "Switch to XXX" whenever a vulnerability appears. Switching will not solve anything because as soon as that product makes it big, it will turn into every other product out there. Time has shown this to be definite and inevitable for any software manufacturer which makes it big. Let's focus on helping these companies detect and fix these issues in a timely manner rather than abandoning them because of a few flaws which, in well over half of the cases, never affect anything more than half a percent of the population.

Darwin

Man is by nature fallible.
-Josh

Spaek fro yursef.

J-Mac

Josh, I disagree that Adobe Reader had to grow as large as it has because of disparate user needs. Adobe finally got a little smarter with v.9 by not having so much load every time you open a PDF document, but it still loads way too much. E.g.:

PDF File size = 4.54 MB:  Adobe Reader 8: 46,320 kb; Foxit Reader 3: 8,220 kb

PDF File size = 6.34 MB:  Adobe Reader 8: 47,032 kb;  Foxit Reader 3: 10,456 kb

No file - Just start the app:  Adobe Reader 35,842 kb;  Foxit Reader 3: 3,952 kb

That's just too much of a hit on memory IMO. Not necessary if you are not using any other features. If other users all over the world have differing needs then create modules that can be added as needed.

Jim

f0dder

While foxit's products are nice for portability, they do not hold a candle in usability when compared to adobe's products.
-Josh
If you only need PDF reading, and not authoring, just what advantages does Adobe Reader have over Foxit? For my needs, FR is superior to AR because of its simplicity and smaller size.

While foxit's products are nice for portability, they do not hold a candle in usability when compared to adobe's products.
-Josh
Perhaps Adobe should spend a bit more time on testing and bugfixing than adding useless graphical glitz (like the skinned crap in recent AR versions).

There is a reason Apple has made their software installable on only a limited amount of hardware. If apple had the same amount of hardware to support, they would have the same issues.
-Josh
Bullshit. They would have more driver issues, yeah, but software bugs are only very rarely hardware-dependent.
- carpe noctem

app103

There is a reason Apple has made their software installable on only a limited amount of hardware. If apple had the same amount of hardware to support, they would have the same issues. The issue is not microsoft product centric, it just falls that way because A. Apple controls very tightly what hardware their products will install on without hacking, B. Linux is not supported by many major manufacturers minus the server side because it, in all reality, is not a feasible product for enterprise-wide deployment on a desktop scale, and C. Microsoft, like it or not, is the largest software company in the world and its products are capable of supporting an infinite number of platform configurations. Microsoft has catered to what its users want which is an OS which can install on any platform and perform a variety of tasks out of the box. Many of the problems we are seeing in many of these products relate to features which are either new, or very often not utilized as often as people proclaim.
-Josh

Looks like OSX, iPhone, and possibly *nix may be vulnerable to this too.

http://isc.sans.org/...ry.html?storyid=5932