PDF Security problem/exploit

Chiefcrowe

Diamond Member
Sep 15, 2008
Has anyone heard of this? I just read through this and it's kinda scary!


http://www.bleepingcomputer.co...index.php/t175838.html

Synopsis of symptoms:
--
SUMMARY: In short, there are some sites that perform remote code execution based on security vulnerabilities in unpatched or un-updated versions of Adobe Acrobat (Reader and Full) version 7 and 8. The rootkit is sent encapsulated in a PDF file and security holes in Acrobat allow the rootkit file to execute after reception. This is the entry point for the rootkit infection. Even if virus scanners peek inside PDF files, they would not be able to detect malicious code if the PDF was encrypted.
Once inside, the job of the fake "sysaudio.sys" appears to be to make it easier for its comrades (other infections) to come onboard while limiting the user's ability to get rid of it.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
Great reasons to keep one's software up-to-date (Secunia PSI is useful for that) and use a non-Admin account for everyday work.

Using Adobe Reader's vulns to compromise systems is just one of the bad guys' options; Microsoft's latest Security Intelligence Report listed top-tens, including two RealPlayer vulns; see pages 9 and 10 of their key findings summary.
 

VirtualLarry

No Lifer
Aug 25, 2001
Is Adobe Reader 5.1 with Search vulnerable? That's the version that I run on all of my machines because it's less buggy and very lightweight. PSI just lists it as "end of life", and suggests I upgrade it, but doesn't list any specific known vulnerabilities against v5.1.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
While I don't know if it is for this particular bug, I'm sure it is for other things. 5.1 is super old, so you should definitely consider updating it!
 

VirtualLarry

No Lifer
Aug 25, 2001
Originally posted by: Chiefcrowe
While I don't know if it is for this particular bug, I'm sure it is for other things. 5.1 is super old, so you should definitely consider updating it!

Ok, what "other things"?

My philosophy is, if it isn't broke, don't fix it, just for the sake of fixing.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
Originally posted by: VirtualLarry
Originally posted by: Chiefcrowe
While I don't know if it is for this particular bug, I'm sure it is for other things. 5.1 is super old, so you should definitely consider updating it!

Ok, what "other things"?

My philosophy is, if it isn't broke, don't fix it, just for the sake of fixing.

The most critical vulnerability in Secunia's database for Acrobat 5.x is a Highly Critical vuln that is resolved by updating to the current version of Adobe Reader (or Acrobat, if you have full-ride Acrobat). So if you didn't, you haven't. http://secunia.com/advisories/16466/

Description:
A vulnerability has been reported in Adobe Reader and Adobe Acrobat, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an unspecified boundary error in the core application plug-in and can be exploited to cause a buffer overflow when a specially crafted file is opened.

Successful exploitation may allow execution of arbitrary code.

Solution:
Install updated version.

Possible containment strategy if you won't/can't update: use a non-Admin user account and a Software Restriction Policy set to disallowed-by-default. If a payload did get delivered, it's still going to be shot down by SRP. My philosophy is "assume everything is broke (because it'll eventually turn out to be true), and plan accordingly" ;)

 

nordloewelabs

Senior member
Mar 18, 2005
Originally posted by: Chiefcrowe
While I don't know if it is for this particular bug, I'm sure it is for other things. 5.1 is super old, so you should definitely consider updating it!

No. He should consider dropping it.
Foxit is a lot lighter and a lot less exploited.

And like mech says: avoid using the admin account.
 

foxit

Junior Member
Feb 17, 2009
Recently we received a number of inquiries regarding the latest Adobe vulnerability; people are concerned whether Foxit Reader is vulnerable to the same kind of exploit. We have gathered enough technical information about that vulnerability and confirmed that Foxit Reader is NOT subject to the same kind of exploits.

The Adobe vulnerability is caused by a buffer overflow issue within their JBIG2 decoder. Foxit uses our own JBIG2 decoder, and it handles those malicious JBIG2 streams gracefully (an empty image will be displayed instead of crashing).

More information regarding Adobe vulnerability can be found at http://www.kb.cert.org/vuls/id/905281 or http://www.securityfocus.com/bid/33751.

If you should have any concern over security of PDF and Foxit Reader, feel free to contact us in any way.

Thanks for your attention.
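A small static triage scanner for the two indicators raised in this thread, added here as an illustration; it is not code from any of the posters, from Adobe or from Foxit. It flags the /JBIG2Decode filter (the decoder named in the CERT VU#905281 advisory the Foxit post links), flags active content (/JavaScript, /OpenAction, /Launch and friends), and reports /Encrypt, because the synopsis at the top of the thread is right that an encrypted PDF hides its stream bodies from a scanner: the standard security handler encrypts strings and stream data but never dictionary names, so the filter name stays visible while the JBIG2 payload itself does not. The sample PDFs are constructed inline and are not real malware. Two details go beyond the posts: names written with #xx escapes (a common way to dodge string matching) are normalised before comparison, and FlateDecode object streams are inflated so objects hidden inside them are scanned too.

```python
"""Static PDF triage at the syntax level (no PDF library, no rendering),
which is roughly what an antivirus "peek inside the PDF" amounts to.
Added example for this thread, not code from Adobe, Foxit or any poster."""
import re
import zlib
from collections import Counter

# Keys/values whose presence means the document carries active content.
ACTIVE_KEYS = ("JavaScript", "JS", "OpenAction", "AA", "Launch", "EmbeddedFile")
JBIG2 = "JBIG2Decode"  # filter handled by the decoder named in CERT VU#905281

NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]*)")                 # PDF name token
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)  # indirect object
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\s*endstream", re.S)   # stream body


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /JBIG2D#65code and /JBIG2Decode compare equal."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def names_in(chunk: bytes) -> Counter:
    """Count every (un-escaped) name token in a dictionary or object body."""
    return Counter(decode_name(m.group(1)) for m in NAME_RE.finditer(chunk))


def inflate(body: bytes) -> bytes:
    """Decompress a FlateDecode body; truncated/corrupt data yields what could
    be recovered instead of raising."""
    try:
        return zlib.decompressobj().decompress(body)
    except zlib.error:
        return b""


def triage(data: bytes) -> dict:
    """Scan object dictionaries and the trailer. Raw stream bytes are never
    scanned (compressed or encrypted data cannot fake a name), but object
    streams are inflated and their plaintext objects scanned."""
    hits = {"encrypted": False, "jbig2_streams": 0, "active": {}, "objstm_scanned": 0}

    def note_active(names: Counter) -> None:
        for key in ACTIVE_KEYS:
            if names[key]:
                hits["active"][key] = hits["active"].get(key, 0) + names[key]

    # /Encrypt sits in the trailer (classic xref) or in the /XRef stream
    # dictionary (PDF 1.5+). Names are never encrypted, so it is always visible.
    trailer_at = data.rfind(b"trailer")
    if trailer_at != -1:
        hits["encrypted"] = names_in(data[trailer_at:])["Encrypt"] > 0

    for match in OBJ_RE.finditer(data):
        body = match.group(3)
        names = names_in(body.partition(b"stream")[0])  # the object's dictionary
        if names["Encrypt"]:
            hits["encrypted"] = True
        note_active(names)
        if names[JBIG2]:
            hits["jbig2_streams"] += 1
        if names["ObjStm"] and names["FlateDecode"]:     # compressed container
            stream = STREAM_RE.search(body)
            if stream:
                inner = names_in(inflate(stream.group(1)))
                hits["objstm_scanned"] += 1
                note_active(inner)
                hits["jbig2_streams"] += inner[JBIG2]

    if hits["active"]:
        hits["verdict"] = "suspicious"   # scripts/launch actions
    elif hits["jbig2_streams"] or hits["encrypted"]:
        hits["verdict"] = "review"       # legitimate for scans/DRM, but opaque or risky unpatched
    else:
        hits["verdict"] = "clean"
    return hits


# --- Constructed sample documents (not real malware) ----------------------
SAMPLE_CLEAN = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# JBIG2 image with an escaped filter name plus a document-open JavaScript action.
SAMPLE_JBIG2_JS = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 5 0 R >> >> >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
    b"5 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 /BitsPerComponent 1\n"
    b"  /ColorSpace /DeviceGray /Filter /JBIG2D#65code /Length 4 >>\n"
    b"stream\n\x00\x00\x00\x00\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Standard security handler: stream bodies would be ciphertext, the key is not.
SAMPLE_ENCRYPTED = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"6 0 obj << /Filter /Standard /V 1 /R 2 /Length 40 /P -1\n"
    b"  /O <" + b"00" * 32 + b"> /U <" + b"00" * 32 + b"> >> endobj\n"
    b"trailer << /Root 1 0 R /Encrypt 6 0 R /ID [<00> <00>] >>\n%%EOF\n"
)
# A JavaScript action object hidden inside a FlateDecode'd object stream.
_OBJSTM_DEFLATED = zlib.compress(b"7 0 << /S /JavaScript /JS (app.alert(1)) >>")
SAMPLE_OBJSTM = (
    b"%PDF-1.5\n"
    b"9 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
    + str(len(_OBJSTM_DEFLATED)).encode() + b" >>\nstream\n"
    + _OBJSTM_DEFLATED + b"\nendstream\nendobj\n"
    b"trailer << /Root 7 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, doc in (("clean", SAMPLE_CLEAN), ("jbig2+js", SAMPLE_JBIG2_JS),
                       ("encrypted", SAMPLE_ENCRYPTED), ("objstm", SAMPLE_OBJSTM)):
        print(f"{label:10s} {triage(doc)}")
```

Run it on a real attachment with `triage(open(path, "rb").read())`. The "review" verdict is deliberately not "malicious": JBIG2 is the normal filter for scanned bilevel pages and /Encrypt is common in DRM'd documents, but on a reader that has not been patched against the JBIG2 bug either one is reason to open the file only in a sandbox or not at all, and an encrypted file is one the scanner has not actually inspected.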