Security holes in numerous PDF applications allow attackers to infect systems with malware.

CalvinHobbes

Diamond Member
Feb 27, 2004

http://www.h-online.com/securi...plications-833449.html


Security holes in numerous PDF applications allow attackers to infect systems with malware. When loading and unloading certain COM objects, for instance, the Foxit plug-in (npFoxitReaderPlugin.dll) for the Firefox web browser under Windows causes a memory leak that can potentially be exploited for injecting and executing code via specially crafted web pages. The flaw was discovered in version 3.1.1.0928 and has also been confirmed to exist in the current version 3.1.2.1013 of Foxit Reader (with Firefox 3.5.3). A similar bug that affected the loading of objects was recently fixed in Adobe Reader. So far, no updates have been made available for Foxit Reader.

Developers have also released a patch for the free Xpdf PDF reader that fixes four security problems in version 3.02. Exploits for a buffer overflow and a null pointer dereference hole are already in circulation. Problems in Xpdf usually cause a whole string of vulnerabilities in other applications that are based on its code, for example poppler, CUPS, Gpdf and KPDF.

In CUPS, the holes were reportedly closed in the official version 1.4.1. Currently, no official updates have been released for KPDF, poppler or gpdf. However, Linux distributor Red Hat has already released new packages for these applications, and other distributors are likely to follow soon. As always, users are advised to treat unsolicited PDF documents with caution and open them in an alternative PDF reader until the relevant updates have become available.
 

n0cmonkey

Elite Member
Jun 10, 2001
PDFs are horrible horrible beasts. I wish there was a PDF-light standard that wasn't so bloated.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
As always, users are advised to treat unsolicited PDF documents with caution, open them in an alternative PDF reader until the relevant updates have become available, and never run their PDF reader or web browser as root/Admin.

Improved :evil: What is it with these security pundits who treat LUA as a taboo subject, anyway? :confused:
 

VirtualLarry

No Lifer
Aug 25, 2001
I stick with Adobe Reader 5.1 with Search. That version doesn't have any known vulns, and it predates the reader versions that allow embedding any sort of media or COM object into them.

Unfortunately, it also doesn't read 100% of the PDFs out there.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Originally posted by: VirtualLarry
I stick with Adobe Reader 5.1 with Search. That version doesn't have any known vulns

I took a quick look at Secunia's site, and it certainly does have vulns. "Highly Critical" vulns.

Solution:
Install updated version.

Adobe Reader (Windows or Mac OS):
Update to version 7.0.3 or 6.0.4.

Although I would update directly to 9.2, since I believe 7.x is EOL and has vulns galore.
 

Gamingphreek

Lifer
Mar 31, 2003
Originally posted by: mechBgon
As always, users are advised to treat unsolicited PDF documents with caution, open them in an alternative PDF reader until the relevant updates have become available, and never run their PDF reader or web browser as root/Admin.

Improved :evil: What is it with these security pundits who treat LUA as a taboo subject, anyway? :confused:

Also a bigger question, why in the world would anyone ever run their browser or pdf reader as root?

-Kevin
 

SecPro

Member
Jul 17, 2007
Originally posted by: Gamingphreek
Originally posted by: mechBgon
As always, users are advised to treat unsolicited PDF documents with caution, open them in an alternative PDF reader until the relevant updates have become available, and never run their PDF reader or web browser as root/Admin.

Improved :evil: What is it with these security pundits who treat LUA as a taboo subject, anyway? :confused:

Also a bigger question, why in the world would anyone ever run their browser or pdf reader as root?

-Kevin

There are a myriad of reasons. People don't know any better, or in enterprise environments it's easier for desktop support to make someone a local admin than it is to actually figure out what the problem is. I am constantly on the CIO's ass about how many admins there are on our network. Some are legit needs, most are not.
 

Gamingphreek

Lifer
Mar 31, 2003
Originally posted by: SecPro
Originally posted by: Gamingphreek
Originally posted by: mechBgon
As always, users are advised to treat unsolicited PDF documents with caution, open them in an alternative PDF reader until the relevant updates have become available, and never run their PDF reader or web browser as root/Admin.

Improved :evil: What is it with these security pundits who treat LUA as a taboo subject, anyway? :confused:

Also a bigger question, why in the world would anyone ever run their browser or pdf reader as root?

-Kevin

There are a myriad of reasons. People don't know any better, or in enterprise environments it's easier for desktop support to make someone a local admin than it is to actually figure out what the problem is. I am constantly on the CIO's ass about how many admins there are on our network. Some are legit needs, most are not.

Even still, local admin is different than the root user on a *nix based machine. Logging in as root or using the sudo command to open a pdf is fishy in and of its own right in my mind.

-Kevin
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Originally posted by: Gamingphreek
Originally posted by: mechBgon
As always, users are advised to treat unsolicited PDF documents with caution, open them in an alternative PDF reader until the relevant updates have become available, and never run their PDF reader or web browser as root/Admin.

Improved :evil: What is it with these security pundits who treat LUA as a taboo subject, anyway? :confused:

Also a bigger question, why in the world would anyone ever run their browser or pdf reader as root?

-Kevin

Sorry, I'm trying not to be Windows-centric in my terminology, that's all ;)

 

Gamingphreek

Lifer
Mar 31, 2003
Originally posted by: mechBgon
Originally posted by: Gamingphreek
Originally posted by: mechBgon
As always, users are advised to treat unsolicited PDF documents with caution, open them in an alternative PDF reader until the relevant updates have become available, and never run their PDF reader or web browser as root/Admin.

Improved :evil: What is it with these security pundits who treat LUA as a taboo subject, anyway? :confused:

Also a bigger question, why in the world would anyone ever run their browser or pdf reader as root?

-Kevin

Sorry, I'm trying not to be Windows-centric in my terminology, that's all ;)

Haha - gotcha :)

Ugh and once again the security vulnerabilities in the world have the user at the root of the problem :p
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: Gamingphreek
Ugh and once again the security vulnerabilities in the world have the user at the root of the problem :p

I see the pdf problems in a number of ways, including the typical "stupid user opened a bad pdf as admin" response.

But I've also seen some "GOOD" bad pdfs. Ones where I had to pick my jaw up off the floor and admit to myself that I would have opened it.

Now, I haven't looked into these flaws very much (lazy monkey!) so I'm not sure if the following will apply to these specific thoughts. :p

Some of the flaws in adobe/word/everything don't require admin/root/santa claus to do damage, but they do need it to thoroughly fubar a system.

Now, what's the most important thing to most users on their computers? Their documents, whatever they may be. Users have ownership over these documents, so they do not need to worry about permission issues. If there was a malicious document sent to that user that did not try to really backdoor the system, but only to siphon documents off the system (think industrial espionage) admin privs shouldn't be necessary.

You shouldn't have to install anything to protected places on the system. EXEs run from anywhere. And it doesn't have to be complicated, just a quick HTTP(s) push to a willing participant (use the IE bits available to programmers to do it to make things easier).

You could make it more complicated by trying to infect frequently accessed documents to make it more resilient (to reboots and whatnot), but it isn't necessary.

Anyhow, in this case the user has pretty much NO protection from the bad. There's just an overly complicated standard that would make it difficult to argue that my refrigerator isn't PDF compliant (I'd quote this, but I forgot who I heard it from).
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
EXEs run from anywhere.

You put your finger on a significant problem. On Windows (other than "Home" versions), Software Restriction Policy can defend against that, since it will prevent EXEs from running anywhere that the user can save one to: disallowed-by-default SRP setup. There are some caveats and can be some headaches, but if Reader were exploited to download a file to disk and attempted to launch it, this would arbitrarily stop it.
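
A simplified model of the disallowed-by-default idea in the post above, added here as an illustration and not part of the original post or of Windows itself: execution is denied unless a path rule allows it, and the audit flags any directory that is both user-writable and allowed to run code. The policy, user name and directories are constructed, and real SRP also has hash and certificate rules that are not modelled.

```python
from pathlib import PureWindowsPath

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

# Constructed policy (not real SRP registry data): deny by default,
# allow only locations a standard user normally cannot write to.
POLICY = {
    "default": DISALLOWED,
    "rules": {
        r"C:\Windows": UNRESTRICTED,
        r"C:\Program Files": UNRESTRICTED,
    },
}

# Constructed list of directories a standard user can save files to.
USER_WRITABLE = [
    r"C:\Users\alice\Downloads",
    r"C:\Users\alice\AppData\Local\Temp",
    r"C:\Program Files\LegacyApp\cache",  # constructed ACL mistake
]

def is_under(path, root):
    """True if path is root or lies beneath it (case-insensitive)."""
    p, r = PureWindowsPath(path), PureWindowsPath(root)
    return p == r or r in p.parents

def decide(exe_path, policy=POLICY):
    """Level applied to exe_path: most specific path rule wins, else default."""
    matches = [(len(PureWindowsPath(root).parts), level)
               for root, level in policy["rules"].items()
               if is_under(exe_path, root)]
    return max(matches)[1] if matches else policy["default"]

def writable_and_runnable(user_writable_dirs, policy=POLICY):
    """Directories the user can save to where an EXE would still run."""
    return [d for d in user_writable_dirs
            if decide(str(PureWindowsPath(d) / "dropped.exe"), policy)
            == UNRESTRICTED]

if __name__ == "__main__":
    # A file saved by an exploited reader lands in a user-writable folder.
    print(decide(r"C:\Users\alice\AppData\Local\Temp\update.exe"))
    print(decide(r"C:\Program Files\Reader\reader.exe"))
    # Any directory listed here needs a Disallowed rule or an ACL fix.
    print(writable_and_runnable(USER_WRITABLE))
```
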
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: mechBgon
EXEs run from anywhere.

You put your finger on a significant problem. On Windows (other than "Home" versions), Software Restriction Policy can defend against that, since it will prevent EXEs from running anywhere that the user can save one to: disallowed-by-default SRP setup. There are some caveats and can be some headaches, but if Reader were exploited to download a file to disk and attempted to launch it, this would arbitrarily stop it.

Nice! Seems silly that this isn't available in Home versions. Seems pretty useful.

EDIT: It's also neat how you took my ramble, siphoned out the important part, and posted a solution. :p