If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Display Modes |
#1
|
|||
|
|||
WARNING - PDF exploits - Adobe and Foxit [and others] readers
This particular style of exploit has been around for quite sometime in various forms. I have previously to advise of this style of attack. Yet another party has posted the methodology and provided example coding. Specially and EASILY crafted PDFs can be created to include calls to external applications which are not blocked by JAVA or other restrictions, yet can be run, forcing other unwanted activities [such as opening IE or running commands] or exploiting other vulnerabilities within other applications. This type of exploit can be used in conjunction with other exploits, compounding the potential malicious usage. These exploits can be modified to work within any OS, though system restrictions and other security may mitigate some of the potential exploits. Adobe Reader and Foxit Reader are vulnerable to this style of exploit, as may others. Foxit appears to be more exploitable than Adobe to this particular issue. Sumatra is apparently immune or doesn't support this type of exploit, and others may be as well. Metasploit and several other have provided other or additional styles of this type of exploit. REFERENCES/EXAMPLES: http://blog.didierstevens.com/2010/0...cape-from-pdf/ take particular note of the comment section for indications of how easy the coding and modifications are. http://www.metasploit.com/ -- MEB http://peoplescounsel.org/ref/windows-main.htm Windows Info, Diagnostics, Security, Networking http://peoplescounsel.org The "real world" of Law, Justice, and Government ___--- |
#2
|
|||
|
|||
WARNING - PDF exploits - Adobe and Foxit [and others] readers
MEB wrote in
: SNIP Thanks for the info. I have never gotten around to removing AR 5 from my machine, even though I use the Fox reader for everything. Occasionally, on stupid sites which give you no choice, instead of DL'g, the damn PDF opens in the Opera browser windows using AR, not Fox. I would like NOTHING to ever open, and "hack the DL" if I have to. Do you know where the setting might be to remove the AR opening automatically? I suppose I could just remove AR, but then Opera it would probably find Fox and default to that, which is no good either. I hope you can make sense of what I just wrote. Thanks. t. |
#3
|
|||
|
|||
WARNING - PDF exploits - Adobe and Foxit [and others] readers
FoxitReader has a new update.
|
#4
|
|||
|
|||
WARNING - PDF exploits - Adobe and Foxit [and others] readers
FoxitReader has a new update.
|
#5
|
|||
|
|||
WARNING - PDF exploits - Adobe and Foxit [and others] readers
On 04/03/2010 04:51 PM, Dan wrote:
FoxitReader has a new update. Does it supposedly deal with these issues? -- MEB http://peoplescounsel.org/ref/windows-main.htm Windows Info, Diagnostics, Security, Networking http://peoplescounsel.org The "real world" of Law, Justice, and Government ___--- |
#6
|
|||
|
|||
WARNING - PDF exploits - Adobe and Foxit [and others] readers
On 04/03/2010 04:51 PM, Dan wrote:
FoxitReader has a new update. Does it supposedly deal with these issues? -- MEB http://peoplescounsel.org/ref/windows-main.htm Windows Info, Diagnostics, Security, Networking http://peoplescounsel.org The "real world" of Law, Justice, and Government ___--- |
#7
|
|||
|
|||
WARNING - PDF exploits - Adobe and Foxit [and others] readers
MEB wrote:
This particular style of exploit has been around for quite sometime in various forms. I have previously to advise of this style of attack. Yet another party has posted the methodology and provided example coding. Specially and EASILY crafted PDFs can be created to include calls to external applications which are not blocked by JAVA or other restrictions, yet can be run, forcing other unwanted activities [such as opening IE or running commands] or exploiting other vulnerabilities within other applications. This type of exploit can be used in conjunction with other exploits, compounding the potential malicious usage. These exploits can be modified to work within any OS, though system restrictions and other security may mitigate some of the potential exploits. Adobe Reader and Foxit Reader are vulnerable to this style of exploit, as may others. Foxit appears to be more exploitable than Adobe to this particular issue. Sumatra is apparently immune or doesn't support this type of exploit, and others may be as well. Metasploit and several other have provided other or additional styles of this type of exploit. REFERENCES/EXAMPLES: http://blog.didierstevens.com/2010/0...cape-from-pdf/ take particular note of the comment section for indications of how easy the coding and modifications are. http://www.metasploit.com/ Dan wrote: FoxitReader has a new update. MEB wrote: Does it supposedly deal with these issues? You did not quote the issues you refer to in your response. I have put that part back (above.) You can easily check for yourself, as can anyone else. Foxit Software has a security page he http://www.foxitsoftware.com/pdf/reader/security.htm Now that you can see the security page for Foxit Software and what patches they have released and for what reasons those patches were released and the referenced 'these issues' - do the updates deal with what you reported on April 1, 2010? -- Shenan Stanley MS-MVP -- How To Ask Questions The Smart Way http://www.catb.org/~esr/faqs/smart-questions.html |
#8
|
|||
|
|||
WARNING - PDF exploits - Adobe and Foxit [and others] readers
MEB wrote:
This particular style of exploit has been around for quite sometime in various forms. I have previously to advise of this style of attack. Yet another party has posted the methodology and provided example coding. Specially and EASILY crafted PDFs can be created to include calls to external applications which are not blocked by JAVA or other restrictions, yet can be run, forcing other unwanted activities [such as opening IE or running commands] or exploiting other vulnerabilities within other applications. This type of exploit can be used in conjunction with other exploits, compounding the potential malicious usage. These exploits can be modified to work within any OS, though system restrictions and other security may mitigate some of the potential exploits. Adobe Reader and Foxit Reader are vulnerable to this style of exploit, as may others. Foxit appears to be more exploitable than Adobe to this particular issue. Sumatra is apparently immune or doesn't support this type of exploit, and others may be as well. Metasploit and several other have provided other or additional styles of this type of exploit. REFERENCES/EXAMPLES: http://blog.didierstevens.com/2010/0...cape-from-pdf/ take particular note of the comment section for indications of how easy the coding and modifications are. http://www.metasploit.com/ Dan wrote: FoxitReader has a new update. MEB wrote: Does it supposedly deal with these issues? You did not quote the issues you refer to in your response. I have put that part back (above.) You can easily check for yourself, as can anyone else. Foxit Software has a security page he http://www.foxitsoftware.com/pdf/reader/security.htm Now that you can see the security page for Foxit Software and what patches they have released and for what reasons those patches were released and the referenced 'these issues' - do the updates deal with what you reported on April 1, 2010? -- Shenan Stanley MS-MVP -- How To Ask Questions The Smart Way http://www.catb.org/~esr/faqs/smart-questions.html |
#9
|
|||
|
|||
WARNING - PDF exploits - Adobe and Foxit [and others] readers
On 04/01/2010 06:16 PM, thanatoid wrote:
MEB wrote in : SNIP Thanks for the info. I have never gotten around to removing AR 5 from my machine, even though I use the Fox reader for everything. Occasionally, on stupid sites which give you no choice, instead of DL'g, the "darn" PDF opens in the Opera browser windows using AR, not Fox. I would like NOTHING to ever open, and "hack the DL" if I have to. Do you know where the setting might be to remove the AR opening automatically? I suppose I could just remove AR, but then Opera it would probably find Fox and default to that, which is no good either. I hope you can make sense of what I just wrote. Thanks. t. Had to change one of your words - didn't make it to MS servers... Hmm, not sure for AR5 but AR6 is/was [or was this just for developers editions?]: [HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\6.0\Originals] "bBrowserIntegration"=dword:00000000 However that would leave some files that MAY still cause issues. How about this/these [note they refer to XP removals but you should be able to figure out the 9X folders being referenced, OR just do a "find" for the file names]: http://www.instant-registry-fixes.or...dobe-products/ Note the *.ocx files [ActiveX controls] and the dlls... http://www.ehow.com/how_4925573_remo...be-reader.html http://www.adobetutorialz.com/articl...bat-Reader-505 You can or should be able to "disable" the *.ocx "helpers" by going to the folder and right clicking [IIRC]. -- MEB http://peoplescounsel.org |
#10
|
|||
|
|||
WARNING - PDF exploits - Adobe and Foxit [and others] readers
"MEB.peoplescounsel" wrote
in : SNIP http://www.adobetutorialz.com/articl...emoving-Acroba t-Reader-505 You can or should be able to "disable" the *.ocx "helpers" by going to the folder and right clicking [IIRC]. Thanks very much. Cheers. |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
PDF exploits shown in this comparison as exceeding Flash based | MEB[_17_] | General | 73 | February 26th 10 03:18 AM |
New Adobe Reader Zero Day Exploits - New FireFox exploits | MEB[_16_] | General | 28 | May 5th 09 12:29 AM |
Foxit 2.3 PDF Reader Doesn't Work with 98 | foo | General | 2 | May 15th 08 09:23 PM |
Question for Mike M, Foxit | Justin Thyme | General | 3 | January 8th 07 10:13 PM |
Spybot and DSO Exploits | Alias | General | 2 | September 7th 04 04:03 PM |