The Macintosh Webmaster Forum

    
Malicious PDFs roaming (even Macs)
Adobe Reader and Acrobat patches are now available




msg:4060780
 5:12 pm on Jan 14, 2010 (gmt 0)

Our friends at SANS have the details here.
[isc.sans.org...]

Yeah, even Mac people need to be aware of this. I just finished my patch into Snow Leopard and it was easy.

If you really want to get into it:
[isc.sans.org...]
It appears that the initial attack vector on Google (and 20+ other companies!) was probably a malicious PDF document.

 

graeme_p




msg:4060843
 6:32 pm on Jan 14, 2010 (gmt 0)

Do many Mac users use Acrobat reader rather than the default MacOS X one?

It seems, yet again, the lesson is to avoid Acrobat.

levo




msg:4060867
 6:52 pm on Jan 14, 2010 (gmt 0)

I'm using the default one (Preview).

incrediBILL




msg:4060872
 6:59 pm on Jan 14, 2010 (gmt 0)


the UPDATE.CAB file drops another executable that injects a DLL into Internet Explorer

It seems, yet again, the lesson is to avoid Acrobat.

No, the lesson is and always has been:

1. Don't open files from unknown senders
2. Beware files on untrusted sites
3. Disable javascript except on whitelisted sites
4. Avoid Internet Explorer as much as possible

vordmeister




msg:4060920
 7:54 pm on Jan 14, 2010 (gmt 0)

There's a thing to disable Javascript in PDF readers (I've never figured out why it would be useful to have javascript in something that is essentially a printer friendly format).

Please someone mention how to do it - I've forgotten, and it's not disabled as default.

Robert Charlton




msg:4060931
 8:25 pm on Jan 14, 2010 (gmt 0)

If you do update your current Adobe Reader, be aware that on the Adobe Reader download page, the additional download of McAfee Security Scan is on by default.

Be sure to uncheck that box if you don't want McAfee to self-install. Shame on Adobe for setting it up this way.

dreamcatcher




msg:4060943
 8:36 pm on Jan 14, 2010 (gmt 0)

Haven't used Adobe Reader for years. I'll let a few friends know though.

dc

travelin cat




msg:4060961
 8:59 pm on Jan 14, 2010 (gmt 0)

For those Mac users that have Acrobat Pro, here is a tip to force all .pdf files to open with it rather than either Preview or Acrobat Reader:

Control click on any .pdf file
Choose "Open With"
Scroll to the bottom of the list and choose "Other..."
Click on the check box in the bottom of the window that says "Always Open With"
Navigate to your Application folder and click on Adobe Acrobat Professional.

From this point on, every .pdf file will be opened with Acrobat Pro

travelin cat




msg:4060967
 9:03 pm on Jan 14, 2010 (gmt 0)

vordmeister,

To disable JavaScript:

File -> Preferences
Under Categories, click on JavaScript
To the right, uncheck the box next to "Enable Acrobat JavaScript"

oddsod




msg:4060984
 9:21 pm on Jan 14, 2010 (gmt 0)

It seems it's only an Adobe problem and doesn't affect Foxit users. This is probably a good time to make the switch.

sgietz




msg:4060994
 9:29 pm on Jan 14, 2010 (gmt 0)

The PDFs of today are essentially no different from years ago, so why has the reader gotten so damn bloated? I install ONE Adobe product, and suddenly my programs menu has 5-6 other apps I never asked for.

Adobe makes industry standard software in many design/publishing areas. I wonder how much longer they can ride that wave before people scream and holler for an alternative and possibly settle for a lesser product just to get away from them.

timster




msg:4061018
 10:12 pm on Jan 14, 2010 (gmt 0)

I searched my disk on my MacBook and was surprised to see Adobe Reader. I don't think I downloaded it deliberately. It had never been launched. Deleted it.

There are some PDFs out there that have nifty interactive forms that put JavaScript to good use. Adobe competes with Word forms that way. But Preview is enough for me.

jomaxx




msg:4061048
 10:50 pm on Jan 14, 2010 (gmt 0)

I second the motion to disable Javascript. I did this last summer when I got stung by a bug, and that has helped me avoid several scares since. My gut tells me there are lots more vulnerabilities that will only be patched after exploits are already in the wild.

This is 100% on Adobe, who released a shoddy and insecure Javascript engine where no normal person would want or expect it to exist anyway. Their entire reader is a sad joke that a decade later still brings my computer to a crawl when I have to load a .PDF document, but that's another thread.

frontpage




msg:4061079
 12:00 am on Jan 15, 2010 (gmt 0)

Who still uses Internet Explorer and Adobe Reader? That's so 1999.

engine




msg:4061250
 9:13 am on Jan 15, 2010 (gmt 0)

Besides the fact that Adobe Reader is hugely bloated, please don't miss the point that these compromised PDFs are the problem, and we don't know how it might sit on your system until accidentally opened or sent on to someone else.

Good advice from incrediBILL, thanks.

graeme_p




msg:4061293
 11:30 am on Jan 15, 2010 (gmt 0)


1. Don't open files from unknown senders
2. Beware files on untrusted sites
3. Disable javascript except on whitelisted sites
4. Avoid Internet Explorer as much as possible

I agree, but Acrobat seems to be to PDF, what IE is to HTML.

After all, every time we visit an untrusted site, our web browsers are opening files from it, and we expect them to be secure.

(I've never figured out why it would be useful to have javascript in something that is essentially a printer friendly format).

Forms.

Some of the other readers are implementing Javascript because otherwise they cannot replace Acrobat Reader in some environments.

jomaxx




msg:4061602
 7:36 pm on Jan 15, 2010 (gmt 0)

That just begs the question of why PDF documents need the ability to submit forms in the first place. Or why the forms need to be validated by Javascript, which is a process easily circumvented anyway.

But anyway, it's in there and it'll be years before most people have updated to a more secure release.

incrediBILL




msg:4061698
 10:01 pm on Jan 15, 2010 (gmt 0)

After all, every time we visit an untrusted site, our web browsers are opening files from it, and we expect them to be secure.

No, I never expect an untrusted site to be secure, that's why it's called UNTRUSTED.

Considering the large quantity of hacked sites on shared services, approaching them as anything but potentially hostile is a bad idea.

That's why many of us surf with javascript and other features disabled unless it's whitelisted.

The internet is no different than the real world, you never know what kind of neighborhood you're in until you get car jacked (or worse) and by then it's too late so be careful.
