Malicious PDFs roaming (even Macs)

Adobe Reader and Acrobat patches are now available

     
5:12 pm on Jan 14, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 22, 2005
posts:1152
votes: 4


Our friends at SANS have the details here.
[isc.sans.org...]

Yeah, even Mac people need to be aware of this. I just finished my patch into Snow Leopard and it was easy.

If you really want to get into it:
[isc.sans.org...]

It appears that the initial attack vector on Google (and 20+ other companies!) was probably a malicious PDF document.

6:32 pm on Jan 14, 2010 (gmt 0)

Senior Member from LK 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2417
votes: 17


Do many Mac users use Acrobat reader rather than the default MacOS X one?

It seems, yet again, the lesson is to avoid Acrobat.

6:52 pm on Jan 14, 2010 (gmt 0)

Preferred Member

10+ Year Member

joined:Dec 12, 2004
posts:608
votes: 1


I'm using the default one (Preview).

6:59 pm on Jan 14, 2010 (gmt 0)

Administrator from US 

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 25, 2005
posts:14624
votes: 88



"the UPDATE.CAB file drops another executable that injects a DLL into Internet Explorer"

"It seems, yet again, the lesson is to avoid Acrobat."

No, the lesson is and always has been:

1. Don't open files from unknown senders
2. Beware files on untrusted sites
3. Disable javascript except on whitelisted sites
4. Avoid Internet Explorer as much as possible

7:54 pm on Jan 14, 2010 (gmt 0)

Preferred Member

10+ Year Member Top Contributors Of The Month

joined:Mar 12, 2004
posts:481
votes: 12


There's a thing to disable Javascript in PDF readers (I've never figured out why it would be useful to have javascript in something that is essentially a printer friendly format).

Please someone mention how to do it - I've forgotten, and it's not disabled as default.

8:25 pm on Jan 14, 2010 (gmt 0)

Moderator from US 

WebmasterWorld Administrator robert_charlton is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2000
posts:11314
votes: 165


If you do update your current Adobe Reader, be aware that on the Adobe Reader download page, the additional download of McAfee Security Scan is on by default.

Be sure to uncheck that box if you don't want McAfee to self-install. Shame on Adobe for setting it up this way.

8:36 pm on Jan 14, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member dreamcatcher is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 30, 2003
posts:3719
votes: 0


Haven't used Adobe Reader for years. I'll let a few friends know though.

dc

8:59 pm on Jan 14, 2010 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator travelin_cat is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Feb 28, 2004
posts:3115
votes: 2


For those Mac users that have Acrobat Pro, here is a tip to force all .pdf files to open with it rather than either Preview or Acrobat Reader:

Control click on any .pdf file
Choose "Open With"
Scroll to the bottom of the list and choose "Other..."
Click on the check box in the bottom of the window that says "Always Open With"
Navigate to your Application folder and click on Adobe Acrobat Professional.

From this point on, every .pdf file will be opened with Acrobat Pro

9:03 pm on Jan 14, 2010 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator travelin_cat is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Feb 28, 2004
posts:3115
votes: 2


vordmeister,

To disable JavaScript:

File -> Preferences
Under Categories, click on JavaScript
To the right, uncheck the box next to "Enable Acrobat JavaScript"

9:21 pm on Jan 14, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 21, 2005
posts:2259
votes: 0


It seems it's only an Adobe problem and doesn't affect Foxit users. This is probably a good time to make the switch.

9:29 pm on Jan 14, 2010 (gmt 0)

Full Member

5+ Year Member

joined:Jan 17, 2007
posts:306
votes: 0


The PDFs of today are essentially no different from years ago, so why has the reader gotten so damn bloated? I install ONE Adobe product, and suddenly my programs menu has 5-6 other apps I never asked for.

Adobe makes industry standard software in many design/publishing areas. I wonder how much longer they can ride that wave before people scream and holler for an alternative and possibly settle for a lesser product just to get away from them.

10:12 pm on Jan 14, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Aug 1, 2003
posts:815
votes: 0


I searched my disk on my MacBook and was surprised to see Adobe Reader. I don't think I downloaded it deliberately. It had never been launched. Deleted it.

There are some PDFs out there that have nifty interactive forms, that put JavaScript to good use. Adobe competes with Word forms that way. But Preview is enough for me.

10:50 pm on Jan 14, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member jomaxx is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 6, 2002
posts:4768
votes: 0


I second the motion to disable Javascript. I did this last summer when I got stung by a bug, and that has helped me avoid several scares since. My gut tells me there are lots more vulnerabilities that will only be patched after exploits are already in the wild.

This is 100% on Adobe, who released a shoddy and insecure Javascript engine where no normal person would want or expect it to exist anyway. Their entire reader is a sad joke that a decade later still brings my computer to a crawl when I have to load a .PDF document, but that's another thread.

12:00 am on Jan 15, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 23, 2002
posts:659
votes: 0


Who still uses Internet Explorer and Adobe Reader? That's so 1999.

9:13 am on Jan 15, 2010 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:22301
votes: 238


Besides the fact that Adobe Reader is hugely bloated, please don't miss the point that these compromised PDFs are the problem, and we don't know how it might sit on your system until accidentally opened or sent on to someone else.

Good advice from incrediBILL, thanks.
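
For the point above about compromised PDFs sitting unnoticed on a system, an added example (not part of the original thread): a Python triage scan that counts the PDF name tokens for embedded JavaScript and auto-run actions, including names written with #xx escapes or packed inside Flate-compressed streams. The function names and the sample bytes are constructed for illustration; a hit is a reason to look closer at a file, not proof that it is malicious.

```python
import re
import zlib

# Names worth a second look: embedded script and actions that run without a click.
WATCHED = ("JavaScript", "JS", "OpenAction", "AA", "Launch")
NAME = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)

def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript is counted as /JavaScript."""
    unescaped = HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return unescaped.decode("latin-1")

def stream_bodies(data: bytes):
    """Yield each stream body, inflated when it is Flate-compressed."""
    for match in STREAM.finditer(data):
        body = match.group(1)
        try:
            # decompressobj tolerates the end-of-line bytes before "endstream"
            yield zlib.decompressobj().decompress(body)
        except zlib.error:
            yield body  # other filter or plain text: scan the bytes as stored

def scan_pdf_bytes(data: bytes) -> dict:
    """Count watched names outside streams and inside every stream body."""
    counts = dict.fromkeys(WATCHED, 0)
    blobs = [STREAM.sub(b"", data), *stream_bodies(data)]
    for blob in blobs:
        for match in NAME.finditer(blob):
            name = decode_name(match.group(1))
            if name in counts:
                counts[name] += 1
    return counts

def has_active_content(data: bytes) -> bool:
    return any(scan_pdf_bytes(data).values())

# Constructed samples (token-level fragments, not complete PDF files).
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SAMPLE_ESCAPED = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
                  b"3 0 obj\n<< /S /J#61vaScript /JS (void 0;) >>\nendobj\n")
SAMPLE_PACKED = (b"%PDF-1.5\n5 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
                 + zlib.compress(b"<< /S /JavaScript /JS (void 0;) >>")
                 + b"\nendstream\nendobj\n")
```

To check a file on disk, pass its contents: `scan_pdf_bytes(open(path, "rb").read())`. Encrypted PDFs and streams using filters other than Flate are not decoded by this scan.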

11:30 am on Jan 15, 2010 (gmt 0)

Senior Member from LK 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2417
votes: 17



1. Don't open files from unknown senders
2. Beware files on untrusted sites
3. Disable javascript except on whitelisted sites
4. Avoid Internet Explorer as much as possible

I agree, but Acrobat seems to be to PDF, what IE is to HTML.

After all, every time we visit an untrusted site, our web browsers are opening files from it, and we expect them to be secure.

"(I've never figured out why it would be useful to have javascript in something that is essentially a printer friendly format)."

Forms.

Some of the other readers are implementing Javascript because otherwise they cannot replace Acrobat Reader in some environments.

7:36 pm on Jan 15, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member jomaxx is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 6, 2002
posts:4768
votes: 0


That just begs the question of why PDF documents need the ability to submit forms in the first place. Or why the forms need to be validated by Javascript, which is a process easily circumvented anyway.

But anyway, it's in there and it'll be years before most people have updated to a more secure release.

10:01 pm on Jan 15, 2010 (gmt 0)

Administrator from US 

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 25, 2005
posts:14624
votes: 88


"After all, every time we visit an untrusted site, our web browsers are opening files from it, and we expect them to be secure."

No, I never expect an untrusted site to be secure, that's why it's called UNTRUSTED.

Considering the large quantity of hacked sites on shared services, approaching them as anything but potentially hostile is a bad idea.

That's why many of us surf with javascript and other features disabled unless it's whitelisted.

The internet is no different than the real world, you never know what kind of neighborhood you're in until you get car jacked (or worse) and by then it's too late so be careful.