Problems? See this thread at archive.org.)
http://news.techworld.com/security/...ble-to-hackers/?cmpid=TD1N2&no1x1#fbPermalink
Foxit PDF reader vulnerable to hackers
Infected PDFs feed users malware
By Gregg Keizer | Computerworld US
Published: 10:20 GMT, 07 April 10
Reacting to a demonstration that showed how attackers could force-feed malware to users without exploiting an actual vulnerability, Foxit Software patched its PDF viewer last week. But the Belgian researcher who showed how hackers could run executable code on a Windows PC from a malformed PDF said today that Foxit's fix didn't protect users from his attack tactics.
The April 1 update to Foxit Reader, a popular alternative to Adobe's own Reader, adds a warning that pops up when a PDF tries to launch an executable, a function that's permitted by the PDF specification. The change makes Foxit Reader behave similarly to Adobe Reader, which already sports such a warning.
"Foxit adds prompts to all popups within PDFs," said Christina Wu of Foxit. "For example, if there is a .txt or .exe file [that] is going to open within a PDF, the old version of Reader will launch the file by calling the associated program from your system, without any inquiry. [The update] will detect it and launch a prompt to ask you if you want to execute it or not."
Adobe patches PDF vulnerabilities | Adobe PDF Reader users targetted in phishing scam | Google China hackers used IE zero-day, not PDF
Didier Stevens, the researcher who last week demonstrated a multi-stage attack using the /Launch function, said that his proof-of-concept code, which he has not released to the public, still works when pitted against the updated Foxit Reader.
"The interesting thing about this fix is that it breaks my Foxit [proof-of-concept, or PoC], but... the Adobe PoC works for Foxit now," said Stevens in an entry on his blog today. Previously, Stevens was forced to come up with a separate workaround to successfully attack Foxit with a malformed PDF.
Stevens' technique doesn't require an underlying vulnerability in either Adobe Reader or Foxit Reader; all attackers need to do is dupe users into opening a malicious PDF. And last week, Stevens said that although Adobe Reader displays a warning when an executable inside a PDF file is launched, he had found a way to partially modify Adobe's warning to encourage a potential victim to allow the launch action.
While that kind of social engineering-based attack is nothing new, until now hackers needed an exploit of an unpatched software vulnerability to pull off a successful attack delivered via PDFs. In other words, a Windows PC that has a fully-patched, up-to-date copy of Adobe Reader or Foxit Reader can be exploited via rogue PDFs using Stevens' strategy.
-
-
-
-
The PDF 'vulnerability' in Adobe Reader and Foxit reader (vulnerability between brackets because it's actually really only the feature to run executables which is being exploited) can lead to embedded malware, as Tinderbox has pointed out in the TS.
Security outfit SophosLabs has an example on this Sophos blog page.
The standard PDF reader function to run executables, is used to infect the user with an embedded trojan.
Just downloading such a PDF will not infect your computer but if you open the PDF with Adobe Reader or Foxit reader, you will be presented with a fake message.
The message itself will normally warn you about running an executable (in this case the trojan) but because the malware writers change a part of the message (in blue), it will/can read something like this;
![[IMG]](images/storyImages/fiel.jpg)
Ofcourse, the PDF is not damaged at all, it's only got a trojan inside...
The message in blue is fake.(obviously; fiel?)
But if you would click Open, then the trojan will be installed.
Make sure you understand that Adobe Reader and Foxit Reader both have these options to run executables as a standard feature.
On this Adobe blog page, it's explained how you can prevent running embedded executables in a PDF, using the Adobe Reader Trust Manager.
You only have to change one default setting so make sure to uncheck the appropriate box as shown on the blog page.
Foxit Reader doesn't offer this option (yet), I've asked through their forum for a similar option as in Adobe Trust Manager but sofar there is no news about it. -
The .pdf format has neevr been very secure, so this doesn't surprise me. Still, Foxit is usually MUCH more secure than Adobe, for obvious reasons. Just be careful what websites you go to and what you open.
-
Most people use Adobe, so any exploits tend to target that program.
-
Well from past experiences and hacks, Adobe is *almost* always the one getting targeted, so that's why I said it.
In never claimed it was because Adobe wasn't actually written as well as Foxit or anything.
-
Good point.
Foxit PDF reader vulnerable to hackers
Discussion in 'Security and Anti-Virus Software' started by Tinderbox (UK), Apr 8, 2010.
