Report: Malicious PDF files comprised 80 percent of all exploits for 4th quarter 2009

http://blogs.zdnet.com/security/?p=5473

 

This article is a little confusing. The title says Report: Malicious PDF files comprised 80 percent of all exploits for 2009. But the article says "A newly released report shows that based on more than a trillion Web requests processed in 2009, the use of malicious PDF files exploiting flaws in Adobe Reader/Adobe Acrobat not only outpaced the use of Flash exploits, but also, grew to 80% of all exploits the company encountered throughout the year."

The "report" highlighted in red above was, appropriately, a direct pdf link to the report cited.

 

Interesting article, MrBrian!

Others have also noted the trend towards exploiting Adobe:

2010 Predictions
http://www.avertlabs.com/research/b...of-a-major-social-networking-security-breach/

From the zdnet blog:

This, of course, applies to other software:

https://www.bluecoat.com/blog/look-google-hack-aka-aurora-attack

From the zdnet blog:

I divided this into two questions. You can replace "Adobe" with "Microsoft" and arrive at the same answers.

For [1] the answer depends on your perspective. If you accept the premise that any set of code has the potential to be exploited, then no one product is any more or less insecure than another. One of the reader comments at the end of the blog stated, "Use Foxit." However, Foxit has been targeted:

​

So, Foxit is neither more nor less secure than Adobe, but because of Adobe's market share, its Reader is targeted more than Foxit's, reinforcing one of the points of the zdnet blog.

For [2] the answer surely is Yes. And here, we reach an interesting dilemma: using the latest version prevents exploitation, yet there have been instances where Adobe's (and Microsoft's) update has been delayed, exposing millions to the possibility of infection.

However, just because Adobe issues one doesn't mean that everyone automatically updates. This of course, is not specific to Adobe users, because the vulnerability in Windows that the Conficker worm exploited had been patched for two months prior to the emergence of said worm in the wild.

On the other hand, if you follow these PDF exploits, you realize that they all have the same goal: to install a trojan executable.

PDF Babushka
2010-01-14
http://isc.sans.org/diary.html?storyid=7984

Unfortunately, the many solutions available for specific prevention of such an exploit (installation of a trojan downloader by remote code execution) remain in the domain of the niche group of people who frequent security forums.

​

Cybercriminals could care less about discussions of HIPS or execution protection security, since they know only a small minority of computer users have such protection.

And so it goes...

----
rich

 

Hey, I actually just joined this forum in regard to this issue. I'm no security expert, but I was thinking this morning, it would be great if somebody could do a test on the major PDF readers out there and see which one's are more secure. If I understand correctly, some of the more basic PDF readers out there do not include javascript functionality, so they would be more secure.

So, does anybody out there who has a linux machine, running windows inside a vhd, want to test this out? I don't have the ability to right now, but yeah, if somebody wanted to it would make a great experiment:

- Basically, set up a clean install of windows in the VM, with basic security software (to detect an infection).

- Download the various PDF readers out there (Adobe, FoxIT, Sumatra, etc.) and test each of them using known malicious PDF files.

- Find out which one's are the safest.

- Post the results here.

 

Testing and Patching

Not all of the exploits against the Acrobat Reader required Javascript:

Adobe Acrobat pdf 0-day exploit, No JavaScript needed!
http://isc.sans.org/diary.html?storyid=5926

Why turning off Javascript won't help this time
http://blog.fireeye.com/research/2009/07/actionscript_heap_spray.html

YA0D (Yet Another 0-Day) in Adobe Flash player
http://isc.sans.org/diary.html?storyid=6847

Foxit is one of the other Readers that includes Javascript:

A Very Brief History of Foxit Reader and JavaScript
http://blog.didierstevens.com/category/vulnerabilities/

That test would be inconclusive, in that it would just demonstrate that known exploits won't work on the latest versions of the Readers, or on a particular brand of Reader, since the exploit has to target code specific to a Reader. [Example: Foxit exploit won't work against Acrobat or Sumatra]

The real test is when new exploits are discovered, such as in the past against Acrobat and Foxit: they show that these Readers can indeed be exploited.

As to the other brands -- they have been ignored by cybercriminals, probably not because they cannot be exploited, rather, because the number of users is miniscule, therefore, making the effort not worthwhile.

So, one might feel more secure in using one of the lesser-known Readers, but could not say with certainty that it is impervious to exploitation.

Same thing with the Firefox browser. In its early years, no one dared suggest that FF could be exploited, as is the case with IE. Now, it's common place:

Known Vulnerabilities in Mozilla Products
http://www.mozilla.org/security/known-vulnerabilities/

It's just that FF, not being integrated with the Operating System as is IE, is easier to patch very quickly.

For reasons not completely understood, Adobe is not always forthcoming with a quick patch.

From the first PDF link:

Adobe to patch zero-day Reader, Acrobat hole
http://news.cnet.com/8301-27080_3-10416816-245.html

How would PDF Readers such as Sumatra fare should it be exploited? Who knows. Would you feel safe, thinking that it can't be exploited?

NOTE: I have not investigated all of the PDF Readers. That might be a good research project for you to see if there are barebones Readers out there that claim that they can't be exploited to run malicious code.

A parallel exists with the Microsoft Document Viewers. For years, people (including myself) advocated opening unknown MSWord documents in the Viewer, which, it was thought, could not run Macros and other code. Not so, it turns out:

Vulnerability in Microsoft Word Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/Bulletin/ms08-009.mspx

Later, the Excel Viewer:

Vulnerabilities in Microsoft Office Excel Could Cause Remote Code Execution
http://www.microsoft.com/technet/security/bulletin/ms09-009.mspx

While it may give comfort to think that a particular application hasn't been exploited, nonetheless, the potential for such exploitation may exist, and one should have security measures in place to deal with it, as far as possible.

----
rich

 

Re: Testing and Patching

Wow, that's a lot of useful information. Thanks! (Btw, I'm just getting into the IT field (20), and I'm very interested in security issues)

One last thing: I know with google, if you search and find a .pdf file on the internet, it gives you the option to view it as html. Do you think this is safe?

Edit: I just look it up, and google only allows this option for PDFs that it has personally already cached, so it's not all that useful.


However, I did some googling, and I came up with some interesting links.

The first option I can think of to safely open a PDF, is to use google docs to upload and open the PDF file. I would assume, because the application is web based, that there wouldn't be as much of a problem with exploits happening. I could be wrong, but hey, it's worth a shot. Bonus points to anyone who will try this route with a known-infected PDF file in a VM. It would be very interesting to see if google's solution is safe or not, because it ties in so well with Gmail/Google apps.

I also came across a "secure" PDF reader...According to their product page, anyway (Plus it's free as a viewer):
http://www.bluebeam.com/pdfviewer/
I'm going to install this and try it out (Not with any infected files or anything, but just to test it's functionality)


And finally some other options that exist:

Convert a PDF to HTML/TXT:
http://www.adobe.com/products/acrobat/access_onlinetools.html

Convert a PDF to SVG:
http://freesvg.texterity.com:90/

Convert a PDF to TXT:
http://www.ctdeveloping.com/ctdeveloping/products/pdftextreader_info.asp

Online PDF viewers/editors:
http://www.nitropdf.com/free/hammer/index.htm
http://www.pdfescape.com/

 

Welcome to the forums Vicenarian.

I consider myself quite security-conscious, but nonetheless I don't hesitate to open PDFs from the Internet with Adobe Reader, because:

a) I've turned off Adobe Reader JavaScript, and adjusted a few other Adobe Reader settings from their less secure defaults.
b) In my current XP setup, I am running Adobe Reader as 'Basic User' in Software Restriction Policies. In my new Windows 7 x64 setup, I plan on running as a standard (i.e. limited) user.
c) In my current XP setup, I have a program - Comodo Internet Security - that hopefully handles most buffer overflows. In my new Windows 7 x64 setup, Address Space Layout Randomization and hardware-enforced Data Execution Prevention will be used.
d) In my current XP setup, I have execution control via Comodo Internet Security. In my new Windows 7 x64 setup, I plan on having execution control via Software Restriction Policies or AppLocker.
e) My browser is configured to download (with prompting) PDFs, instead of opening them automatically.
f) I keep Adobe Reader up to date.
g) I use realtime antivirus protection that scans PDF files.
h) I use Web of Trust in Firefox to warn about sites that other users have had trouble with.

With such security measures in place, I feel that my risk from malicious PDFs is acceptably low.

 

This, I would re-evaluate.

Check out this site for more information about the difficulty that all AV vendors face with this particular issue:

http://blog.didierstevens.com/