Adobe Acrobat and the Dangers of Browser Plug-ins

It's not just Adobe, of course, for other Applications have Plug-ins. These show in Firefox:

​

If I had Quicktime installed, I would see that Plug-in.

Plug-in (computing)
http://en.wikipedia.org/wiki/Plugin

"On demand" is a nice concept. The Adobe Acrobat Plug-in allows the user to have the PDF file open directly in the Browser, rather than having to launch Acrobat Reader.

However, like many "features," Plug-ins can be exploited for less than admirable purposes. Many of the current exploits against Adobe's Acrobat Reader use code specifying the Plug-in. Excerpt from an analysis:

​

Another code I've seen that works is:

Code:

<script>
			
document.write('<iframe src="test.pdf"></iframe>')

</script>

Unfortunately, these have the potential to bypass the Browser's settings to Prompt for Action. I've tested in both Firefox and Opera and found this to be so.

If you disable the Plug-ins, the Drive-by exploit will not work. In normal PDF viewing of a document on the Web you will get a Prompt for action, where Opening the file will launch the user's Reader, whatever it may be:

​

You can test your browser's settings as I've done. Just paste the above code into Notepad and save as an HTML file. Put it and any PDF file in the same directory, then open the HTML file in your Browser. (Make sure your pdf filename is the same that is in the code)

​

There are other ways of stopping this exploit as I've shown in other threads, but handling the Plug-in issue would seem to be an easy one to take care of. It might cause people to become more informed about Plug-ins in general.

Stay Alert!

----
rich

 

One thing regarding Foxit ... which I've also mentioned in an article on the subject, the vulnerability is in the plugin for jbig2 and jpeg2000 images, but this plugin is not installed by default.

So, you get an update for something you might not be vulnerable in the first place.

See here if you're interested:
http://www.dedoimedo.com/images/com...bilities-foxit-reader-jbig2-vulnerability.jpg

It's like Office updates for Outlook. Even though I don't use it, I get to see it here and there occasionally ...

Cheers,
Mrk

 

Evidently there has been a Foxit plugin for Firefox since Foxit v.3 :

Foxit PDF Reader 3.0 for Windows now works with Firefox
http://www.downloadsquad.com/2008/11/24/foxit-pdf-reader-3-0-for-windows-now-works-with-firefox/

In several forums users have complained that before this plugin, you had to save the PDF file and then open.

This is not correct, as shown in my screen shot above. When you are prompted (both in Firefox and Opera), one option is to open the file directly in the Reader. True, you have a separate instance of Foxit running rather than reading the file in the browser. However, this is not much of an inconvenience when you realize that you effectively prevent the drive-by download attack, should such an exploit be targeted against Foxit later!

EDIT: By separate instance of Foxit running, I mean the Reader application launches. But a Reader process starts even when the PDF document displays in the browser. You can verify this in Task Manager.

Here is the potential danger of the drive-by attack: It is an exploit against the Reader, not the Browser. Disabling the Plugin prevents the Reader process from starting and forces the browser to prompt the user for action.

----
rich