Adobe Acrobat and the Dangers of Browser Plug-ins

Discussion in 'other security issues & news' started by Rmus, Apr 29, 2009.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    It's not just Adobe, of course, for other Applications have Plug-ins. These show in Firefox:

    [Image: ff-PluginsDisable.gif]

    If I had Quicktime installed, I would see that Plug-in.

    Plug-in (computing)
    http://en.wikipedia.org/wiki/Plugin
    "On demand" is a nice concept. The Adobe Acrobat Plug-in allows the user to have the PDF file open directly in the Browser, rather than having to launch Acrobat Reader.

    However, like many "features," Plug-ins can be exploited for less than admirable purposes. Many of the current exploits against Adobe's Acrobat Reader use code specifying the Plug-in. Excerpt from an analysis:

    [Image: code1.gif]

    Another code I've seen that works is:

    Code:
    <script>
    // Writes an iframe whose source is a PDF; with the Acrobat Plug-in enabled, the browser loads it inline without prompting
    document.write('<iframe src="test.pdf"></iframe>')
    </script>
    Unfortunately, these have the potential to bypass the Browser's settings to Prompt for Action. I've tested in both Firefox and Opera and found this to be so.

    If you disable the Plug-ins, the Drive-by exploit will not work. In normal PDF viewing of a document on the Web you will get a Prompt for action, where Opening the file will launch the user's Reader, whatever it may be:

    [Image: ff-pdfDownloadPrompt.gif]

    You can test your browser's settings as I've done. Just paste the above code into Notepad and save it as an HTML file. Put it and any PDF file in the same directory, then open the HTML file in your Browser. (Make sure your PDF filename is the same as the one in the code.)

    [Image: folder.gif]

    There are other ways of stopping this exploit as I've shown in other threads, but handling the Plug-in issue would seem to be an easy one to take care of. It might cause people to become more informed about Plug-ins in general.

    Stay Alert!

    ----
    rich
     
    Last edited: May 1, 2009
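As an added example (not part of the thread or either poster's code), here is a small defender-side scanner that flags HTML carrying the auto-load pattern discussed above: an iframe, embed or object pointing at a PDF, with hidden or zero-sized frames called out separately. It does a static parse only, so markup written at runtime by document.write (as in the snippet above) would have to be scanned from the rendered DOM instead; the sample page is constructed for illustration.

```python
"""Flag HTML that would load a PDF through the browser plug-in without a prompt."""
from html.parser import HTMLParser

PDF_MIME = "application/pdf"


def _looks_hidden(attrs):
    """True when the element is styled invisible or has a 0/1 pixel box."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        w = int(attrs.get("width") or "100")
        h = int(attrs.get("height") or "100")
    except ValueError:  # percentages or other non-integer sizes
        return False
    return w <= 1 or h <= 1


class PdfEmbedScanner(HTMLParser):
    """Collects iframe/embed/object elements whose source is a PDF."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "embed", "object"):
            return
        a = dict(attrs)
        src = a.get("src") or a.get("data") or ""
        mime = (a.get("type") or "").lower()
        # Match on the file extension (ignoring any query string) or on the declared MIME type
        if not (src.lower().split("?")[0].endswith(".pdf") or mime == PDF_MIME):
            return
        self.findings.append({"tag": tag, "src": src, "hidden": _looks_hidden(a)})


def scan_html(html):
    """Return a list of findings, one per PDF-loading element, in document order."""
    scanner = PdfEmbedScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample page: one hidden drive-by style frame, one ordinary visible embed,
# and one iframe that does not load a PDF at all.
SAMPLE = """<html><body>
<p>Nothing to see here.</p>
<iframe src="test.pdf" width="0" height="0"></iframe>
<embed src="/docs/report.pdf" type="application/pdf" width="600" height="400">
<iframe src="page.html"></iframe>
</body></html>"""
```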
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    One thing regarding Foxit, which I've also mentioned in an article on the subject: the vulnerability is in the plugin for JBIG2 and JPEG2000 images, but this plugin is not installed by default.

    So, you get an update for something you might not be vulnerable in the first place.

    See here if you're interested:
    http://www.dedoimedo.com/images/com...bilities-foxit-reader-jbig2-vulnerability.jpg

    It's like Office updates for Outlook. Even though I don't use it, I get to see it here and there occasionally ...

    Cheers,
    Mrk
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Evidently there has been a Foxit plugin for Firefox since Foxit v.3:

    Foxit PDF Reader 3.0 for Windows now works with Firefox
    http://www.downloadsquad.com/2008/11/24/foxit-pdf-reader-3-0-for-windows-now-works-with-firefox/

    In several forums users have complained that before this plugin, you had to save the PDF file and then open it.

    This is not correct, as shown in my screen shot above. When you are prompted (both in Firefox and Opera), one option is to open the file directly in the Reader. True, you have a separate instance of Foxit running rather than reading the file in the browser. However, this is not much of an inconvenience when you realize that you effectively prevent the drive-by download attack, should such an exploit be targeted against Foxit later!

    EDIT: By separate instance of Foxit running, I mean the Reader application launches. But a Reader process starts even when the PDF document displays in the browser. You can verify this in Task Manager.

    Here is the potential danger of the drive-by attack: It is an exploit against the Reader, not the Browser. Disabling the Plugin prevents the Reader process from starting and forces the browser to prompt the user for action.

    ----
    rich
     
    Last edited: Apr 30, 2009