Question about malicious pdf

Hello all,

This question came up after I read this link:
https://www.us-cert.gov/cas/techalerts/TA10-279A.html

Why is a pdf file not recommended to be opened inside a browser whereas the same file can be downloaded and openend separately? I mean if the pdf file is malicious it WILL harm the system whether opened inside the browser or separately right??

Please help

 

No expert here, but the way I interpret it is that the browser opening is potentially more dangerous because it's automatic by default in IE, thus the suggestion to mitigate the problem by disabling that feature in the browser.

 

Hi wat,

What difference does it make if the malicious pdf is opened automatically or manually? If it's bound to damage your system, opening the malicious pdf manually and not automatically in the browser will only delay the inevitable by a few seconds...

 

Maybe the browser plug-in could be exploited? I'm only speculating, of course.

 

That is correct, and I think the advisory covers both scenarios:

As you say, the file can be downloaded, but you have the choice to do so or not.

Whereas,

In this scenario, it is opened without any action on your part.

In both cases, the malicious code will run the exploit if other measures are not in place.

The Advisory's suggestion to disable PDF files from displaying in the browser
prevents the file from opening automatically,
and results in the user being prompted to open the file,
should the user encounter one on a compromised website:



To which the Advisory concludes,

regards,

-rich

 

It's to cover all the circumstances in which a PDF exploit can be used to infect your system.

Just to add to Rmus's post, security about PDF readers isn't just dealing with the risk of a maliciously crafted PDF either.

If a trusted site had been hacked and had a script added to run a particular Exploit Kit - then when you visited that site, the Exploit Kit would attempt to exploit any known vulnerabilities in the PDF plugin in the browser.

For that reason it's generally safer not to even have a PDF plugin installed, but it's also perfectly reasonable to mitigate this threat with things like Noscript, a sandbox, or some kind of anti-executable/firewall.

Just take a look at these stats from a malware server, a decent proportion of the successful exploits were due to vulnerabilities in the PDF plugin:
http://labs.m86security.com/wp-content/uploads/2011/06/Statistics.png

The popular myth is that Adobe Flash and PDF are the most insecure apps, but notably Sun Java is actually the most exploited application from all the stats I've seen.

 

Hi RJK3,

Nice summary of the current scene.

I haven't looked at exploit kits in a while - in the past, the payload has been trojan executables. Has anything changed? Your link doesn't give details about the payloads.

If the payloads have not changed, then it really doesn't matter which software vulnerability is being exploited,
since the protective measures you've mentioned take care of the problem, should the user be caught without the current update of the software:

​

regards,

-rich

 

Hi Rich - I suppose not much has changed then in terms of payloads. Also probably many of the vulnerabilities from when you last looked are still being successful today.

That particular stats page was from a Blackhole Exploit Kit, which usually leads to a banking trojan such as Zeus/Zbot.

Most of the people I help post-virus infection think that security starts and finishes with an antivirus; I can easily imagine many of them simply clicking 'allow' when presented with such a message

 

Sorry for late reply. So the question is if a malicious pdf file,
which exploits the pdf browser plugin is saved and opened
separately, will it cause any problems or not ?

 

It depends!

• If opened in a PDF Reader other than Adobe, probably not, since exploits against other Readers are not so widespread.
  
  
• If opened in a current version of Adobe with Sandbox, probably not, since it is supposed to contain the malware within its sandbox.
  
  
• If opened in an older version of Adobe, several things might happen (assuming the vulnerability is not patched):
  
  
  • If the code inside the PDF file attempts to connect to the internet to download malware, a firewall that monitors outbound connections will alert:
    
    
    
    
    
  • If no firewall, or if the PDF file has a malware executable embedded, then other protection will be needed to block it.

So, various scenarios are possible!

regards,

-rich

 

Thx for the quick reply Rmus

Am using LUA/SRP/Sandboxie/NIS 2012/EMET/Secunia PSI
in Win XP SP3. Do you think a vulnerable pdf browser plugin
being exploited will affect a system with above security
config?

 

I know that Sandboxie is supposed to contain any malware that executes, and SRP is supposed to be effective as Default-Deny, but I have not tested any of those solutions myself, so I can not speak with any first hand knowledge.

regards,

-rich