Report: Malicious PDF files comprised 80 percent of all exploits for 4th quarter 2009

Discussion in 'other security issues & news' started by MrBrian, Feb 16, 2010.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  2. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    This article is a little confusing. The title says Report: Malicious PDF files comprised 80 percent of all exploits for 2009. But the article says "A newly released report shows that based on more than a trillion Web requests processed in 2009, the use of malicious PDF files exploiting flaws in Adobe Reader/Adobe Acrobat not only outpaced the use of Flash exploits, but also, grew to 80% of all exploits the company encountered throughout the year."

    The "report" highlighted in red above was, appropriately, a direct pdf link to the report cited. :argh:
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Interesting article, MrBrian!

    Others have also noted the trend towards exploiting Adobe:

    2010 Predictions
    http://www.avertlabs.com/research/b...of-a-major-social-networking-security-breach/
    From the zdnet blog:

    This, of course, applies to other software:

    https://www.bluecoat.com/blog/look-google-hack-aka-aurora-attack
    From the zdnet blog:

    I divided this into two questions. You can replace "Adobe" with "Microsoft" and arrive at the same answers.

    For [1] the answer depends on your perspective. If you accept the premise that any set of code has the potential to be exploited, then no one product is any more or less insecure than another. One of the reader comments at the end of the blog stated, "Use Foxit." However, Foxit has been targeted:

    [images: foxit-2pdfAnalysis.gif, foxit-2pdfCVE.gif]

    So, Foxit is neither more nor less secure than Adobe, but because of Adobe's market share, its Reader is targeted more than Foxit's, reinforcing one of the points of the zdnet blog.

    For [2] the answer surely is Yes. And here, we reach an interesting dilemma: using the latest version prevents exploitation, yet there have been instances where Adobe's (and Microsoft's) update has been delayed, exposing millions to the possibility of infection.

    However, just because Adobe issues one doesn't mean that everyone automatically updates. This of course, is not specific to Adobe users, because the vulnerability in Windows that the Conficker worm exploited had been patched for two months prior to the emergence of said worm in the wild.

    On the other hand, if you follow these PDF exploits, you realize that they all have the same goal: to install a trojan executable.

    PDF Babushka
    2010-01-14
    http://isc.sans.org/diary.html?storyid=7984
    Unfortunately, the many solutions available for specific prevention of such an exploit (installation of a trojan downloader by remote code execution) remain in the domain of the niche group of people who frequent security forums.


    Cybercriminals could care less about discussions of HIPS or execution protection security, since they know only a small minority of computer users have such protection.

    And so it goes...

    ----
    rich
     
  4. Vicenarian

    Vicenarian Registered Member

    Joined:
    Feb 17, 2010
    Posts:
    7
    Hey, I actually just joined this forum in regard to this issue. I'm no security expert, but I was thinking this morning, it would be great if somebody could do a test on the major PDF readers out there and see which ones are more secure. If I understand correctly, some of the more basic PDF readers out there do not include JavaScript functionality, so they would be more secure.

    So, does anybody out there who has a Linux machine, running Windows inside a VHD, want to test this out? I don't have the ability to right now, but yeah, if somebody wanted to it would make a great experiment:

    - Basically, set up a clean install of Windows in the VM, with basic security software (to detect an infection).

    - Download the various PDF readers out there (Adobe, FoxIT, Sumatra, etc.) and test each of them using known malicious PDF files.

    - Find out which ones are the safest.

    - Post the results here.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Testing and Patching

    Not all of the exploits against the Acrobat Reader required Javascript:

    Adobe Acrobat pdf 0-day exploit, No JavaScript needed!
    http://isc.sans.org/diary.html?storyid=5926

    Why turning off Javascript won't help this time
    http://blog.fireeye.com/research/2009/07/actionscript_heap_spray.html

    YA0D (Yet Another 0-Day) in Adobe Flash player
    http://isc.sans.org/diary.html?storyid=6847

    Foxit is one of the other Readers that includes Javascript:

    A Very Brief History of Foxit Reader and JavaScript
    http://blog.didierstevens.com/category/vulnerabilities/
    That test would be inconclusive, in that it would just demonstrate that known exploits won't work on the latest versions of the Readers, or on a particular brand of Reader, since the exploit has to target code specific to a Reader. [Example: Foxit exploit won't work against Acrobat or Sumatra]

    The real test is when new exploits are discovered, such as in the past against Acrobat and Foxit: they show that these Readers can indeed be exploited.

    As to the other brands -- they have been ignored by cybercriminals, probably not because they cannot be exploited, rather, because the number of users is minuscule, therefore, making the effort not worthwhile.

    So, one might feel more secure in using one of the lesser-known Readers, but could not say with certainty that it is impervious to exploitation.

    Same thing with the Firefox browser. In its early years, no one dared suggest that FF could be exploited, as is the case with IE. Now, it's commonplace:

    Known Vulnerabilities in Mozilla Products
    http://www.mozilla.org/security/known-vulnerabilities/
    It's just that FF, not being integrated with the Operating System as is IE, is easier to patch very quickly.

    For reasons not completely understood, Adobe is not always forthcoming with a quick patch.

    From the first PDF link:

    Adobe to patch zero-day Reader, Acrobat hole
    http://news.cnet.com/8301-27080_3-10416816-245.html
    How would PDF Readers such as Sumatra fare should they be exploited? Who knows. Would you feel safe, thinking that it can't be exploited?

    NOTE: I have not investigated all of the PDF Readers. That might be a good research project for you to see if there are barebones Readers out there that claim that they can't be exploited to run malicious code.

    A parallel exists with the Microsoft Document Viewers. For years, people (including myself) advocated opening unknown MSWord documents in the Viewer, which, it was thought, could not run Macros and other code. Not so, it turns out:

    Vulnerability in Microsoft Word Could Allow Remote Code Execution
    http://www.microsoft.com/technet/security/Bulletin/ms08-009.mspx
    Later, the Excel Viewer:

    Vulnerabilities in Microsoft Office Excel Could Cause Remote Code Execution
    http://www.microsoft.com/technet/security/bulletin/ms09-009.mspx
    While it may give comfort to think that a particular application hasn't been exploited, nonetheless, the potential for such exploitation may exist, and one should have security measures in place to deal with it, as far as possible.

    ----
    rich
     
  6. Vicenarian

    Vicenarian Registered Member

    Joined:
    Feb 17, 2010
    Posts:
    7
    Re: Testing and Patching

    Wow, that's a lot of useful information. Thanks! (Btw, I'm just getting into the IT field (20), and I'm very interested in security issues)

    One last thing: I know with google, if you search and find a .pdf file on the internet, it gives you the option to view it as html. Do you think this is safe?

    Edit: I just looked it up, and google only allows this option for PDFs that it has personally already cached, so it's not all that useful.


    However, I did some googling, and I came up with some interesting links.

    The first option I can think of to safely open a PDF, is to use google docs to upload and open the PDF file. I would assume, because the application is web based, that there wouldn't be as much of a problem with exploits happening. I could be wrong, but hey, it's worth a shot. Bonus points to anyone who will try this route with a known-infected PDF file in a VM. It would be very interesting to see if google's solution is safe or not, because it ties in so well with Gmail/Google apps.

    I also came across a "secure" PDF reader...According to their product page, anyway (Plus it's free as a viewer):
    http://www.bluebeam.com/pdfviewer/
    I'm going to install this and try it out (Not with any infected files or anything, but just to test its functionality)


    And finally some other options that exist:

    Convert a PDF to HTML/TXT:
    http://www.adobe.com/products/acrobat/access_onlinetools.html

    Convert a PDF to SVG:
    http://freesvg.texterity.com:90/

    Convert a PDF to TXT:
    http://www.ctdeveloping.com/ctdeveloping/products/pdftextreader_info.asp

    Online PDF viewers/editors:
    http://www.nitropdf.com/free/hammer/index.htm
    http://www.pdfescape.com/
     
    Last edited: Feb 17, 2010
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Welcome to the forums Vicenarian.

    I consider myself quite security-conscious, but nonetheless I don't hesitate to open PDFs from the Internet with Adobe Reader, because:

    a) I've turned off Adobe Reader JavaScript, and adjusted a few other Adobe Reader settings from their less secure defaults.
    b) In my current XP setup, I am running Adobe Reader as 'Basic User' in Software Restriction Policies. In my new Windows 7 x64 setup, I plan on running as a standard (i.e. limited) user.
    c) In my current XP setup, I have a program - Comodo Internet Security - that hopefully handles most buffer overflows. In my new Windows 7 x64 setup, Address Space Layout Randomization and hardware-enforced Data Execution Prevention will be used.
    d) In my current XP setup, I have execution control via Comodo Internet Security. In my new Windows 7 x64 setup, I plan on having execution control via Software Restriction Policies or AppLocker.
    e) My browser is configured to download (with prompting) PDFs, instead of opening them automatically.
    f) I keep Adobe Reader up to date.
    g) I use realtime antivirus protection that scans PDF files.
    h) I use Web of Trust in Firefox to warn about sites that other users have had trouble with.

    With such security measures in place, I feel that my risk from malicious PDFs is acceptably low.
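A triage check of the kind Didier Stevens' pdfid performs, added here as an example and not code from this thread, from pdfid, or from any of the readers named: before a downloaded PDF is opened (measures e and g above; see also post 5 on readers that include JavaScript), it counts the name tokens that enable script and launch actions and the triggers that fire them on open, decoding the #xx escapes that can hide /JavaScript as /J#61vaScript. The two sample PDFs are constructed, and names inside compressed object streams are out of reach of a plain byte scan, which the result flags.

```python
import re

# Name tokens that pdfid-style triage counts: script and launch actions, the
# triggers that fire them on open, embedded payloads, and object streams.
RISKY_KEYWORDS = ("/JavaScript", "/JS", "/OpenAction", "/AA",
                  "/Launch", "/EmbeddedFile", "/RichMedia", "/ObjStm")
_NAME_TOKEN = re.compile(rb"/[^\s/<>\[\]()%{}]*")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed samples (not real malware): a minimal PDF whose OpenAction points at
# a JavaScript action with a hex-escaped name, and the same skeleton with no actions.
SAMPLE_OBFUSCATED = (b"%PDF-1.4\n"
                     b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
                     b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
                     b"3 0 obj << /S /J#61vaScript /JS (constructed-sample-script) >> endobj\n"
                     b"trailer << /Root 1 0 R >>\n%%EOF\n")
SAMPLE_PLAIN = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
                b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
                b"trailer << /Root 1 0 R >>\n%%EOF\n")

def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes inside name tokens, so /J#61vaScript reads /JavaScript."""
    def decode(match):
        return _HEX_ESCAPE.sub(lambda h: bytes([int(h.group(1), 16)]), match.group(0))
    return _NAME_TOKEN.sub(decode, data)

def count_risky_keywords(data: bytes) -> dict:
    """Count each risky name; the lookahead stops /JS matching inside longer names."""
    normalized = normalize_names(data)
    return {kw: len(re.findall(re.escape(kw.encode()) + rb"(?![A-Za-z0-9_])", normalized))
            for kw in RISKY_KEYWORDS}

def triage(data: bytes) -> dict:
    """Summarise what a defender should know before a reader is allowed to open the file."""
    counts = count_risky_keywords(data)
    return {
        "counts": counts,
        # Script, launch or rich-media actions: content the reader could execute.
        "active_content": any(counts[k] for k in ("/JavaScript", "/JS", "/Launch", "/RichMedia")),
        # /OpenAction and /AA fire an action with no click from the user.
        "auto_trigger": any(counts[k] for k in ("/OpenAction", "/AA")),
        "embedded_files": counts["/EmbeddedFile"] > 0,
        # Object streams are compressed, so a byte scan cannot see names stored inside them.
        "may_hide_in_objstm": counts["/ObjStm"] > 0,
    }

if __name__ == "__main__":
    for label, sample in (("obfuscated", SAMPLE_OBFUSCATED), ("plain", SAMPLE_PLAIN)):
        print(label, triage(sample))
```

A "may_hide_in_objstm" result means the keyword counts are a lower bound, and the file needs a tool that inflates the object streams before a verdict.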
     
  8. 0peratorX

    0peratorX Registered Member

    Joined:
    Feb 17, 2010
    Posts:
    16
    This, I would re-evaluate.

    Check out this site for more information about the difficulty that all AV vendors face with this particular issue:

    http://blog.didierstevens.com/
     