Recent explosions of Petko D. Petkov (pdp)’s pwning lust should teach us a lesson: documents should be documents, not programs!

We’ve seen MP3 tunes pwning Firefox (and NoScript promptly counter-pwning), Windows playlists pwning browser security, and finally PDF documents pwning Windows PCs.
This latest “disclosure” sounds like a strange case of pwnatio precox, since Petko didn’t bother to reveal any detail about the flaw. All he said is

Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!! All it takes is to open a PDF document or stumble across a page which embeds one.

I’ve got no problem with believing his words, since the stuff we keep calling “documents” became containers for all kinds of executable code long time ago, either intentionally (script embedding) or by accident (buffer overflows, often due to an overly complex format driven by creeping featurism).

I (like many people, I guess) do have problems with his suggested work-around:

My advise for you is not to open any PDF files (locally or remotely).

This is something no business can afford, plain and simple.
The real fix would be vendors stopping with these crazy mixes of data and code, but it’s something they seem not even considering.
So, how can we mitigate risks of this kind, which surely won’t go away even when Adobe will fix this specific PDF issue?

OK, I’m obviously biased here, but did you ever notice the

NoScript Options/Advanced/Plugins

panel?
NoScript content blocking options
It provides quite a flexible way to block Java, Flash, Silverlight and all the other plugins such as Acrobat Viewer, Windows Media Player and QuickTime, just to name the ones featured in pdp’s researches.
If you check all the

Forbid…

checkboxes but the last (IFRAMES), all types of plugin-handled, potentially dangerous content will be blocked by default if coming from unknown (and therefore untrusted) sites.
You’ll get a nice placeholder with the NoScript logo instead: you just click it, and you activate the content on the fly if you deem it’s trustworthy.
If you’re a paranoid like me, you may want to trade some usability for maximum security and check also the

Apply these restrictions to trusted sites too

option, which will mandate on-demand activation everywhere.

I heard someone saying

security × usability = K

.
If it’s true (and I hope some day it won’t necessarily be), NoScript tries hard to pump that

K

as much high as it can be.

6 Responses to “Don’t Open That Doc!”

  1. #1 Fulippo says:

    “My advise for you is not to open any PDF files (locally or remotely).”
    I think that adobe wouldn’t agree with him.. ;)
    As always, noScript seems to be the all-in-one solution for a web safe navigation but it can’t be useful in a non-web contest where pdfs are often used.
    I would be curious to know what kind of vulnerability the pdf can use.. or maybe it’s just a personal quest against Adobe?

  2. #2 Giorgio says:

    The video and the few details Petko added in this comment and later, may suggest that

    1. We’re still in the cross-application request forgery domain, since it requires IE7
    2. It shouldn’t work on Vista (nor on any non-Windows OS, of course — worth to be said for all those Microsoft zealots out there)
    3. It should be mitigated by using an alternate PDF renderer, such as Sumatra PDF Portable (open source) or Foxit Reader
  3. #3 nap says:

    I’ve been getting spam as pdf files. Didn’t open them because i guessed there was some virus in them (why else would you spam with pdfs?). If you want I can maybe recover some if you want to dissect them.

  4. #4 Giorgio says:

    @nap:
    “Proper” PDF spam is a well known trend, apparently declining these days, not necessarily an infestation vector.
    Nevertheless, PDF as a malware vehicle is quite old news, so malicious mail with an attachment exploiting either an old or a new PDF vulnerability wouldn’t come as a big surprise.

  5. #5 securology says:

    Still more separation of code and data

    Separating code from data is a HUGE problem (possibly a root of all remote code execution evil). Here’s more info, some of it new, some of it very old …

  6. #6 Tom Hamilton says:

    Dear Giorgio,
    I have a apple computer, with the “tiger system” will no script work with it and is it necessary (are there javascript problems that will affect my computer?)
    thanks for your time.

Bad Behavior has blocked 7078 access attempts in the last 7 days.