Recent explosions of Petko D. Petkov (pdp)'s pwning lust should teach us a lesson: documents should be documents, not programs!
We've seen MP3 tunes pwning Firefox (and NoScript promptly counter-pwning), Windows playlists pwning browser security, and finally PDF documents pwning Windows PCs.
This latest "disclosure" sounds like a strange case of pwnatio precox, since Petko didn't bother to reveal any detail about the flaw. All he said is:
"Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!! All it takes is to open a PDF document or stumble across a page which embeds one."
I have no problem believing his words, since the stuff we keep calling "documents" became containers for all kinds of executable code a long time ago, either intentionally (script embedding) or by accident (buffer overflows, often due to an overly complex format driven by creeping featurism).
I (like many people, I guess) do have problems with his suggested work-around:
"My advice for you is not to open any PDF files (locally or remotely)."
This is something no business can afford, plain and simple.
The real fix would be for vendors to stop these crazy mixes of data and code, but that's something they don't even seem to be considering.
So, how can we mitigate risks of this kind, which surely won't go away even once Adobe fixes this specific PDF issue?
OK, I'm obviously biased here, but did you ever notice the
panel?
It provides quite a flexible way to block Java, Flash, Silverlight and all the other plugins such as Acrobat Viewer, Windows Media Player and QuickTime, just to name the ones featured in pdp's research.
If you check all the
checkboxes but the last (IFRAMES), all types of plugin-handled, potentially dangerous content will be blocked by default if coming from unknown (and therefore untrusted) sites.
You'll get a nice placeholder with the NoScript logo instead: you just click it, and you activate the content on the fly if you deem it trustworthy.
If you're paranoid like me, you may want to trade some usability for maximum security and also check the
option, which will mandate on-demand activation everywhere.
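As an added illustration (not NoScript's code and not part of the original post), the blocking decision described above can be modelled as follows. The function names, the partial MIME table and the example hosts are assumptions, and trust is matched on the exact hostname for simplicity.

```javascript
// Simplified model of the policy described above; NOT NoScript's source.
// All names, the MIME table and the hosts below are constructed assumptions.
const PLUGIN_CLASS = {
  "application/x-java-applet": "java",
  "application/x-shockwave-flash": "flash",
  "application/x-silverlight": "silverlight",
  "application/pdf": "other",     // Acrobat viewer
  "video/quicktime": "other",     // QuickTime
  "video/x-ms-wmv": "other",      // Windows Media Player
};

function makePolicy({ trusted = [], forbid = [], applyToTrusted = false }) {
  return { trusted: new Set(trusted), forbid: new Set(forbid), applyToTrusted,
           activated: new Set() };  // content the user clicked to enable
}

// kind === "iframe" marks frames; otherwise the category comes from the MIME type.
function classify(item) {
  if (item.kind === "iframe") return "iframe";
  const mime = (item.mime || "").split(";")[0].trim().toLowerCase();
  return PLUGIN_CLASS[mime] || null;          // null: not plugin-handled
}

function decide(policy, item) {
  const category = classify(item);
  if (category === null || !policy.forbid.has(category)) return "load";
  if (policy.activated.has(item.url)) return "load";   // enabled on demand
  const site = new URL(item.url).hostname;
  if (policy.trusted.has(site) && !policy.applyToTrusted) return "load";
  return "placeholder";                        // blocked until clicked
}

// Clicking the placeholder enables that one piece of content on the fly.
function activate(policy, item) { policy.activated.add(item.url); }

const ALL_BUT_IFRAMES = ["java", "flash", "silverlight", "other"];
const standard = makePolicy({ trusted: ["intranet.example"], forbid: ALL_BUT_IFRAMES });
const paranoid = makePolicy({ trusted: ["intranet.example"], forbid: ALL_BUT_IFRAMES,
                              applyToTrusted: true });
const unknownPdf = { url: "https://unknown.example/report.pdf", mime: "application/pdf" };
const trustedPdf = { url: "https://intranet.example/q3.pdf", mime: "application/PDF; x=1" };
console.log(decide(standard, unknownPdf), decide(standard, trustedPdf),
            decide(paranoid, trustedPdf));
```

In this model a PDF from an unknown site is replaced by a placeholder, while the same content from a trusted site loads unless the stricter setting is enabled.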
I heard someone saying
.
If it's true (and I hope some day it won't necessarily be), NoScript tries hard to pump that
as high as it can be.
September 21st, 2007 at 8:16 am
"My advice for you is not to open any PDF files (locally or remotely)."
I think that Adobe wouldn't agree with him... ;)
As always, NoScript seems to be the all-in-one solution for safe web navigation, but it can't be useful in a non-web context where PDFs are often used.
I would be curious to know what kind of vulnerability the PDF can use... or maybe it's just a personal quest against Adobe?
September 21st, 2007 at 8:49 am
The video and the few details Petko added in this comment and later, may suggest that
September 21st, 2007 at 9:07 am
I've been getting spam as PDF files. Didn't open them because I guessed there was some virus in them (why else would you spam with PDFs?). If you want I can maybe recover some if you want to dissect them.
September 21st, 2007 at 10:33 am
@nap:
"Proper" PDF spam is a well known trend, apparently declining these days, not necessarily an infestation vector.
Nevertheless, PDF as a malware vehicle is quite old news, so malicious mail with an attachment exploiting either an old or a new PDF vulnerability wouldn't come as a big surprise.
September 21st, 2007 at 11:55 am
Still more separation of code and data
Separating code from data is a HUGE problem (possibly a root of all remote code execution evil). Here's more info, some of it new, some of it very old ...
April 4th, 2008 at 10:07 pm
Dear Giorgio,
I have an Apple computer with the "Tiger system". Will NoScript work with it, and is it necessary (are there JavaScript problems that will affect my computer)?
Thanks for your time.