dslreports
mysec
Premium
join:2005-11-29
kudos:4
reply to Cronk

Re: Open a pdf in browser vs in application

said by Cronk:

I'm referring to whether there is any added risk as a result of going through the browser. The inability to do multiple manual scans is not in the picture here since the users in question would not ever scan first anyway.

Does opening it in the browser create the possibility that the exploit will be able to poke for vulnerabilities in the browser, that would otherwise not have been exploitable if the pdf was opened in the application?


The current PDF exploits that are part of the Exploit Kits hosted on malware sites (which one may encounter via some type of redirection) aren't looking for vulnerabilities in the browser, but rather in the PDF application itself.

Therefore, whether the PDF file is opened automatically via a browser plug-in, or manually by a user, the exploit code will run, if the PDF Reader isn't patched for that particular vulnerability.

Here is some typical download code in a booby-trapped PDF file:







Again, if the PDF Reader is not patched against a particular vulnerability, then the download will occur automatically and the user potentially will be infected, barring some other security measure blocking the download.

The safety measure in having the PDF plug-in disabled, or whitelisted for certain sites, is that the exploit code on the malware site that triggers the download will cause the browser to alert the user:




If the user's policy is not to download anything that she/he hasn't gone looking for, the user will cancel the prompt and move on -- exploit fails.

----
rich
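The post above describes booby-trapped PDFs whose embedded code runs as soon as the reader opens the file (the screenshot of that code did not survive). Below is an added static-triage example, not code from the thread or from any exploit kit: it counts the PDF name tokens that let a document auto-run code or reach the network (/OpenAction, /JavaScript, /Launch, /URI and friends), undoes the hex-escaping (/J#61vaScript) that obfuscated samples use to dodge naive greps, and returns a verdict. The two PDFs are constructed minimal samples with a placeholder script, the keyword list follows what pdfid-style tools look for, and the verdict thresholds are assumptions.

```python
"""Static triage of a PDF for the auto-run / script / download constructs that
booby-trapped PDFs rely on. Illustrative example; not code from the thread."""
import re

# PDF name tokens that let a document run code, launch a program or reach
# the network as soon as it is opened. This is the usual keyword set that
# triage tools such as pdfid count (assumed to be the names worth flagging;
# it is not a complete list).
SUSPICIOUS_NAMES = (
    "/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch", "/URI",
    "/SubmitForm", "/EmbeddedFile", "/RichMedia",
)

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes, e.g. b'/J#61vaScript' -> b'/JavaScript'.
    Obfuscated samples use these escapes to hide keywords from naive greps."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Count each suspicious name (after de-escaping) and return a verdict.

    'suspicious' = something runs automatically on open (/OpenAction or /AA)
    AND a code/URL-capable action is present; 'review' = such names exist but
    nothing auto-runs; 'clean' = none present. Streams compressed with
    /FlateDecode are NOT inflated here, so keywords hidden inside them are
    missed; a full triage would decompress streams first."""
    text = normalize_names(data)
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # The token must end at a delimiter so '/JS' does not match '/JSX'.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9_])"
        n = len(re.findall(pattern, text))
        if n:
            counts[name] = n
    auto_run = "/OpenAction" in counts or "/AA" in counts
    dangerous = any(k in counts for k in ("/JavaScript", "/JS", "/Launch", "/URI"))
    if auto_run and dangerous:
        verdict = "suspicious"
    elif counts:
        verdict = "review"
    else:
        verdict = "clean"
    return {"is_pdf": data.startswith(b"%PDF-"), "counts": counts, "verdict": verdict}


# Constructed sample: a benign one-page PDF with no actions at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: same skeleton, but the catalog's /OpenAction points at a
# JavaScript action that runs on open, with the keyword hex-escaped
# (/J#61vaScript) the way obfuscated samples do. The script is a placeholder
# string, not exploit code.
BOOBY_TRAPPED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (placeholder) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("booby-trapped", BOOBY_TRAPPED_PDF)):
        print(label, scan_pdf(pdf))
```

A hit here is a reason to open the file in a sandbox or not at all; it is not proof of exploitation, since legitimate forms also use /JavaScript and /SubmitForm. Whether the file arrived through a browser plug-in or a manual download makes no difference to what this scan sees, which is the point of the post above.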


Lagz
Premium
join:2000-09-03
The Rock

To focus on something Blackbird was saying in an earlier post about extra layers of vulnerability. In the recent Foxit plugin vulnerability, it was the plugin that was at fault and not Foxit reader directly.
»www.theregister.co.uk/2013/01/11···in_vuln/

But the bug is not triggered by a booby-trapped document, which is the usual way of infecting systems running insecure PDF readers. Instead, clicking on a link to any PDF that deliberately includes a very long query string after the filename causes a buffer overflow in the Foxit plugin.



Whether that's currently being exploited on a particular malware site or not shouldn't be at issue; the point is that even the plugins themselves add potential vulnerability.
--
When somebody tells you nothing is impossible, ask him to dribble a football.
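The Foxit plug-in bug quoted above is triggered not by the PDF's contents but by the length of the query string in the link to it. That is a pattern that can be watched for at the proxy without reproducing the bug. The following detection is an added example, not code from the thread or from any vendor: it parses constructed log lines in an assumed simplified proxy format, picks out requests for PDF resources, and flags those whose query string exceeds an assumed threshold.

```python
"""Flag requests for PDF resources whose URL carries an abnormally long query
string, the trigger pattern described for the Foxit browser plug-in bug.
Illustrative detection over constructed proxy log lines; not from the thread."""
from urllib.parse import urlsplit

# Assumed threshold: a legitimate PDF link rarely carries more than a few
# hundred bytes of query string; tune it against your own traffic baseline.
QUERY_LEN_THRESHOLD = 512


def parse_log_line(line: str) -> dict:
    """Parse one line of the assumed format
    '<epoch> <client-ip> <method> <url> <status>' (a simplified proxy log)."""
    ts, client, method, url, status = line.split(maxsplit=4)
    return {"ts": float(ts), "client": client, "method": method,
            "url": url, "status": int(status)}


def is_pdf_request(url: str) -> bool:
    """Extension-based check. Limitation: a PDF served from a URL without a
    .pdf path (e.g. /download?id=7) is not caught; the response Content-Type
    would be needed for that."""
    return urlsplit(url).path.lower().endswith(".pdf")


def flag_long_pdf_queries(lines, threshold: int = QUERY_LEN_THRESHOLD) -> list:
    """Return records for PDF requests whose query string exceeds `threshold`."""
    flagged = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_log_line(line)
        qlen = len(urlsplit(rec["url"]).query)
        if is_pdf_request(rec["url"]) and qlen > threshold:
            rec["query_len"] = qlen
            flagged.append(rec)
    return flagged


# Constructed log lines: a normal PDF fetch, a PDF fetch with a short query,
# a long-query request that is not a PDF (a tracking pixel), and a PDF link
# padded with 1 KB of query string.
SAMPLE_LOG = [
    "1357900000.123 192.0.2.10 GET http://docs.example.test/report.pdf 200",
    "1357900001.456 192.0.2.11 GET http://docs.example.test/view.pdf?id=42 200",
    "1357900002.789 192.0.2.12 GET http://ads.example.test/pixel.gif?t=" + "x" * 700 + " 200",
    "1357900003.012 192.0.2.13 GET http://bad.example.test/a.pdf?" + "A" * 1024 + " 200",
]

if __name__ == "__main__":
    for hit in flag_long_pdf_queries(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['url'][:60]}... query_len={hit['query_len']}")
```

Only the padded PDF link is flagged; the equally long tracking-pixel URL is ignored because it is not a PDF. The extension check is the weak spot, as the comment notes, so on a real proxy the Content-Type of the response is the better selector.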

mysec
Premium
join:2005-11-29
kudos:4

1 recommendation

said by Lagz:

In the recent Foxit plugin vulnerability, it was the plugin that was at fault and not Foxit reader directly.


Thanks for that update! More reason to keep the plugin disabled.

Note, however, that there is a social engineering component to this exploit:

Italian security researcher Andrea Micalizzi discovered that the latest version of the software crashes if users are tricked into clicking on an overly long web link.

----
rich


Lagz
Premium
join:2000-09-03
The Rock

1 recommendation

said by mysec:

said by Lagz:

In the recent Foxit plugin vulnerability, it was the plugin that was at fault and not Foxit reader directly.


Thanks for that update! More reason to keep the plugin disabled.

Note, however, that there is a social engineering component to this exploit:

Italian security researcher Andrea Micalizzi discovered that the latest version of the software crashes if users are tricked into clicking on an overly long web link.

----
rich

Yep. Sadly there is no fix or update for social engineering.
--
When somebody tells you nothing is impossible, ask him to dribble a football.

mysec
Premium
join:2005-11-29
kudos:4

1 recommendation

said by Lagz:

Yep. Sadly there is no fix or update for social engineering.


I'm going to make a note of that!

----
rich


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
reply to mysec

said by mysec:

... Note, however, that there is a social engineering component to this exploit:

Italian security researcher Andrea Micalizzi discovered that the latest version of the software crashes if users are tricked into clicking on an overly long web link.

----
rich

Much real-world digital maliciousness relies on multiple factors for success, just one of which is social engineering. This is one of the realities that complicates the analysis of a computer exploit event or the prevention of similar attacks against other computer owners. Your software can be fully patched, yet one oops in "safe hex" habits and trouble may loom. Likewise, you can be as "safe hex" careful as humanly possible, but leave some program on a system unpatched and trouble may loom. And so on... Watching posts in this forum over time, one becomes highly aware of just how many ways the various exploit factors interplay to both cause confusion and to make nearly impossible any simple, one-size-fits-all solution to preventing infections.
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville