dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
1529
share rss forum feed

Cronk

join:2005-07-16

Open a pdf in browser vs in application

Is it more risky to open a pdf document in a browser, using a plugin, as opposed to disabling the plugin and opening it in an application like Adobe Reader or Foxit? If so, what makes it more risky? Thanks



Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..

2 recommendations

From my perspective, opening a pdf (or any other data/document file) from within a browser at a minimum means I can't scan it with multiple anti-malware tools as I normally do before exposing my system to its contents. To me, layered security means not trusting in simply one layer such as just a live AV that can miss something, especially almost-new exploits. Another thought is that using a plug-in (which in turn invokes the application program itself) within the browser add two more layers of potential security vulnerability ahead of the app alone. However, I realize that many users will trade off the speed and convenience of in-browser viewing versus the downloading/extra-scanning time and effort that provide the increased security. For a lot of users, convenience always trumps security... which is one reason why so many users' computers get infected.
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to Cronk

»Adobe Reader display PDF in Browser?

»'Better than Adobe' Foxit PDF plugin hit by worse-than-Adobe
--
Don't feed trolls--it only makes them grow!



jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
USA
kudos:24
reply to Cronk

Does anyone know if Nitro is affected? I normally don't open pdf. files in my browser, but nother person who uses this system does.


Cronk

join:2005-07-16

3 edits
reply to Blackbird

I'm referring to whether there is any added risk as a result of going through the browser. The inability to do multiple manual scans is not in the picture here since the users in question would not ever scan first anyway.

Blackbird touched on the risks I am asking about when he said:

said by Blackbird:

..using a plug-in (which in turn invokes the application program itself) within the browser add two more layers of potential security vulnerability ahead of the app alone.

although I can't say I understand the two layers he refers to. Does opening it in the browser create the possibility that the exploit will be able to poke for vulnerabilities in the browser, that would otherwise not have been exploitable if the pdf was opened in the application?


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..

1 recommendation

said by Cronk:

...

said by Blackbird:

..using a plug-in (which in turn invokes the application program itself) within the browser add two more layers of potential security vulnerability ahead of the app alone.

although I can't say I understand the two layers he refers to. Does opening it in the browser create the possibility that the exploit will be able to poke for vulnerabilities in the browser, that would otherwise not have been exploitable if the pdf was opened in the application?

The browser must communicate with the plug-in and the plug-in communicates with its related app which then ostensibly communicates with the target file. Those extra two layers of data exchange and interface with the OS (browser/plugin and plugin/app) establish at least the possibility for things like unchecked buffer overflows plus who-knows-what other possible hiccups that some creative hackers might discover. Even if the app itself is airtight, there are two added levels for mischief to occur when viewing through the browser... though that's not to say both added levels are equally vulnerable or are easy to code an exploit for. But they do stand as added code that can be messed with... and I prefer to keep all that to a minimum by simply downloading the file, scanning it several ways, and opening it directly with the app of choice.
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville

Cronk

join:2005-07-16

OK thanks.


mysec
Premium
join:2005-11-29
kudos:4
reply to Cronk

said by Cronk:

I'm referring to whether there is any added risk as a result of going through the browser. The inability to do multiple manual scans is not in the picture here since the users in question would not ever scan first anyway.

Does opening it in the browser create the possibility that the exploit will be able to poke for vulnerabilities in the browser, that would otherwise not have been exploitable if the pdf was opened in the application?


The current PDF exploits that are part of the Exploit Kits hosted on malware sites one may likely encounter via some type of redirection, aren't looking for vulnerabilities in the browser, rather, in the PDF application itself.

Therefore, whether the PDF file is opened automatically via a browser plug-in, or manually by a user, the exploit code will run, if the PDF Reader isn't patched for that particular vulnerability.

Here is some typical download code in a booby-trapped PDF file:







Again, if the PDF Reader is not patched against a particular vulnerability, then the download will occur automatically and the user potentially will be infected, barring some other security measure blocking the download.

The safety measure in having the PDF plug-in disabled, or whitelisted for certain sites, is that the exploit code on the malware site that triggers the download will cause the browser to alert the user:




If the user's policy is not to download anything that she/he hasn't gone looking for, the user will cancel the prompt and move on -- exploit fails.

----
rich


Lagz
Premium
join:2000-09-03
The Rock

To focus on something Blackbird was saying in an earlier post about extra layers of vulnerability. In the recent Foxit plugin vulnerability, it was the plugin that was at fault and not Foxit reader directly.
»www.theregister.co.uk/2013/01/11···in_vuln/

But the bug is not triggered by a booby-trapped document, which is the usual way of infecting systems running insecure PDF readers. Instead, clicking on a link to any PDF that deliberately includes a very long query string after the filename causes a buffer overflow in the Foxit plugin.



Whether that's currently being exploited on a particular malware site currently or not shouldn't be at issue, but the fact that even the plugins themselves add potential vulnerability.
--
When somebody tells you nothing is impossible, ask him to dribble a football.

mysec
Premium
join:2005-11-29
kudos:4

1 recommendation

said by Lagz:

In the recent Foxit plugin vulnerability, it was the plugin that was at fault and not Foxit reader directly.


Thanks for that update! More reason to keep the plugin disabled.

Note, however, that there is a social engineering component to this exploit:

Italian security researcher Andrea Micalizzi discovered that the latest version of the software crashes if users are tricked into clicking on an overly long web link.

----
rich


Lagz
Premium
join:2000-09-03
The Rock

1 recommendation

said by mysec:

said by Lagz:

In the recent Foxit plugin vulnerability, it was the plugin that was at fault and not Foxit reader directly.


Thanks for that update! More reason to keep the plugin disabled.

Note, however, that there is a social engineering component to this exploit:

Italian security researcher Andrea Micalizzi discovered that the latest version of the software crashes if users are tricked into clicking on an overly long web link.

----
rich

Yep. Sadly there is no fix or update for social engineering.
--
When somebody tells you nothing is impossible, ask him to dribble a football.

mysec
Premium
join:2005-11-29
kudos:4

1 recommendation

said by Lagz:

Yep. Sadly there is no fix or update for social engineering.


I'm going make a note of that!

----
rich


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..
reply to mysec

said by mysec:

... Note, however, that there is a social engineering component to this exploit:

Italian security researcher Andrea Micalizzi discovered that the latest version of the software crashes if users are tricked into clicking on an overly long web link.

----
rich

Much real-world digital maliciousness relies on multiple factors for success, just one of which is social engineering. This is one of the realities that complicates the analysis of a computer exploit event or the prevention of similar attacks against other computer owners. Your software can be fully patched, yet one oops in "safe hex" habits and trouble may loom. Likewise, you can be as "safe hex" careful as humanly possible, but leave some program on a system unpatched and trouble may loom. And so on... Watching posts in this forum over time, one becomes highly aware of just how many ways the various exploit factors interplay to both cause confusion and to make nearly impossible any simple, one-size-fits-all solution to preventing infections.
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville

Cronk

join:2005-07-16
reply to Cronk

I've just installed FoxIt reader on a Vista machine. During install I de-selected the browser plugins and told it do not open pdf's in the browser when it asked me. Yet when I am using Chrome, pdf files still open in the browser. Any ideas?

Thanks



Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..

1 recommendation

said by Cronk:

I've just installed FoxIt reader on a Vista machine. During install I de-selected the browser plugins and told it do not open pdf's in the browser when it asked me. Yet when I am using Chrome, pdf files still open in the browser. Any ideas?

Doesn't Chrome have a built-in pdf plug-in viewer that you have to manually disable to stop in-browser viewing? (in the address bar, enter about:plugins > locate Chrome pdf viewer > click Disable)
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville


Phoenix22
Death From Above
Premium
join:2001-12-11
SOG C&C Nrth
reply to jaykaykay

OMG!


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

1 recommendation

reply to Cronk

Foxit has too many problems. You are better off with something like Evince which is a Linux PDF reader that has been ported to Windows. Of course, read outside the browser. Or, the next version of Fx will have builtin PDF reader using HTML5.

»projects.gnome.org/evince/

»www.pcworld.com/article/2025153/···ers.html
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Zee5tH

join:2005-09-08
reply to Blackbird

Hi I agree with your philosophy on layered security,what I would like to know first of all I have 2 pc's with Win 7 Home Premium and 2 with XP3.I would like to know which is the better pdf reader Adobe (Current VS)or Fox it.I have both on my default browser Firefox(the latest version),with the plugins disabled.My question is if you go the layered route there are some Brokerage sites that offer research on certain things.I have not gone to the research section since these exploits came out in Adobe or Fox it.I don't want to lose my personal information by opening one of these pdf reports they offer,is there a safe way of opening many research reports in a layered way without giving up any of my info.I hope I explained this the right way.
Thank you.



balloonshark
Lets Go Mountaineers

join:2006-08-11
WV

If by personal information you mean files on your computer you could set up Sandboxie to do this. I use Sandboxie to isolate my internet facing programs from the rest of my computer. When I open my browser it is "sandboxed" and anything I open with it such as a pdf would open and sandbox my pdf reader.

I can also set restrictions as to what can open and have internet access in the sandbox. It's also possible to restrict access to files, folders or partitions by anything running in that sandbox.

Sandboxie is often overlooked but I wouldn't surf without it. My other layers include an AV and 2 on-demand scanners. I also run a HIPS program to alert me in the off chance anything would run without my permission. Recent backups of data are also important.
--
If we quit voting, will they all just go away?


Cronk

join:2005-07-16
reply to Blackbird

said by Blackbird See Profile
Doesn't Chrome have a built-in pdf plug-in viewer that you have to manually disable to stop in-browser viewing? (in the address bar, enter about:plugins > locate Chrome pdf viewer > click Disable)
[/BQUOTE :

OK I'll look into that when I get back on that machine. Thanks


Zee5tH

join:2005-09-08
reply to balloonshark

Where can i get Sandboxie from? Please excuse that I am not familiar with this program.



balloonshark
Lets Go Mountaineers

join:2006-08-11
WV

You can have a look at Sandboxie here. »www.sandboxie.com/
--
If we quit voting, will they all just go away?


Zee5tH

join:2005-09-08

Thank you very much.I will try Sandboxie.If I have any questions I will post them.