PDF exploits shown in this comparison as exceeding Flash based

Discussion in 'Computer Security' started by MEB, Feb 16, 2010.

  1. MEB Guest

    Excuse the cross post, however, Windows 9X [being left out of the
    updating process] is just as vulnerable, if not more, than using
    outdated applications in other OSs.

    A basic explanation is found here:
    http://blogs.zdnet.com/security/?p=5473&tag=nl.e539

    I suggest following the linked materials, and further research into the
    various methods being used.
    NOTE: that the use of "traffic optimization", which is running programs
    to detect the available exploitable aspects in any given OS and/or
    system, has increased, and is now the preferred method being used for
    malicious activity distribution purposes.

    --
    MEB
    http://peoplescounsel.org/ref/windows-main.htm
    Windows Info, Diagnostics, Security, Networking
    http://peoplescounsel.org
    The "real world" of Law, Justice, and Government
    ___---
     
    MEB, Feb 16, 2010
    #1

  2. Jesper Ravn Guest

    Hello

    To me it's just another fuzz story from a mainstream security magazine/blog
    that doesn't focus on a good prevention strategy.
    All they care about is the scary headline and the same boring conclusion
    about Firefox......

    I really miss the words "principle of least privilege" and "deny-all
    policies" in the security debate today.

    /Jesper
     
    Jesper Ravn, Feb 16, 2010
    #2

  3. From: "MEB" <>


    | Excuse the cross post, however, Windows 9X [being left out of the
    | updating process] is just as vulnerable, if not more, than using
    | outdated applications in other OSs.

    | A basic explanation is found here:
    | http://blogs.zdnet.com/security/?p=5473&tag=nl.e539

    | I suggest following the linked materials, and further research into the
    | various methods being used.
    | NOTE: that the use of "traffic optimization", which is running programs
    | to detect the available exploitable aspects in any given OS and/or
    | system, has increased, and is now the preferred method being used for
    | malicious activity distribution purposes.


    Updates for Adobe Reader and Adobe Acrobat were posted Today.

    Adobe Reader/Acrobat V9.1.3 and v8.2.1
     
    David H. Lipman, Feb 16, 2010
    #3
  4. From: "Jesper Ravn" <>

    | Hello

    | To me it's just another fuzz story from a mainstream security magazine/blog,
    | that don't focus on a good prevention strategy.
    | All they care about is the scary headline and the same boring conclusion
    | about Firefox......

    | I really miss the word's "principle of least privilege" and "deny-all
    | policies" in the security debate today.

    | /Jesper

    Exploitation of PDF vulnerabilities is a very REAL and present problem. I have seen
    NUMEROUS malicious PDF files and I have seen numerous web sites using PDF exploit code.

    I'll be honest, I did not read the ZiffDavis blog, but I know what it is based upon and
    the threat is real.
     
    David H. Lipman, Feb 16, 2010
    #4
  5. Jesper Ravn Guest

    Hi David

    Yes I know it's a real problem. But the basic prevention against "remote code
    execution" is the same.
    Secure your browser (disable/prompt javascript - disable adobe plugins).

    If that is not convenient for you, go with a one time setup like LUA/SRP (no
    need for ongoing adjustment/tweaks)

    Another approach could be an application like Anti-Executable from Faronics.
    It's a simple stand-alone application where the deny-all policy takes place.
    For the average user it's an easy setup and go. No need to learn anything
    about basic security :).
    Too bad it's not freeware anymore.

    /Jesper
     
    Jesper Ravn, Feb 17, 2010
    #5
  6. MEB Guest

    Well, I would love to say that will take care of the PDF issues, but we
    all know it won't. The allowance of internal coding, external linking,
    and other now allowed within the PDF format is the problem. Were this a
    world where people weren't trying "to make a buck" anyway they can, we
    might be able to consider that these WILL solve the problems; but people
    are what they are; money, desire for fame in some form, and all of those
    not so acceptable human factors rule the day.
    So how many of these SUPPOSED PDF vulnerabilities and fixes is that
    now, 30, 40, 50, ??

    The article and more importantly the linked materials also describe
    other forms now being used beyond PDF, and that the methodology has
    significantly changed to avoid detection with increased polymorphic
    techniques, or even farther beyond the previous normal attack vectors
    where single hack styles may have been involved, to the point of probing
    the individuals system for ANY and ALL vulnerabilities once ANY entry
    point is found and proofed.

    --
    MEB
    http://peoplescounsel.org/ref/windows-main.htm
    Windows Info, Diagnostics, Security, Networking
    http://peoplescounsel.org
    The "real world" of Law, Justice, and Government
    ___---
     
    MEB, Feb 17, 2010
    #6
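The features named in the post above (internal scripting, external linking, auto-run actions) are exactly the markers a defender can triage a PDF for before it ever reaches a reader. The script below is an added example, not code from the thread or from any poster; the list of risky name objects, the risk weighting, and the three constructed sample PDFs are my own assumptions, in the spirit of tools such as pdfid. It also covers two ways such markers get hidden from naive string searches: hex-escaped names (`/J#61vaScript`) and names buried inside FlateDecode-compressed object streams.

```python
"""Static triage of a PDF for active-content markers (added example, not from the thread).
The feature list and risk levels below are assumptions chosen for illustration."""
import re
import zlib

# PDF name objects that mark scripting, auto-run behaviour, or reach outside the file.
RISKY_NAMES = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript action payload",
    b"/OpenAction": "action that runs when the file is opened",
    b"/AA": "additional actions (page/form event triggers)",
    b"/Launch": "launch action (run an external program)",
    b"/URI": "external link",
    b"/SubmitForm": "form submission to an external address",
    b"/EmbeddedFile": "embedded file attachment",
    b"/RichMedia": "Flash/rich-media content",
    b"/XFA": "XFA forms",
    b"/ObjStm": "object stream (objects hidden inside compressed data)",
}

NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")          # a PDF name token
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")      # #xx escape inside a name
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def decode_name(raw: bytes) -> bytes:
    """Undo PDF name hex escapes so /J#61vaScript compares equal to /JavaScript."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def inflate_streams(data: bytes) -> list:
    """Return the contents of every stream body that inflates as zlib (FlateDecode)."""
    out = []
    for m in STREAM_RE.finditer(data):
        d = zlib.decompressobj()
        try:
            out.append(d.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed (image data, another filter, plain text)
    return out


def scan_pdf(data: bytes) -> dict:
    """Count risky names in the raw bytes and in every inflatable stream."""
    counts, escaped = {}, 0
    for blob in [data] + inflate_streams(data):
        for m in NAME_RE.finditer(blob):
            name = decode_name(m.group(0))
            if name in RISKY_NAMES:
                counts[name] = counts.get(name, 0) + 1
                if b"#" in m.group(0):
                    escaped += 1  # a risky name written with escapes is itself suspicious
    script = b"/JavaScript" in counts or b"/JS" in counts
    autorun = b"/OpenAction" in counts or b"/AA" in counts
    if script and autorun:
        verdict = "high"      # script that runs without user interaction
    elif counts:
        verdict = "medium"    # active content present, review before opening
    else:
        verdict = "low"
    return {"counts": counts, "escaped_names": escaped, "verdict": verdict}


# --- Constructed samples (minimal, not real-world files) ---------------------
CLEAN_PDF = (b"%PDF-1.4\n"
             b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
             b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
             b"trailer << /Root 1 0 R >>\n%%EOF\n")

# Auto-run JavaScript, with the action name hex-escaped to dodge a plain grep.
AUTORUN_JS_PDF = (b"%PDF-1.4\n"
                  b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
                  b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
                  b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
                  b"4 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
                  b"trailer << /Root 1 0 R >>\n%%EOF\n")

# Same action, but the object lives inside a Flate-compressed object stream.
_hidden = zlib.compress(b"4 0 << /S /JavaScript /JS (app.alert(1)) >>")
HIDDEN_JS_PDF = (b"%PDF-1.5\n"
                 b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
                 b"5 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
                 + str(len(_hidden)).encode() + b" >>\nstream\n" + _hidden +
                 b"\nendstream\nendobj\n"
                 b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for label, pdf in (("clean", CLEAN_PDF), ("autorun-js", AUTORUN_JS_PDF), ("hidden-js", HIDDEN_JS_PDF)):
        r = scan_pdf(pdf)
        print(label, r["verdict"], {k.decode(): v for k, v in r["counts"].items()}, "escaped:", r["escaped_names"])
```

A count of `/OpenAction` or `/AA` together with `/JavaScript` or `/JS` is the combination that turns a document into something that executes the moment it is opened, which is why the scanner rates it above a lone `/URI` or `/EmbeddedFile`. Cross-reference streams and other filters (LZW, ASCIIHex) are not inflated here; a production triage would decode those as well.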
  7. MEB Guest

    Ah, huh, Firefox?? oh when they mention the No Script plugin?

    Boring? When banks and accounts are being drained; when ID theft and
    other credit theft is running rampant; when even the most secured sites
    and devices are regularly taken out/down... okay maybe that is boring to
    you. Maybe if a little blood and gore was involved...
    If it is so boring why are you monitoring the group?

    Better still, why don't you outline a prevention strategy which you
    think will protect the users and post it here. Perhaps we can then
    critique the techniques and work up something that might be truly
    helpful. And I'm not trying to put you "on the spot", but it is a
    serious discussion sorely needed.

    --
    MEB
    http://peoplescounsel.org/ref/windows-main.htm
    Windows Info, Diagnostics, Security, Networking
    http://peoplescounsel.org
    The "real world" of Law, Justice, and Government
    ___---
     
    MEB, Feb 17, 2010
    #7
  8. From: "J. P. Gilliver (John)" <>

    | Do these exploits affect Foxit (either current versions or the last one
    | that works with '98), rather than Adobe?


    The latest ones ? No.

    Previous one or two, yes.

    What version of FoxIt Reader are you using ?
     
    David H. Lipman, Feb 18, 2010
    #8
  9. 98 Guy Guest

    I continue to NOT see credible evidence that PDF exploits discovered
    during and since 2007 are applicable or compatible with Acrobat 6.x.
    I've tried many of the published pdf POC during the past year or two and
    have seen no evidence that they function correctly when exposed to
    Acrobat 6.x running on Win-98se.
     
    98 Guy, Feb 18, 2010
    #9
  10. MEB Guest

    As I have explained AND directed you to before:
    You are using the "published" *example* code or the specifically coded
    NT exploit to make this bold statement.
    This in no way indicates that these exploitable aspects can not work or
    be leveraged in Adobe Reader 6 or any earlier versions in the Win9X or
    other OSs which support the inclusion of code, internal or external
    linking, prefetch activities, and/or the other factors which apply when
    addressing these issues.
    The *hack packs* being distributed and methodology now being employed
    look/probe for ANY vulnerability within any given system; meaning IF
    there is an exploitable flaw/vulnerability during the contact, the
    likelihood is it will be discovered. The PDF format is filled with
    addressable flaws/vulnerabilities due to all the functions/inclusions
    allowed within it; and these are merely the entry point.
    To presume that the PDF format and Reader 6 is not being leveraged is
    unintelligent and fails to give credit or consideration to the known
    activities hackers now employ. As Win9X needs no services crash or
    memory corruption to effectuate elevation of privileges or "root" access
    as in the NTs, it is far more sensible to presume that not only the
    known existing Reader 6 vulnerabilities are being used, but that new
    forms are being discovered and used, particularly when taken with
    consideration of the polymorphic activities and *per system* hacker
    activity being employed.
    On the other hand, Adobe Reader 6 does NOT allow many of the extended
    activities that 7 and above do, so there are limits and some of these
    specific vulnerabilities may not exist; though again, that in *no way*
    means that the known or new and unpublished vulnerabilities/exploits are
    not still being used/leveraged against Reader 6 [or being modified to avoid
    detection], or which applied in Win9X, or within the other OSs.
    A perfect example would be the recent activity regarding the rootkit
    causing BSoDs and the Microsoft updates, where within hours of the
    release of the patches, the rootkit was modified and distributed to NOT
    cause the BSoD, thereby allowing the patches WITHOUT the rootkit being
    discovered due to the BSoD.

    BSOD after MS10-015? TDL3 authors "apologize" - Feb. 16 2010
    http://www.prevx.com/blog/143/BSOD-after-MS-TDL-authors-apologize.html

    To assume that Win9X hacks, or those applicable to the applications used
    within it, are not also being modified is ludicrous. In the hacker world
    Win9X hacks are "kiddie hacks" meaning what hackers once cut their teeth
    on, being so easy to accomplish. Moreover, one should NOT overlook the
    main issues the NT patch was addressing [the kernel patch], which
    addressed the 16bit coding support and DOS base access, both of which
    are inherent in Win9X. There should be a "duuuuhhhh" moment, the "light
    turning on" here...

    So to put it bluntly: your "have not seen credible" means zip. nada. It
    happens to be what you DON'T see that is being used to hack the millions
    of computers. And the above "you" includes the supposed protections like
    AV which are being bypassed by the present exploits and malware.

    --
    MEB
    http://peoplescounsel.org/ref/windows-main.htm
    Windows Info, Diagnostics, Security, Networking
    http://peoplescounsel.org
    The "real world" of Law, Justice, and Government
    ___---
     
    MEB, Feb 18, 2010
    #10
  11. From: "98 Guy" <>


    | I continue to NOT see credible evidence that PDF exploits discovered
    | during and since 2007 are applicable or compatible with Acrobat 6.x.
    | I've tried many of the published pdf POC during the past year or two and
    | have seen no evidence that they function correctly when exposed to
    | Acrobat 6.x running on Win-98se.

    Acrobat/Reader 7 on Win9x/ME can be successfully exploited.

    Adobe has already dropped support for Adobe 6 and is dropping support on v7. Minimum
    version supported now is 8.
     
    David H. Lipman, Feb 18, 2010
    #11
  12. 98 Guy Guest

    Acrobat Reader 7 can't be installed on Win9x/me.

    Reader 6 is the last version that's installable on 9x/me.
     
    98 Guy, Feb 19, 2010
    #12
  13. From: "98 Guy" <>


    | Acrobat Reader 7 can't be installed on Win9x/me.

    | Reader 6 is the last version that's installable on 9x/me.

    Mea culpa :-(
     
    David H. Lipman, Feb 19, 2010
    #13
  14. MEB Guest

    Hmm, that went nowhere, okay how about we take a look at HOW some of
    these things are set up, WHAT is used, and WHAT the intent is.

    Perhaps an inside look at some of the current botnets, what makes them
    up, some of the methodology being employed, and how it relates to some
    of the supposed "just merely malware", might start the needed discussion
    [of course still attempting to bring the linked materials from the
    original article into the discussion as well].

    Let's start with one additional security related blog [though again I
    recommend following the links for deeper background and further
    information]:

    http://ddanchev.blogspot.com/search?updated-min=2010-01-01T00%3A00%3A00%2B01%3A00&updated-max=2011-01-01T00%3A00%3A00%2B01%3A00&max-results=15

    --
    MEB
    http://peoplescounsel.org/ref/windows-main.htm
    Windows Info, Diagnostics, Security, Networking
    http://peoplescounsel.org
    The "real world" of Law, Justice, and Government
    ___---
     
    MEB, Feb 20, 2010
    #14
  15. From: "J. P. Gilliver (John)" <>

    | In message <>, David H. Lipman

    | Sorry, do you mean:

    | The latest exploits don't affect Foxit but previous ones do

    | or

    | The latest (98-compatible?) Foxit is OK but previous ones aren't

    | ?


    | Oops, another thing on my "to do" list for this (XP) machine. Can't
    | remember what version of Foxit I'm using on my '98 machine(s), but they
    | rarely go online these days. I was asking more for others' benefit, in
    | that if Foxit _is_ safe, then I'd thoroughly recommend it as an
    | alternative anyway - it seems to me far better behaved than Acrobat
    | Reader.


    There are some PDF vulnerabilities that FoxIt is vulnerable to and some that both Adobe
    and FoxIt are vulnerable to.
     
    David H. Lipman, Feb 20, 2010
    #15
  16. It sounds like a logical assumption.

    http://www.foxitsoftware.com/pdf/reader/security.htm
     
    FromTheRafters, Feb 20, 2010
    #16
  17. From: "J. P. Gilliver (John)" <>

    | In message <Oq7xb$>, David H. Lipman

    | Is the former a subset of the latter (i. e. Foxit is vulnerable to some,
    | and Adobe to those and more), or are they overlapping sets (such that
    | there are some Foxit is vulnerable to that Adobe is _not_)?


    FoxIt suffers from a subset (so to speak) of the greater amount of vulnerabilities that
    afflict Adobe Reader/Acrobat.
     
    David H. Lipman, Feb 20, 2010
    #17
  18. I think he's asking a math question.

    To define his "sets" he may need to clarify some things. The
    vulnerability is in the software used to process the PDF format files
    and implement their extensions.

    Some vulnerabilities may be for Foxit *only*, some for Adobe *only* and
    some for *both*. Intersecting sets.
     
    FromTheRafters, Feb 20, 2010
    #18
  19. You may not be aware that there is an ongoing campaign to introduce as much
    irrelevant material as possible, particularly if it relates to security,
    into the W98 groups, mostly by casual addition of the W98 groups to postings
    in groups related to other versions of Windows. This is done purely to
    enhance the status of several trolls who think they are making themselves
    appear knowledgeable about W98. All they are doing is completely confusing
    the W98 users and creating flame wars which are then fanned as much as
    possible. It would be helpful to the W98 groups if this irrelevant
    crossposting was removed before replying.

    Thanks,
     
    Jeff Richards, Feb 21, 2010
    #19
  20. MEB Guest

    Excuse me, do you have something you wish to say?
    Please show us how knowledgeable you are Jeff.

    Show us WITH SPECIFICS, that Win98 hacks are not being used and Windows
    98 users can rest assured that parties like you are providing the
    information they need to protect themselves while on the Internet when
    confronted with PDFs, Flash, JAVA, email attacks, and other factors one
    finds out here.
    While you are explaining these facts [per your thoughts] please explain
    your prior support of installation of IE6 files from Win2K AFTER the EOL
    of Win98 as recently as the 10th month of last year, into the Win98 OS
    and how it would/will protect Win98 users.

    Or is it that you believe Win98 users should be "kept in the dark" and
    continue to be provided with false information regarding their security
    by those apparently without the comprehension to understand the threats
    involved?

    --
    MEB
    http://peoplescounsel.org/ref/windows-main.htm
    Windows Info, Diagnostics, Security, Networking
    http://peoplescounsel.org
    The "real world" of Law, Justice, and Government
    ___---
     
    MEB, Feb 21, 2010
    #20