PDF exploits shown in this comparison as exceeding Flash based

Discussion in 'Computer Security' started by MEB, Feb 16, 2010.

  1. MEB

    98 Guy Guest

    Meb again is asking for negative proof. He is asking that a negative be
    proved- that something DOES NOT exist or that something DOES NOT happen.

    Either Meb is truly a moron and doesn't understand the concept of a
    negative proof, or he knows that full well but is nonetheless using it
    to support his mindless arguments.

    A negative can usually never be proved unless the scope of the argument
    is sufficiently small. In this case, the scope of the argument (all
    data that can pass between or into any computer on planet earth) is too
    large to rationally ask for a negative proof.

    But this is frequently how MEB responds in an argument. You can never
    ask him for a positive example to prove his point - he will always turn
    it around and ask you to supply a negative proof.
    You have failed time and time again to explain why you do not test
    various threats on your win-98 system and post the results. All you
    ever do is blather on and on and on about the latest flash or adobe
    threats and post CERT pgp keys (god knows why you do that) without
    providing any shred of evidence that those threats or exploits are
    operable on win-98 systems.

    And when others post the observation / suggestion that win-98 users
    apply IE-patch rollups released by Microsoft for win-2k IE6-sp1, you
    froth at the mouth against doing that, claiming it would make win-98
    systems *less* secure.

    You claim that IE6 was never properly "ported" to win-98, but your
    analysis is based on a faulty understanding of dependency walker and a
    faulty understanding of multi-platform DLL's.

    I post most of this here for the benefit of those of you here in
    microsoft.public.security.homeusers for whom MEB is an unknown
    quantity. He is a well-known kook here in m.p.win98.gen_discussion.
     
    98 Guy, Feb 21, 2010
    #21

  2. MEB

    Peter Foldes Guest

    98 Guy

    Do yourself a favor and get a life. You are wrong and you are beating a dead horse.
    Being foolish does not make you look good and your little credibility that you had
    is also going the way of the wind.
     
    Peter Foldes, Feb 21, 2010
    #22

  3. False conclusion, because it is the future you are gambling on. Maybe
    Adobe's code has been tested more rigorously now, and FoxIt's code
    remains to be tested.
    I infer from David's post that he is attesting to the fact that the
    Adobe PDF vulnerability set has many more members than does the FoxIt
    Reader PDF vulnerability set.
    I don't see how that conclusion hinges upon my statement.

    Anyway, even though I don't know anything about either program, I could
    suggest that FoxIt Reader is safer than Adobe's. This is based only on
    my strong suspicion that Adobe's has more lines of code.
    Well, Win98 is practically impervious to any privilege escalation
    exploits.
    Filesystem security sure isn't an issue. :eek:D

    You should ask in the Win98 group. Treat PDFs as you would executables -
    no browser add-on to autorender content - no scripting or "Flash"
    extensions etc...

    .... the devil is in the extensions (usually)
    One thing about 98 and NT versions is that even though an exploit can be
    written that affects all, it is often coupled with shellcode or further
    processing that is OS specific. 98 is becoming less of a target, so
    actual threat decreases. A remote code execution exploit using a PDF
    file may have shellcode to get control of an XP machine while only doing
    a DoS to a 98 machine.

    This doesn't mean that the writer couldn't have just as easily written
    the shellcode part of the exploit for the Win98 machine.
    Another one specifically for the 98 group.
    Have fun with your research, I suspect you will end up with FoxIt being
    the better choice even if it is old and unpatched.
     
    FromTheRafters, Feb 22, 2010
    #23
  4. [...]
    Considering exploits, it is not reasonable to assume that your OS is
    more secure just because an exploit is not operable on it.

    If the vulnerable software falls over, but the OS doesn't recognise the
    shellcode, the system is *still* vulnerable to the exploit. If it is an
    NT specific malware *payload* you might not be vulnerable to the
    payload, but you still are vulnerable to the exploit. It is the exploit
    that delivers the payload (often in the form of shellcode).

    Just because a malware instance can't complete its worm function on a
    Win98 system does not mean it cannot complete its PE infection routine
    and be a virus on Win98.
     
    FromTheRafters, Feb 22, 2010
    #24
  5. MEB

    Anteaus Guest

    A key issue is that of automatic-updaters which install crapware along with
    updates. Adobe are particularly guilty of this. Because of this antisocial
    practice, an increasing number of users are refusing to patch their software.

    In the interests of promoting security, the attaching of crapware to
    security updates should be made illegal. Though, even if that were done
    tomorrow it would take a long time to win back the confidence of users, that
    updates can be trusted.
     
    Anteaus, Feb 24, 2010
    #25
  6. From: "Anteaus" <>


    | A key issue is that of automatic-updaters which install crapware along with
    | updates. Adobe are particularly guilty of this. Because of this antisocial
    | practice, an increasing number of users are refusing to patch their software.

    | In the interests of promoting security, the attaching of crapware to
    | security updates should be made illegal. Though, even if that were done
    | tomorrow it would take a long time to win back the confidence of users, that
    | updates can be trusted.


    Never had a problem downloading updates from the Adobe FTP site and installing them
    without the crapware.
     
    David H. Lipman, Feb 24, 2010
    #26
  7. MEB

    MowGreen Guest

    <rant>
    As if you're a Typical Windows User, David. The TWU will usually install
    anything that's been pre-checked because, for some reason, they trust
    ISVs Security updates.
    Unfortunately, the ISVs define what can be included with Security
    updates and their Users are just supposed to open wide and swallow all
    the unneeded/unwanted "fluff" they attempt to stuff onto their systems.

    So, in effect, the "fluff" pays for the development and distribution of
    Security updates that ISVs need to push out for their software.
    There's no incentive for said ISVs to release secure software as they
    can recoup the above funds by installing "fluff" on unsuspecting
    victims' systems

    No sane person should be running Flash Player or Adobe Reader at this
    point in time as it's quite apparent that Adoobie does not care one whit
    about their Users' security but loves to install "fluff" such as McAfee
    Security Scan or a toolbar when purportedly updating either "product".

    </endrant>

    MowGreen
    ================
    *-343-* FDNY
    Never Forgotten
    ================

    banthecheck.com
    "Security updates should *never* have *non-security content* prechecked
     
    MowGreen, Feb 25, 2010
    #27
  8. From: "MowGreen" <>


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    US-CERT Current Activity

    Adobe Releases a Security Update for Download Manager

    Original release date: February 24, 2010 at 10:01 am Last revised:
    February 24, 2010 at 10:01 am


    Adobe has released a security bulletin to address a vulnerability in the
    Adobe Download Manager. This vulnerability could allow an attacker to
    download and install unauthorized software.

    US-CERT encourages users and administrators to review security bulletin
    APSB10-08 and review the steps to mitigate the issue.

    Relevant Url(s):
    <http://www.adobe.com/support/security/bulletins/apsb10-08.html>

    ====
    This entry is available at
    http://www.us-cert.gov/current/index.html#adobe_releases_a_security_update

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.5 (GNU/Linux)

    -----END PGP SIGNATURE-----
     
    David H. Lipman, Feb 25, 2010
    #28
  9. MEB

    98 Guy Guest

    Top-Poaster Peter Foldes wrote in response to my summary of MEB:
    I'm not sure if you're in agreement about what I said about MEB or if
    you're trying to defend / support him with the above comment.
     
    98 Guy, Feb 25, 2010
    #29
  10. MEB

    98 Guy Guest

    I think you mean payload - not exploit.

    If a given piece of exploit code is not operable on a given platform,
    then how can that platform be vulnerable to the exploit or any
    hypothetical payload / shell-code that might follow? How do you define
    vulnerable in that context?
    But there's no consequence if either or both the exploit or the
    shellcode does not function properly on a given system.

    If the exploit or the shellcode causes the application (or the OS) to
    crash, well that's just a nuisance that's not likely going to be
    repeated by the user.

    I don't really consider DoS's to be a significant or credible threat to
    anonymous end-users (what's the point?).
    Until we see a functional example of an operable PDF exploit AND payload
    for the Win-98/Acrobat-6 combination then we can't be sure *if* there is
    a viable exploit in the first place.
     
    98 Guy, Feb 25, 2010
    #30
  11. MEB

    98 Guy Guest

    Was it necessary to post the PGP key?
     
    98 Guy, Feb 25, 2010
    #31
  12. From: "98 Guy" <>


    | Was it necessary to post the PGP key?

    Was it necessary to comment on my "quoting" an official US CERT message?

    I think NOT ! The answer is YES, it was.
     
    David H. Lipman, Feb 25, 2010
    #32
  13. Yes, I meant "threat" not "exploit".
    The exploit in this case is against the application, what follows might
    be OS platform specific. For instance, if a demo exploit has a benign
    payload (like executing notepad) it may work for all versions, but if a
    real world exploit calls cmd.exe (which W98 doesn't have) then the
    threat is still valid even though it isn't operable on your OS.
    It could mean the difference between a worm instance being hosted and a
    DoS against the vulnerable application.
    Well then, a DoS exploit is not an exploit to you?
    I suppose you have your own unique definition of payload then?
     
    FromTheRafters, Feb 26, 2010
    #33
  14. MEB

    98 Guy Guest

    To exploit something generally means to make some use of it.

    When a computer is exploited, it means (in this context) that a third
    party is or has gained some use or operational control over it.

    DoS events and exploits are not (to my knowledge) used against the
    average web-surfer, e-mail reader, home or soho user - but instead are
    used against specific machines, servers, etc.

    There are some exploits that have no function other than to cause
    instability or crash a target system (ie- DoS). The use of such
    "exploit" code in that situation will achieve some goal by the attacker,
    but I question if it can be said that the target machine was actually
    "exploited" in the process.
    Where do I say that?

    I'm just saying that there has not been any PDF exploit-code analysis
    that I've ever seen where it was proved or shown that the exploit would
    work on a win-98/acrobat-6 system. And going further, I'm not aware of
    an appropriate payload / shellcode that has ever circulated in the wild
    to go along with such an exploit.
     
    98 Guy, Feb 26, 2010
    #34
  15. Exactly, but what you are exploiting is the vulnerability. You make use
    of the vulnerability to effect a DoS.
    It always starts with a DoS.
    That would be dDoS (distributed DoS) attacks.
    The vulnerability was exploited to do a DoS.
    I inferred it from your evident need for coupling payload with exploit.
    I can agree with that observation.
     
    FromTheRafters, Feb 26, 2010
    #35
  16. MEB

    JosephKK Guest

    You could always switch to any other OS that properly supports the concept.
     
    JosephKK, Mar 19, 2010
    #36
