Foxit Software has issued an update to make it easier for users to spot PDF files that may contain malicious content. Also, Apple has pushed out new versions of QuickTime and iTunes that correct nearly two dozen security problems in those programs.
Last month, researcher Didier Stevens said he’d discovered that he could embed an executable file — such as a malicious program — inside a PDF file. Worse, Stevens found that PDF readers from Adobe Systems and Foxit contained a feature that would run those embedded files upon request, in some cases without even warning the user.
Stevens found that when he triggered the feature in Adobe Reader the program throws up a warning that launching code could harm the computer (although he also discovered he could change the content of that warning in Adobe Reader).
Foxit, however, displayed no warning at all and executed the action without user approval. According to Stevens, the Foxit fix shipped last week changes the reader so that it now warns users if a PDF document tries to launch an embedded program.
Unlike previous attacks on PDF readers — which can generally be blocked by selecting the option to disable JavaScript in the programs — this attack leverages features built into these readers. Adobe Reader contains an option to disable opening non-PDF attachments with external applications (under Preferences, click Trust Manager, and then uncheck the box at the top of the next window). However, I could find no such option in Foxit.
If you are using Foxit, please upgrade to this latest version, which is v. 3.2.1.0401. To update, click the Help menu, and then Check for Updates Now, or download the latest installer from this link here. And if you see a warning like the one above, it might be smart to click the “Do Not Open” button.
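To triage a PDF for the constructs described above (an embedded file plus a /Launch action that the reader may execute) before anyone opens it, here is an added example scanner; it is not code from this post, from Foxit or from Adobe. It assumes a constructed sample PDF built inline and a fixed list of name tokens, and it only counts tokens in the raw bytes: it does not decompress object streams, and instead reports when they are present.

```python
import re

# Name tokens worth counting when triaging a PDF for /Launch behaviour.
WATCHED = (b"/Launch", b"/EmbeddedFile", b"/OpenAction", b"/JavaScript", b"/JS", b"/ObjStm")

# Constructed sample input, not a document from the page: a minimal PDF whose
# /OpenAction is a /Launch action and which carries one embedded file.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R
  /Names << /EmbeddedFiles << /Names [(payload.exe) 6 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
5 0 obj << /Type /Action /S /Launch /Win << /F (payload.exe) >> >> endobj
6 0 obj << /Type /Filespec /F (payload.exe) /EF << /F 7 0 R >> >> endobj
7 0 obj << /Type /EmbeddedFile /Length 2 >> stream
MZ
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

def normalize_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in name tokens so that /L#61unch reads /Launch."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> dict:
    """Count each watched name token. A name ends at whitespace or a PDF
    delimiter, so /EmbeddedFiles is not mistaken for /EmbeddedFile."""
    text = normalize_names(data)
    counts = {}
    for name in WATCHED:
        pat = re.escape(name) + rb"(?=[\s/\[\]<>(){}%]|$)"
        counts[name.decode()] = len(re.findall(pat, text))
    return counts

def triage(counts: dict) -> list:
    """Turn raw counts into the reasons a reviewer would flag the file."""
    reasons = []
    if counts["/Launch"]:
        reasons.append("Launch action: reader may start an external program")
    if counts["/EmbeddedFile"]:
        reasons.append("embedded file: a payload can travel inside the PDF")
    if counts["/OpenAction"]:
        reasons.append("automatic action: fires on open, no click needed")
    if counts["/JavaScript"] or counts["/JS"]:
        reasons.append("JavaScript: the reader's disable-JS option applies")
    if counts["/ObjStm"]:
        reasons.append("object streams: compressed objects were not inspected")
    return reasons
```

Run `triage(scan_pdf(open(path, "rb").read()))` on a real file; an empty list means only that none of the watched tokens appear uncompressed, not that the file is clean.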
In other patch news, Apple has pushed out a security update for its QuickTime and iTunes media players. The QuickTime update, version 7.6.6, fixes at least 16 security flaws affecting both Mac and Windows systems. iTunes 9.1 addresses at least seven security holes for OS X and Windows versions. The patches are available through Software Update on the Mac, through the Apple Software Update package bundled with iTunes/QuickTime on Windows, or via Apple Downloads.
Ok, I’m finally dumping QuickTime and moving to QuickTime Alternative.
I also uninstalled QuickTime as I cannot even remember the last time I used it. Good riddance!
Do you have to have QuickTime on your PC in order to use iTunes, or will QuickTime Alternative fill that gap? Thanks.
QuickTime is not only required, it is included in iTunes!
From the iTunes download page
http://www.apple.com/itunes/download
“QuickTime 7.6.4 or later is required (included)”
Apple makes some beautiful products. Unfortunately, it is this type of requirement, along with their very closed architecture, that precludes my purchase or use of ANY of their products. 🙁
“jeremy” http://www.sudosecure.net/archives/644 has a PoC to infect one pdf file from another. Imagine all pdfs on your PC getting infected! If you simply need to read pdf without all the bells and whistles of Reader, uninstall Reader and try one of these http://pdfreaders.org/
With Foxit, be careful of the installer ‘land mine.’ It’s one of those typical sleazy installers offering to add toolbars, extra shortcuts, and redirect your home page.
Watch what you click.
To avoid the installer and its third party gotchas, go to the Foxit Downloads page at http://www.foxitsoftware.com/downloads/index.php
Under Foxit Reader, to the right of the latest version (typically at the top), click “More download”, scroll down and click the “zip” version.
This contains only the “exe” file, no installer, which you can extract to where you want it and just run it.
Don’t know if it’s the same when the installer was used for installation, but when using just the exe, you will only get an updated exe when checking for newer versions via “Help, Check for Updates Now”. There is never an installation process and thus you don’t have to watch out for the installer gotchas.
I see two potential problems here. The Average User will not know where to extract it. The Average User will extract it to the folder it downloaded in (Desktop? My Documents\Downloads?) and will never delete the downloaded file.
Does it automatically change the file association for .pdf? Again, the Average User is clueless.
Your proposal works for us geeks, however.
Thank you again, Brian. I have old CDs from 2002 that run in QuickTime.
My computer is showing the installed version as 7.66.71.0; is this the same thing?
Just published on Computerworld!!!
Reacting to a demonstration that showed how attackers could force-feed malware to users without exploiting an actual vulnerability, Foxit Software patched its PDF viewer last week.
But the Belgian researcher who showed how hackers could run executable code on a Windows PC from a malformed PDF said today that Foxit’s fix didn’t protect users from his attack tactics.
The April 1 update to Foxit Reader, a popular alternative to Adobe’s own Reader, adds a warning that pops up when a PDF tries to launch an executable, a function that’s permitted by the PDF specification. The change makes Foxit Reader behave similarly to Adobe Reader, which already sports such a warning.
Didier Stevens, the researcher who last week demonstrated a multi-stage attack using the /Launch function, said that his proof-of-concept code — which he has not released to the public — still works when pitted against the updated Foxit Reader.
Avoid the .exe installer for Foxit Reader because it installs the Ask.com toolbar.
The .msi installer for Foxit Reader does not contain the toolbar.
The problem is worse than installing Ask.com. I tried installing the Foxit update and really screwed up my computer. It took me about 3 hours and finally using the system restore facility to get back to usability.
I log on as a Limited User and will not try the update again… my Foxit reader is working fine without it.
EB
Great info, thanks Brian. You wrote:
“Adobe Reader contains an option to disable opening non-PDF attachments with external applications (under Preferences, click Trust Manager, and then uncheck the box at the top of the next window).”
I have a question I’m hoping someone can answer, if I do the above on a WinXP machine using one of two admin accounts will the change be effective for all user/admin accounts? There are 3 user accounts and 2 admin accounts on the machine.
To any responder my thanks in advance.
To answer my own question, the change is only effective for the logged on user. I had to log on to all accounts to change Adobe Reader settings. Also, nothing prevents my users from changing the settings back… but not that worried as they are not admin accounts & therefore software (trojans) should not install.
The ability to embed an executable inside of a pdf for “malicious” purposes has been available in metasploit for months. Credit to colin ames, val smith, and dave kerb (Attack Research).
module: http://www.metasploit.com/modules/exploit/windows/fileformat/adobe_pdf_embedded_exe
paper / presentation: http://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html
A few months ago I gave up on Foxit: When you do a manual update you get a very confusing dialog which does not distinguish between bug fixes and paid upgrades.
Earlier I had given up on Adobe Reader when it insisted on downloading a totally unnecessary bloatware download manager, as well as some mystery software called Adobe AIR and Adobe.com. The total installation exceeds 100 megabytes.
I am now using Sumatra, which will fit on a single 3.5″ diskette (remember those?). True, it won’t fill forms, but I have never needed to do that — when that day arrives, I will try something else.
Can anyone say whether Sumatra’s deliberately lean no-frills design reduces its exposure to attack?