Critical PDF Warning

Topic

New Reply

I use Foxit Reader and there is an update with the fix for it here: https://www.foxitsoftware.com/support/security-bulletins.php

New Threats Leave Millions At Risk—Update All PDF Apps Now

https://www.forbes.com/sites/zakdoffman/2019/10/05/critical-pdf-warning-new-threats-leave-millions-at-riskupdate-all-pdf-apps-now/#13013aff739d

 

First to the issues. A team of German researchers has published a paper detailing a new PDF attack they have dubbed “PDFex.” The attack has two variants, but essentially it exploits the ways in which PDF files are encrypted and combine both secure and insecure data. Put simply, the attacker can retrieve the encrypted contents of a PDF document by planting malicious code in either the unencrypted parts or in the code that manages the encryption within the document.

The PDFex researchers’s evaluation “shows that among 27 widely-used PDF viewers, all of them are vulnerable to at least one of those attacks, including popular software such as Adobe Acrobat, Foxit Reader, Evince, Okular, Chrome, and Firefox.”

Quite the list.

Don't take yourself so seriously, no one else does 🙂
All W10 Pro at 22H2,(2 Desktops, 1 Laptop).

5 users thanked author for this post.

DriftyDonN, OscarCP, jburk07, DrBonzo, Fred

Reply | Quote

Replies

Currently, we are not aware of any exploits using our attacks.

Furthermore, due to our responsible disclosure process, most applications already implemented countermeasure against our attack,

https://pdf-insecurity.org/

I can’t imagine a practical scenario for the “PDFex attack”, which requires that code is added to a password-protected PDF before it is opened. And the best example the researchers could come up with is a false notification from Amazon.com of a $1,000,000 refund IF you’re in the habit of receiving password-protected invoice PDFs from Amazon.

But the eight high-severity vulnerabilities specific to Foxit Reader mentioned in the second half of the Forbes article appear to be much more of a concern as they permit remote code execution by infected PDFs, or even web site drive-by downloads:

high-severity flaw in Foxit PDF Reader
A specially crafted PDF document can trigger an out-of-memory condition which isn’t handled properly, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.

Multiple Security Vulnerabilities Discovered In Foxit PDF Reader

3 users thanked author for this post.

OscarCP, CADesertRat, DrBonzo

Reply | Quote

The pdf-insecurity site implies that if the version of the reader you are using is later than the version listed in their ‘evaluation’ link, then you are protected. Does anyone know if this is just an implication, or is it actually a fact that you are protected?

Reply | Quote

[CADesertRat]

According to the chart provided of their PoC on a LOT of PDF readers here https://pdf-insecurity.org/signature/evaluation_2018.html#desktop-viewer-applications

They all have have a problem with at least 1 facet. The Amazon PDF was, as you say, an example.

I noticed in the latest Foxit Reader, when you install it, there is a “Safe mode” check mark that you have to accept or decline. It’s checked by default. Just a “Heads Up”, Foxit will try to install a Trial for their Phantom Foxit unless you select not to install it.

Don't take yourself so seriously, no one else does 🙂
All W10 Pro at 22H2,(2 Desktops, 1 Laptop).

• This reply was modified 5 years, 7 months ago by CADesertRat.

1 user thanked author for this post.

OscarCP

Reply | Quote

Using the Web has been increasingly like going for a walk in a war zone and hoping a bullet, a grenade, or a shell will not put you out of existence. That does not mean that we should all stay home all day, permanently, because life must go on, until it doesn’t.

Thanks, CADesertRat, for that link to a list of vulnerable PDF readers. I use “Sumatra” in the Windows 7 PC , not in the list!, and mostly “Preview” in the Mac. However, I don’t know for sure what is that the browsers, that include Chrome and Waterfox (a fork of Mozilla’s FireFox) are using for viewing PDF files available online. I hope their developers will soon patch whatever that is. That goes also for the macOS and Linux versions of those browsers.

At Apple they tend to be always fully in the game, so I wonder if the latest, and quite recent, macOS security update might not have taken care of that, among other things. Anyone here knows something about this?

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote