Friday, March 6, 2009

PDF exploit is BIG ... JBIG

Forget everything you thought you knew about computer security ... if I don't visit "bad" sites ... if I don't actually open that attachment ... if I just keep my antivirus up-to-date ... if I have a firewall ... nothing bad can happen, right?


Drive-by browser infections are nothing new, cross-site scripting, identity theft, SSL spoofing/man-in-the-middle attacks (think that credit card transaction is safe?) are all part of the new Web 2.0 landscape.

What you don't know will definitely hurt you.

The lastest PDF vulnerability for Adobe Acrobat shows that all it takes is single clicking, hovering over the icon, or viewing in thumbnail mode to get pwned.

Didier Stevens details this latest trio of attacks using the JBIG2Decode vulnerability:

So how is it possible to exploit this vulnerability in a PDF document without having the user open this document? The answer lies in Windows Explorer Shell Extensions.

In the first demo, I just select the PDF document with one click. This is enough to exploit the vulnerability, because the PDF document is implicitly read to gather extra information.

In the second demo, I change the view to Thumbnails view. In a thumbnail view, the first page of a PDF document is rendered to be displayed in a thumbnail. Rendering the first page implies reading the PDF document, and hence triggering the vulnerability.

In the third demo, I use my special PDF document with the malformed stream object in the metadata. When I hover with the mouse cursor over the document (I don’t click), a tooltip will appear with the file properties and metadata. But with my specially crafted PDF document, the vulnerability is triggered because the metadata is read to display the tooltip…

So be very careful when you handle malicious files. You could execute it inadvertently, even without double-clicking the file. That’s why I always change the extension of malware (trojan.exe becomes trojan.exe.virus) and handle them in an isolated virus lab. Outside of that lab, I encrypt the malware.

No comments:


Related Posts with Thumbnails