How do I keep up with .pdf reader security?

[fortcollins]

This follows <a href="http://www.msfn.org/board/index.php?showtopic=126998">Foxit PDF Reader Support for 98, Number of Foxit stories now at three: yes, no, and maybe</a>

A recent Windows Secrets Newsletter got me concerned about pdf reader security and made me try to use Foxit 3.0.

At http://windowssecrets.com/comp/081120 , "Don't be a victim of Sinowal, the super-Trojan" states:

First of all, most of the Sinowal/Mebroot infections I've heard about got into the afflicted PCs via well-known and already-patched security holes in Adobe Reader, Flash Player, or Apple QuickTime." ...

"Time and time again, however, Sinowal/Mebroot's creators have modified the program well enough to escape detection."

This article is scary, as the article lead:

"The sneaky "drive-by download" known as Sinowal has been, uh, credited with stealing more than 500,000 bank-account passwords, credit-card numbers, and other sensitive financial information"

I don't use QuickTime and my Flash player is the latest 98 version. Needless to say, I don't use IE, Opera instead. However, Adobe pdf exploits leave me concerned because I read many pdf documents. I have used Foxit 2.1 and sometimes Adobe 5.1 when Foxit doesn't work. Occasionally using 5.1 presents am obvious problem. Foxit 2.1 leave me uncertain. The thought has occurred to me that .pdf exploits might work equally well on 98 as XP/Vista.

How do I assure my pdf reading security?

[Sfor]

Since the Sinowall is highly integrated with NT kernel, it seem to be highly unlikely for it to be able to work with DOS based Windows 9x boot sequence.

The Sinowall integrates with Windows NT networking functions. Windows 9x seems to be completely different on that plane.

Edited December 7, 2008 by Sfor

[herbalist]

The thought has occurred to me that .pdf exploits might work equally well on 98 as XP/Vista.

That's quite true. When a specific application is targeted, like Adobe Reader, it doesn't usually matter what OS it's running on. The code will work on that application. This page describes just such an exploit for Adobe Reader and contains a harmless Proof of Concept towards the bottom. It demonstrates very well how code contained in a file can use that application to launch and send commands to another. The PoC works on 9X and NT systems alike. The one exception I found was a 98lite testbox without Internet Explorer installed. The PoC wouldn't function there.

Using code to exploit a specific application like Adobe Reader is only the first step in the infection process. The PoC works by using the exploited application to gain access to another or to an OS component. Most application specific exploits will use a similar method. Whether that exploit code results in a compromised PC depends on what it does next. If the attacker assumes the user has an NT system and tries to compromise the OS directly, it will probably fail on a 9X system. If the code directs the browser to a malicious server that uses scripting to determine the OS, browser, etc of the intended victim, then selects a payload for that system, the chances of its being successful are pretty good.

Leaving AV detection and "don't open the unknown" out of the picture, when a vulnerable application like Adobe Reader for 98 has to be used to open documents that may or may not be infected, the only real way to prevent the apps vulnerabilities from resulting in a compromised system is to isolate the vulnerable application as much as possible from the OS and from other applications. Browser integration, especially with Internet Explorer is a major risk. A malicious PDF opened in Internet Explorer has free access to the core of the operating system. Open PDFs with the reader as a separate process, not in the browser.

On NT systems, the user has many options that can contain or defeat such malicious code, sandboxing apps, HIPS, virtualization software. Many of the available firewalls have application control components that can be used to limit the access of each application to the OS and to other applications. AFAIK, almost all of them will not run on a 9X system. To my knowledge, there's only one security application that can control individual processes and their access to others that runs on 9X, the free version of System Safety Monitor. If anyone knows of another that runs on 9X systems, I'd like to test it. It's hard to avoid suggesting a specific brand when there's only one 9X compatible option. Quite often SSM is described as classic HIPS. IMO, the best way to describe it is a rule based firewall for controlling applications, processes and their interprocess activities. Classic HIPS does not use detections or any kind of definition files. The user has to decide what to allow and block. When configured tightly enough, it can be used to prevent a vulnerable application like Adobe Reader from launching any other process. This would be done in the parent-child settings for that specific process.

SSM and other HIPS software are not total solutions by themselves by any means. They're tools that give the user a level of control over processes that's not otherwise possible in Windows and its "allow anything" design. By making that control part of a policy that blocks the unknown from executing and isolates the attack surfaces as much as possible, it can quite often prevent a compromised application from becoming a compromised system, provided that the user apps and the operating system are configured with the same goal in mind. It's not the easiest program to set up and learn. It requires that the user knows their system and understands what the different processes do and how they interact well enough to make rules that govern their behavior. It will enforce the rules you make without exception. Block a necessary system process and you can lock up your system completely. If you mistake a trojan for a needed system process, it will allow it. That's more than most people want to deal with and is definitely not for the average or casual user. I don't know your abilities or if this is an option you'd want to consider. Before you decide, SSM will not work if KernelEX is installed and it conflicts with Media Player Classic.

Rick

[SeeAScot]

IIRC Acrobat reader was the last version of Acrobat Reader which did not have the ability to execute code from within a pdf document. I seem to remember something about the ability to execute programs from within pdf files being added starting with Acrobat Reader 6.0. However, it is so long since Acrobat 6 came out, that I can't quote the exact place I got the information.

I think that the combination of using Acrobat Reader 5.1 and NOT using IE (especially if you have REMOVED IE with 98Lite) make you relatively impervious to viruses, worms, etc in pdf files.

[herbalist]

5.1 will execute code. I have 5.1 installed on my 98FE box. When I open that PoC with it, it tries to launch Internet Explorer, which then tries to launch my mail handler. This particular PoC does use Internet Explorer and will fail to function if it's not present, but only because IE is part of the demonstration. It could just as easily have sent instructions to something else. Internet Explorer is 98s biggest vulnerability and removing it is the single biggest improvement one can make to 98, but it is not a cure-all. 98 has other weaknesses, starting with no real restrictions on what can execute and no limitations on what those processes can do.

Rick