Posted on 12/15/2004 7:00:59 AM PST by holymoly
Acrobat and also Ethereal suffer vulnerability alerts.
Adobe has patched two bugs in its ubiquitous Acrobat Reader application that could allow an attacker to take over a user's system via a malicious pdf file attached to an e-mail message. The bugs affect Windows, Mac OS X and Unix.
Separately, developers warned of bugs in Ethereal, a popular network protocol analyser, that could allow an attacker to take over a system.
Security research company iDefense warned of the bug affecting Windows and Mac in an advisory published on the Bugtraq mailing list late on Tuesday. The problem is a format string vulnerability in version 6.0.2 of Adobe Reader, allowing users to craft a special .etd file that could cause an invalid memory access and allow for the execution of malicious code with the privileges of the user. Reader uses .etd files in handling eBooks.
The bug could be exploited by an e-mail containing either a malicious pdf file or a link to such a file, according to iDefense. The company said earlier versions of Reader 6 could be vulnerable, and said the bug is likely to also affect Adobe Acrobat, the application used to create pdf files.
Adobe released a fix in version 6.0.3 of both Acrobat and Acrobat Reader for Windows and Mac OS X. All the updates are available from Adobe's Web site.
iDefense said users could also work around the problem by deleting the file "C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\eBook.api", which makes Reader and Acrobat unable to handle eBooks.
A similar bug affects Unix. A boundary error in the "mailListIsPdf()" function, which checks to see whether a document in an email is a PDF file, unsafely copies user supplied data into a fixed sized buffer, according to iDefense.
This could allow an attacker to cause a buffer overflow and execute malicious code, the company said. Adobe has fixed the bug in Acrobat Reader version 5.0.9 for Unix, available on its site. iDefense said previous versions of Reader 5 are likely to also be affected. In its advisory, iDefense included a shell script patch users can apply for additional protection.
Ethereal bug
Several bugs were also reported in Ethereal, which claims to be one of the most popular tools for network software and protocol development, troubleshooting and analysis. The bugs can make the application hang, crash or otherwise disrupt a system, and may also allow for malicious code execution, Ethereal's developers said.
"It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire or by convincing someone to read a malformed packet trace file," the project said in a Wednesday advisory.
The bugs affect versions 0.9.0 up to and including 0.10.7, and are fixed in version 0.10.8. Secunia, which publishes an independent security database, said the problems were "highly critical".
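The Unix Reader bug described above is the classic fixed-buffer copy: user-supplied data is copied into a fixed-size buffer before it is inspected. The following C example, added here and not Adobe's code (the function names and the 128-byte buffer size are assumptions, the inputs are constructed), shows that pattern beside a bounded version that refuses over-long input instead of overflowing.

```c
#include <stdio.h>
#include <string.h>

#define LINE_BUF 128            /* fixed-size scratch buffer, as in the bug */
#define PDF_MAGIC "%PDF-"

/* Vulnerable pattern (hypothetical name, not Adobe's code): copy the
 * caller-controlled line into a fixed buffer before inspecting it.
 * strcpy stops only at NUL, so any line of LINE_BUF bytes or more
 * writes past the end of buf. */
static int is_pdf_unsafe(const char *line)
{
    char buf[LINE_BUF];
    strcpy(buf, line);                    /* no length check */
    return strncmp(buf, PDF_MAGIC, strlen(PDF_MAGIC)) == 0;
}

/* Hardened form: the caller passes the explicit length, the copy is
 * bounded by the destination size, and over-long input is refused rather
 * than silently truncated. Returns 1 = PDF, 0 = not PDF, -1 = rejected. */
static int is_pdf_safe(const char *line, size_t len)
{
    char buf[LINE_BUF];
    const size_t magic_len = strlen(PDF_MAGIC);

    if (line == NULL || len >= sizeof buf)
        return -1;                        /* would not fit: refuse */
    memcpy(buf, line, len);               /* bounded by the check above */
    buf[len] = '\0';
    if (len < magic_len)
        return 0;
    return memcmp(buf, PDF_MAGIC, magic_len) == 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed sample inputs: a real-looking PDF header line and an
     * over-long line of the kind a malformed mail part could carry. */
    const char pdf_line[] = "%PDF-1.4";
    char long_line[4 * LINE_BUF];
    memset(long_line, 'A', sizeof long_line - 1);
    long_line[sizeof long_line - 1] = '\0';

    printf("unsafe check on short input: %d\n", is_pdf_unsafe(pdf_line));
    printf("safe check, pdf header:      %d\n", is_pdf_safe(pdf_line, strlen(pdf_line)));
    printf("safe check, over-long line:  %d\n", is_pdf_safe(long_line, strlen(long_line)));
    /* is_pdf_unsafe(long_line) is deliberately never called: it overflows */
    return 0;
}
```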
Ping
Ping
What! A security alert for the impenetrable Mac and Linux OSs, say it isn't so.
You would then keep all your important stuff on a separate user account that you never connect to the internet with.
Still a bit of a hassle but maybe it's come to that.
That Ethereal bug is fascinating. To think that it could get nailed by a malformed packet - how odd.
With the low cost of computers these days, maybe you should even set up a separate Internet browsing PC. Collected, sanitized information from the Internet could then be transferred over a secure home network to your actual work PC. If your Internet PC gets blown up by a virus, just rebuild it from a Ghost image on a removable hard drive and keep going. The work PC never gets affected.
Except it's not a flaw in Linux, it's a flaw in a vendor-supplied program. And it will only affect my user - oh no, you executed arbitrary code on my computer as user 'pcg'! Horror! I might lose my ENTIRE mozilla cache! Or maybe those .tar.gz files I could download again from the Internet!
Besides, who uses Acrobat Reader in Unix these days with gpdf and xpdf and similar? *yawn*
That's the thing that always gets me. People always make a big deal about how the malicious code only affects the files in the user account. Those are the only files that matter!
I can reinstall the OS, the application code, all the admin level stuff. It's all on disks supplied to me. But all the unique stuff, everything the user has ever created, is by definition accessible to code that has user level permission. I guess in a multiuser environment you can be consoled that only one user gets screwed.
Maybe there are a lot of people that just use their computer as a dumb terminal for connecting to the internet. But I have financial records, web design templates/graphics, reports I've written for graduate school, tons of programming/scripting examples I keep for reference, digital photos, etc. I keep backups of most of this because this is the stuff that matters!
Slightly OT, but does anyone know how to report malware to MS? I had a colleague (so I thought anyway) send me a jpg by email the other day that was a bit more than it appeared. I did all of the standard stuff...checked extensions before opening, virus-scanned it, etc, and it came up clean, but when I opened it my entire system crashed HARD (explorer GPF'd...something I haven't seen Windows do in years). I ended up having to power-cycle a reboot. When my machine came up clean on a subsequent virus/malware scan, I checked it out a bit more (hey, I'm a computer programmer, so I have a bit of appreciation for a well written, non-destructive hack). I saved the file onto my desktop and when I minimized Outlook to start checking it out...without even opening the file...the system GPF'd again and had to be rebooted. I couldn't even log in to delete the file without it crashing my computer within moments. Booted into safe mode...same thing again.
I ended up having to dust off my boot floppy and delete the file from the command line to get rid of it. A little postmortem seemed to indicate that the JPEG was exploiting some kind of flaw in the feature that Win2k and WinXP utilizes to draw a thumbnail of an image to use as its icon. I'm fully patched up and am pretty sure that this isn't a known bug, but I don't know where this should be reported to. I knew how to delete it, but others may not be so lucky.
Uh, you do back up your data don't you? If not you're waiting to get nailed. It could be something malicious, or a power outage, but you'll buy the farm (computationally speaking) eventually.
Rogue userspace programs are a heck of a lot less dangerous to your system than programs that can set up a spammer daemon, or randomly start attacking other systems on your network.
This is the problem with most windows installations. Far too much code effectively runs as administrator, so when subverted, it is far more dangerous.
I bet the Ethereal bug applies to the Windows version. I couldn't imagine a Linux version of Ethereal having such a bug. If it is the Windows version, I believe they warn that Ethereal running on Windows isn't entirely stable.....it's been awhile since I've downloaded it for Windows, so I could be mistaken.
Exactly. Sure, permissions can help protect against esoteric attacks like replacing system libraries, but for simple stuff like wiping all your documents, or worse, emailing them to somebody in Russia, you don't need any elevated privileges.
The only solution I can see is fine-grained access controls for all applications. If something claims to be a password management utility, it has no business even looking in my address book, let alone opening network connections, and the OS should enforce that.
Nobody claims Linux and Macs are impenetrable, except the strawmen in the minds of Windows advocates.
Uh, if you happen to look at the last sentence in my reply you will see:
"I keep backups of most of this because this is the stuff that matters!"
Exactly. Which is why I also keep backups. But who wants to bother with that whole silly tape or backup hard drive thing - I just back up to my server on the Internet and let THOSE tape backups do their thing, just in case.
I've had one desktop go into storage and two laptops go completely kaput (no little annoying buffer overflow/malicious code injection, but completely dead) in the last couple of years. Never lost a thing. Never had more than about 10 minutes (while I reinstalled Linux) without all of my files. It's a beautiful thing.
BTW, you're right here - user-level permission is enough to wreak havoc on a system. You're also right about the multiuser environment, and I've had to be consoled when one dumb user has his password guessed on our multiuser work machine. So I *am* coming at it from a slightly different perspective...
I'm just poking a little fun at the users of these "superior" alternative OSs. Remember, Bill Gates is the devil, and one can only achieve true enlightenment through Linux or OS X. Actually, operating systems and their vulnerabilities would be almost a non-issue if people would learn a simple golden rule: if it's important to you, save it to disk.
I don't keep large amounts of data on my hard drive and never have, but if I did I would get a large external hard drive and just unplug it when not in use. Or if you have an old computer laying around the house, just use it for stuff you don't need internet access for. You could easily transfer data to it via CDR or other removable media and virus/spyware scan it at both ends. You could even hook both up to a switcher and run them side by side with one monitor, keyboard and mouse.
BUMP!