[conspire] Post Mortum legal explosion

Rick Moen rick at linuxmafia.com
Wed Jan 23 22:39:59 PST 2013


Just as a brief follow-up on the Gozi / PDF thing:

> My point about execution vs. aftereffects is that the fruitful and
> systematic approach to undesirable code of all kinds (including
> 'malware') is to take systematic steps to simply avoid running it.
> (Eschewing MSIE helps.  Eschewing MS-Windows helps more.)
[...]
> How, you might ask, does opening a PDF file run anything?  Good
> question.  It shouldn't.
[...]
>   Unspecified vulnerability in Adobe Acrobat and Reader 8.1 on Windows
>   allows remote attackers to execute arbitrary code via a crafted PDF
>   file, related to the mailto: option and Internet Explorer 7 on Windows
>   XP. NOTE: this information is based upon a vague pre-advisory by a
>   reliable researcher.
> 
> So, what's up with Adobe Acrobat [Reader] software?  In short, it's
> buggy overfeatured rubbish that should not in a million years be
> permitted to handle files off the Internet.

But remember, I also implied that MS-Windows is part of the problem, and
it is.  Seems like this 2007(!) flaw in MSIE7 in XP and Windows Server
2003 is involved:

  Installing Microsoft Internet Explorer (IE) 7 on Windows XP or
  Server 2003 changes the way Windows handles Uniform Resource Identifiers
  (URIs). This change has introduced a flaw that can cause Windows to
  incorrectly determine the appropriate handler for the protocol specified
  in a URI. By creating a specially crafted URI in a PDF document, an
  attacker can execute arbitrary commands on a vulnerable system.

Basically, if you pull down one of those PDFs and click on what appears
to be a URL inside the PDF text, and MSIE7 for Windows happens to be the 
Web browser your PDF viewer calls for that purpose, then MSIE screws up
because it _lacks proper input validation_.

It misparses the embedded URI and so what looks like, say, a mailto:
link in the PDF might contain a request that MSIE invoke CMD.EXE as the
'handler' -- and MSIE is dumb enough to do it.  In 2007, Microsoft
released a patch for this stuff that provided a new version of
Shell32.dll that actually bothered to do input validation on URIs for a
change.

So, although Adobe Acrobat [Reader] _is_ overfeatured rubbish, that was
not the key problem here, and people running dangerously old, unpatched
Windows XP/MSIE7 in 2007-2013 would have a problem regardless of choice
of PDF-reading software (as long as it blithely passed off URIs to
MSIE7).

Points to notice:

1.  Failure to validate public data is a very damning programming flaw
    (this one being in MSIE7 code).
2.  And Microsoft uses pieces of MSIE all over the place as a 'system' 
    component in MS-Windows, so it is/was a system-wide MS-Windows
    problem.
3.  2007 issue, long patched, and yet some fools apparently still 
    tripped over it for years thereafter.  Many MS-Windows 'exploits'
    are like that.
4.  Linux typically has much cleaner distinctions between system
    layers and better modularity, so this sort of swiss-cheesing
    is very rare.
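As an added illustration of point 1 and of the URI-handler mechanism described above (this is not code from this thread, from Adobe or from Microsoft), here is a small Python model of a handler dispatcher that refuses to choose a handler until the URI has passed strict syntax checks; the handler registry and program names in it are made up.

```python
import re
from typing import List, Optional

# RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":"
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
# A "%" not followed by two hex digits is a malformed escape sequence.
_BAD_PCT_RE = re.compile(r"%(?![0-9A-Fa-f]{2})")

# Constructed handler registry (hypothetical program names): scheme -> argv
# prefix.  The URI is appended as ONE argv element and is never spliced into
# a shell command line, so it cannot be reinterpreted as a different program.
HANDLERS = {
    "http": ["browser"],
    "https": ["browser"],
    "mailto": ["mailclient", "--compose"],
}

class UriRejected(ValueError):
    """Raised when a URI fails validation before any handler is chosen."""

def parse_scheme(uri: str) -> str:
    """Return the lower-cased scheme, or raise if the prefix is not one."""
    m = _SCHEME_RE.match(uri)
    if not m:
        raise UriRejected("no syntactically valid scheme")
    return m.group(1).lower()

def build_handler_argv(uri: str) -> List[str]:
    """Validate the URI, then map its scheme to a registered handler."""
    if any(ord(c) < 0x20 or c in "\"'" for c in uri):
        raise UriRejected("control character or quote in URI")
    if _BAD_PCT_RE.search(uri):
        raise UriRejected("malformed percent-encoding")
    scheme = parse_scheme(uri)
    if scheme not in HANDLERS:  # unknown scheme: refuse, never guess
        raise UriRejected(f"no registered handler for scheme {scheme!r}")
    return HANDLERS[scheme] + [uri]

def try_dispatch(uri: str) -> Optional[List[str]]:
    """Return the argv that would run, or None if the URI was rejected."""
    try:
        return build_handler_argv(uri)
    except UriRejected:
        return None

if __name__ == "__main__":
    for link in ("mailto:alice@example.com", "mailto:%zz@example.com"):  # constructed
        print(link, "->", try_dispatch(link))
```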
