[conspire] Post Mortum legal explosion
rick at linuxmafia.com
Wed Jan 23 22:39:59 PST 2013
Just as a brief follow-up on the Gozi / PDF thing:
> My point about execution vs. aftereffects is that the fruitful and
> systematic approach to undesirable code of all kinds (including
> 'malware') is to take systematic steps to simply avoid running it.
> (Eschewing MSIE helps. Exchewing MS-Windows helps more.)
> How, you might ask, does opening a PDF file run anything? Good
> question. It shouldn't.
> Unspecified vulnerability in Adobe Acrobat and Reader 8.1 on Windows
> allows remote attackers to execute arbitrary code via a crafted PDF
> file, related to the mailto: option and Internet Explorer 7 on Windows
> XP. NOTE: this information is based upon a vague pre-advisory by a
> reliable researcher.
> So, what's up with Adobe Acrobat [Reader] software? In short, it's
> buggy overfeatured rubbish that should not in a million years be
> permitted to handle files off the Internet.
But remember, I also implied that MS-Windows is part of the problem, and
it is. Seems like this 2007(!) flaw in MSIE7 in XP and Windows Server
2003 is involved:
Installing Microsoft Internet Explorer (IE) 7 on Windows XP or
Server 2003 changes the way Windows handles Uniform Resource Identifiers
(URIs). This change has introduced a flaw that can cause Windows to
incorrectly determine the appropriate handler for the protocol specified
in a URI. By creating a specially crafted URI in a PDF document, an
attacker can execute arbitrary commands on a vulnerable system.
Basically, if you pull down one of those PDFs and click on what appears
to be a URL inside the PDF text, and MSIE7 for Windows happens to be the
Web browser your PDF viewer calls for that purpose, then MSIE screws up
because it _lacks proper input validation_.
It misparses the embedded URI and so what looks like, say, a mailto:
link in the PDF might contain a request that MSIE invoke CMD.EXE as the
'handler' -- and MSIE is dumb enough to do it. In 2007, Microsoft
released a patch for this stuff that provided a new version of
Shell32.dll that actually bothered to do input validation on URIs for a
So, although Adobe Acrobat [Reader] _is_ overfeatured rubbish, that was
not the key problem here, and people running dangerously old, unpatched
Windows XP/MSIE7 in 2007-2013 would have a problem regardless of choice
of PDF-reading software (as long as it blithely passed off URIs to
Points to notice:
1. Failure to validate public data is a very damning programming flaw
(this one being in MSIE7 code).
2. And Microsoft uses pieces of MSIE all over the place as a 'system'
component in MS-Windows, so it is/was a system-wide MS-Windows
3. 2007 issue, long patched, and yet some fools apparently still
tripped over it for years thereafter. Many MS-Windows 'exploits'
are like that.
4. Linux typically has much cleaner distinctions between system
layers and better modularity, so this sort of swiss-cheesing
is very rare.
More information about the conspire