PDF Security through Minority
Dave Kennedy, March 5th, 2009
by Dave Kennedy & Kevin Long
With so many defensive mitigations available, losing sleep over the latest Adobe Acrobat and Reader vulnerability just doesn’t add up.
Threat:
- Indeed there are malicious PDFs in the wild. The most recent high-profile example was a successful attack on eWeek’s web site that resulted in iFrames serving malicious PDFs, but it’s important to note that these did not use the new vulnerability but rather last November’s.
- Only a small set of targeted attacks using the new vulnerability have been reported.
- An exploit has been posted on one of the “usual suspects” sites.
Mitigations (none are 100% effective, but all contribute to defensive protection):
- Disable JavaScript in Adobe Acrobat and Reader. This stops the known attacks, which use JavaScript to prepare memory before the malformed JBIG2 stream is parsed, but it does not remove the underlying vulnerability in JBIG2 handling, which can be reached without JavaScript. Disabling JavaScript is also effective against other PDF vulnerabilities. If JavaScript is not business-essential, disable it enterprise-wide through GPO or similar techniques rather than relying on each user to do it.
- Anti-virus vendors are updating signatures to detect malicious PDFs that use the new vulnerability, and some AV products were already blocking exploitation of it last summer. AV detection is not perfect, and it is ironic that eWeek’s blogger is the one making the most noise about that. Desktop, e-mail gateway and web content AV all contribute to an effective defense.
- IDS and IPS signatures are available.
- Configure the browser to prompt before opening PDFs rather than rendering them automatically, so the user has time to decide whether to open a file at all.
- Or disable in-browser rendering of PDFs entirely. Either setting forces a downloaded PDF to be written to disk before it is opened, which gives desktop AV a better chance to detect and block an attack.
- Encourage users to be cautious about PDFs from unknown sources or unsolicited PDFs from anyone.
- Use an alternative PDF handler.
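As an added illustration of what the mitigations above are defending against (this is example code written for this page, not anything from the original post, from Adobe, or from an AV vendor), here is a small Python triage script that flags the features the JBIG2 exploits combine: JavaScript, an automatic trigger such as /OpenAction, and the /JBIG2Decode filter. It also looks inside Flate-compressed streams and resolves the #xx escapes that PDF permits in names, two tricks that defeat a plain string search. The sample PDF it scans is constructed inline and contains no exploit; the object names and the verdict thresholds are the example's own choices, not anything from the page.

```python
"""Heuristic PDF triage for the features the mitigations above target.

Added example, not code from the original post. It is a small keyword
scanner, not a full PDF parser: it counts script-related names, automatic
triggers and the JBIG2Decode filter, both in the raw file and inside every
stream that inflates as zlib data, after resolving #xx name escapes.
"""
import re
import zlib
from typing import Optional

# Names the mitigations are aimed at: script execution, automatic triggers,
# and the JBIG2 image filter whose decoder is the vulnerable code.
WATCHED = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/JBIG2Decode"]

# A PDF name ends at whitespace or a delimiter, so /JS must not match /JSX.
_DELIM = rb"(?=[\s/\[\]<>(){}%]|$)"
_PATTERNS = {n.decode(): re.compile(re.escape(n) + _DELIM) for n in WATCHED}
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# (?<!end) keeps the "stream" inside "endstream" from starting a match.
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def unescape_names(data: bytes) -> bytes:
    """Resolve #xx escapes so /J#61vaScript is seen as /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate(raw: bytes) -> Optional[bytes]:
    """Inflate a FlateDecode body; None if it is not zlib data.
    decompressobj tolerates trailing bytes, which real files often have."""
    try:
        return zlib.decompressobj().decompress(raw)
    except zlib.error:
        return None


def count_names(data: bytes) -> dict:
    """Count each watched name in one view of the data (escapes resolved)."""
    text = unescape_names(data)
    return {name: len(p.findall(text)) for name, p in _PATTERNS.items()}


def scan_pdf(data: bytes) -> dict:
    """Count watched names in the raw file plus every stream that inflates."""
    totals = count_names(data)
    for m in _STREAM.finditer(data):
        body = inflate(m.group(1))
        if body is None:
            continue
        for name, n in count_names(body).items():
            totals[name] += n
    return totals


def classify(counts: dict) -> str:
    """Triage verdict. JBIG2 alone is common in scanned documents, so only
    script combined with a trigger or a JBIG2 image escalates to 'block'."""
    script = counts["/JavaScript"] or counts["/JS"]
    trigger = counts["/OpenAction"] or counts["/AA"] or counts["/Launch"]
    jbig2 = counts["/JBIG2Decode"]
    if script and (trigger or jbig2):
        return "block"
    if script or trigger or jbig2:
        return "review"
    return "clean"


def build_sample_pdf() -> bytes:
    """Constructed sample for the demo (no exploit code). The action
    dictionary, with a hex-escaped /JavaScript name, lives only inside a
    Flate-compressed object stream, so a plain string search on the file
    sees /OpenAction but never /JavaScript or /JS."""
    inner = b"4 0 << /Type /Action /S /J#61vaScript /JS (app.alert(1)) >>"
    objstm = zlib.compress(inner)
    bodies = {
        1: b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        2: b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        3: b"<< /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 5 0 R >> >> >>",
        5: b"<< /Type /XObject /Subtype /Image /Width 1 /Height 1"
           b" /Filter /JBIG#32Decode /Length 1 >>\nstream\n\x00\nendstream",
        6: b"<< /Type /ObjStm /N 1 /First %d /Filter /FlateDecode /Length %d >>\nstream\n"
           % (inner.index(b"<<"), len(objstm)) + objstm + b"\nendstream",
    }
    out = b"%PDF-1.5\n"
    for num, body in sorted(bodies.items()):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    # No xref table: readers rebuild it, and the scanner does not need it.
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    counts = scan_pdf(build_sample_pdf())
    for name, n in counts.items():
        print(f"{name:<14}{n}")
    print("verdict:", classify(counts))
```

Run against a real file with `scan_pdf(open(path, "rb").read())`. A filter like this belongs at the mail gateway or proxy as a cheap first pass; it says nothing about whether a JBIG2 stream is malformed, which is the AV vendors' job.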
Criminals favor unpatched and widely deployed software. Security through Minority takes advantage of that preference and makes non-Adobe PDF handling an effective defensive mitigation. On Apple’s OS X the default PDF handler is Preview, although installing Adobe Reader may change this. Foxit Reader is a popular alternative on Windows, as are Sumatra PDF and GSview; Download.com lists 123 free-license results for “pdf reader”.
Does every one of these mitigations offer absolute protection against any vulnerability? No, but each raises the attacker’s cost, and the alternative-handler measure in particular forces an attacker to find, develop and test a working exploit for a second PDF interpreter. Together these mitigations make the exposed attack surface much smaller.
With all of these mitigations in place, an individual user’s or an enterprise’s aggregate residual risk should be acceptable to most IT and InfoSec decision makers. Those who still find the risk unacceptably high should already be restricting PDFs at the perimeter. The risk from MS Office documents is analogous, with a similar set of mitigations, and deserves the same policy: either restriction at the perimeter or multiple layers of defensive mitigation.
Most enterprises should employ the above mitigating measures, continue to monitor this issue and prepare to deploy the updates beginning in mid-March.
Update: Infection may be easier than we thought, and Larry Seltzer of eWeek may give up on Reader entirely.
Update #2: Foxit Reader was vulnerable but an update and security bulletin were released on March 9th. Two other vulnerabilities were patched with the same update.
Tags: adobe vulnerability, CVE-2009-0658, foxit reader, jbig vulnerability, JBIG2 buffer overflow, jbig2 vulnerability, PDF security, security through minority, VU#905281

Perimeter defense is useless!…
I think it is well known by security experts that the old perimeter defense model just does not work any more. A firewall does give some protection, but users are constantly asking that ports be opened so that they can access services outside of the co…
Posted by: IT a digital life on March 9th, 2009 at 11:50 pm
I must take exception to absolutist or dogmatic statements like the topic of the preceding comment. Hyperbole may be effective in driving readership but it can be at the expense of credibility.
Indeed, the second sentence begins to step back from and contradict the assertion.
Our doctrine is one of synergistic layers contributing to effective defenses. Four layers of defense that are only 80% effective by themselves are 99.97% effective when they build on each other. I think most security professionals would agree firewalls are at least 80% effective when properly administered.
“Digitalchance” would seem to agree if one reads his blog entry on this topic.
Posted by: Dave Kennedy on March 10th, 2009 at 2:27 pm