The Mac Security Blog

Mac PDF Trojan Horse Surfaces; Threat is Low

A new malware sample affecting Mac OS X has been discovered. It is an application masquerading as a PDF file, which connects to a remote server to download a backdoor. The application displays text, as a PDF would, so that users who open it do not notice what is really happening. (The current sample contains Chinese text, but any text could be used with this Trojan horse.)

When a user opens the file, the executable goes into action, extracting a different executable, which then downloads a backdoor from a remote server. This first executable only works on Intel-based Macs, and the backdoor does not work on Macs using a case-sensitive file system (which is not the default). The backdoor takes screenshots and sends them to a command and control server, and can perform other actions.

This PDF Trojan horse was not found in the wild and is most likely a proof of concept. Its design is clunky, yet it works and does connect to an active server. For VirusBarrier X6 users, the program’s Anti-Spyware feature alerts them when the first executable attempts to download the backdoor, preventing its installation. Intego VirusBarrier X6 protects against this malware, detecting the Trojan horse component as OSX/Revir.A and the backdoor as OSX/Imuler.A. We consider the threat to be very low, as it has not been found in the wild.
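To make the "application masquerading as a PDF" pattern concrete from the defender's side, here is an added Python check. It is not Intego's detection logic and makes no claim about the bytes of the OSX/Revir.A sample: it simply compares what a file name claims with what the file's leading bytes show. The Mach-O magic numbers are Apple's documented values; the file names and inputs are constructed for the example.

```python
"""Check whether a file that presents itself as a PDF really is one.

Added example for the "application masquerading as a PDF" pattern;
not Intego's detection logic and not derived from the OSX/Revir.A
sample. Magic numbers come from Apple's <mach-o/loader.h> and
<mach-o/fat.h>; sample inputs are constructed here.
"""
import struct

# Thin Mach-O magic numbers, in the byte order they appear on disk.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"   # universal binary; also the Java class-file magic


def classify(data: bytes) -> str:
    """Describe what the leading bytes of `data` say the file really is."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    head = data[:4]
    if head in MACHO_MAGICS:
        return MACHO_MAGICS[head]
    if head == FAT_MAGIC and len(data) >= 8:
        # Fat header: a big-endian nfat_arch count follows the magic and is
        # small. A Java class file carries minor/major version bytes here
        # instead, and the major version alone is >= 45, so a small count
        # separates the two formats.
        (nfat_arch,) = struct.unpack(">I", data[4:8])
        if 0 < nfat_arch < 20:
            return "Mach-O fat (universal) binary"
        return "java-class"
    return "unknown"


def check_claimed_pdf(filename: str, data: bytes) -> dict:
    """Compare the type a file name claims with the type its content shows.

    A name ending in .pdf whose bytes are an executable is the mismatch
    worth escalating. A genuine PDF may still carry risky features, but
    that is a separate check.
    """
    claims_pdf = filename.lower().endswith(".pdf")
    actual = classify(data)
    return {
        "name": filename,
        "claims_pdf": claims_pdf,
        "actual": actual,
        "suspicious": claims_pdf and actual != "pdf",
    }


# Constructed inputs: only the header bytes matter for this check.
REAL_PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj << /Type /Catalog >> endobj\n"
FAKE_PDF = b"\xcf\xfa\xed\xfe" + b"\x07\x00\x00\x01" + b"\x00" * 24   # start of an x86-64 Mach-O header
JAVA_CLASS = b"\xca\xfe\xba\xbe\x00\x00\x00\x34"                       # class file, major version 52
FAT_BIN = b"\xca\xfe\xba\xbe\x00\x00\x00\x02" + b"\x00" * 40            # fat header with two slices

if __name__ == "__main__":
    for name, blob in [("invoice.pdf", REAL_PDF), ("invoice.pdf", FAKE_PDF),
                       ("Main.class", JAVA_CLASS), ("tool", FAT_BIN)]:
        print(check_claimed_pdf(name, blob))
```

For an application bundle, the bytes to inspect are those of the executable under Contents/MacOS, not the bundle directory itself; the check is deliberately limited to headers, so a mismatch is a reason to look further rather than a verdict.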


Apple Updates iOS for PDF Vulnerability

Apple has released iOS 4.3.4, an update to the operating system for the iPhone, iPad and iPod touch. This update contains fixes for the PDF vulnerability that allows easy jailbreaking of these devices. Apple has also released iOS 4.2.9 with the same fixes for the CDMA (Verizon) version of the iPhone 4.

These updates are available, as always, via iTunes, when a compatible device is connected, and when you click on Check for Update.


iOS PDF Vulnerability Creates Security Risks, Allows Easy Jailbreaks

The German IT Agency has issued a security note about a PDF vulnerability affecting Apple’s iOS. This vulnerability is related to the way iOS handles fonts embedded in PDF files, and could allow remote code execution. In other words, loading a malicious PDF file, either received by e-mail, or loaded from a web page, could lead to attackers executing code on an iOS device.

This vulnerability has been used to provide a simple way to jailbreak iOS devices from a web page. (Jailbreaking is a way of hacking the operating system to allow users to access other features and install software not available through the iTunes Store.) Intego strongly recommends against jailbreaking iOS devices, as this opens them to a number of security risks.

Apple should release a security update to iOS in the near future to deal with this vulnerability. In the meantime, users are advised to avoid downloading or viewing PDF files from untrusted sources on their iOS devices.


Firefox to Add Built-In PDF Display Framework

The Firefox web browser plans to add a built-in PDF display framework, built around HTML5 and JavaScript, in future versions. Given that many users view PDFs on the web, and that some browsers, notably Firefox, either hand these files off to external PDF viewers such as Preview or Adobe Reader or depend on plug-ins to show them, this solution removes the need for plug-ins that display PDFs in the browser.

Apple’s Safari integrates with Apple’s PDF viewing framework, displaying PDFs that users click on directly in a Safari window. Those who use Adobe Reader or Acrobat can add plug-ins, for Safari, Firefox, or other browsers, to do the same thing. Firefox, however, will avoid the plug-in issue by integrating a PDF display framework in the browser itself.

This is useful not only for making PDFs easier to read, but also for improving security. Flaws are regularly found in Adobe Reader and Acrobat, given the ubiquity of these programs and the ease of creating malicious PDF files that exploit such vulnerabilities. With a built-in PDF viewing framework, security is enhanced.

From a security perspective, this enlarges the trusted code base, and because of that Google’s Chrome browser goes through quite some pain to sandbox the PDF renderer to avoid code injection attacks. An HTML5-based implementation is completely immune to this class of problems. [...] pdf.js uses only safe web languages and doesn’t contain any native code pieces attackers could exploit.

For now, there is no date as to when this will be available in Firefox, but it will certainly be a valuable addition to the browser.


PDFs Are More Dangerous than Previously Thought

In a recent presentation to the Chaos Communication Congress in Berlin, security researcher Julia Wolf highlighted a number of “features” of the PDF format that could lead to serious security issues. Wolf showed that a PDF could contain a database scanner that could “scan a network when the document is printed on a network printer,” and that PDFs could “blindly trigger the execution of arbitrary programs in Acrobat Reader.” PDFs also support “inherently insecure script languages such as JavaScript, formats such as XML, RFID tags and digital rights management (DRM) technologies.”

In addition, PDFs are structured such that data can be hidden in many places within a file. Document content and metadata can be read and modified using JavaScript, and compressed files, such as ZIP files, can be incorporated inside PDFs. In short, the PDF format, designed to retain layout across platforms, has been turned into a kitchen-sink format that does far too much, and this overloading of features leads to potential security issues.

Adobe plans to use sandboxing in the next version of its Reader and Acrobat software, but it’s not clear whether this will be enough to mitigate some of the possible exploits that can be used in PDFs.

So, once again, we strongly recommend that Mac users use Preview to view PDFs, unless they absolutely need features present in Adobe’s software.


PDF Flaw, Inherent in Adobe Acrobat and Reader, Could Lead to Many Attacks

Computerworld is reporting on a new problem with Adobe Acrobat and Reader software. Initially presented about ten days ago by security researcher Didier Stevens on his blog, this attack uses no underhanded tricks to perform its nefarious action. It simply uses a “feature” of Adobe’s PDF reader software that allows PDFs to contain instructions to open applications and execute code. Getting people to open the PDFs in question is a matter of social engineering, because opening them leads to a message being displayed by the software. However, the hacker creating the PDF can choose the wording of this message, so there is a real possibility that people will be tricked.

Adobe is as reticent about turning this off as it is about JavaScript, another vector of attack. There is a preference that can be turned off to protect from this “feature” – in the Trust Manager preferences, uncheck “Allow opening of non-PDF file attachments with external applications” – but most users won’t make this change, or even know about it.

Well, you know about it, so go change the preferences in your Adobe PDF software. Or, just use the easy solution: Apple’s Preview instead of Adobe Acrobat or Reader.
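The two posts above describe the same underlying problem from different angles: the PDF format carries actions (the launch “feature” Didier Stevens demonstrated, actions that fire when a document opens), scripting, and embedded files such as ZIP archives. A defender's first question about an incoming PDF is therefore whether it uses any of those features at all. Below is an added Python triage scanner that answers that question; it is not code from this blog, from Adobe, or from the researchers cited. It looks for the name tokens behind those features and handles two things a plain text search misses: PDF names may hex-escape characters (so /L#61unch is the same name as /Launch), and object bodies may sit inside FlateDecode-compressed streams. The two sample documents are constructed for the example.

```python
"""Triage a PDF for the features that turn a document into an execution vector.

Added example; not code from the blog, from Adobe, or from the researchers
the posts cite. It flags the name tokens behind launch actions, JavaScript,
open-time actions and embedded files, and normalises two things a plain
grep misses: hex-escaped names (/L#61unch) and FlateDecode-compressed
object streams. The sample documents are constructed here.
"""
import re
import zlib

# Name tokens worth a second look, with the reason each matters.
RISKY_NAMES = {
    "/Launch": "action that opens an external application or file",
    "/JavaScript": "script dictionary",
    "/JS": "script body",
    "/OpenAction": "action run as soon as the document opens",
    "/AA": "additional, event-triggered actions",
    "/EmbeddedFile": "embedded attachment (e.g. a ZIP file)",
    "/RichMedia": "rich-media (Flash) content",
}

NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]+")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
OBJ = re.compile(rb"\bobj\b(.*?)\bendobj\b", re.DOTALL)
STREAM = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_name(token: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    raw = HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), token)
    return raw.decode("latin-1")


def inflate_streams(data: bytes) -> bytes:
    """Return `data` followed by the decompressed body of every FlateDecode stream."""
    extra = []
    for obj in OBJ.finditer(data):
        body = obj.group(1)
        sm = STREAM.search(body)
        # The stream dictionary precedes the 'stream' keyword within the object.
        if sm and b"/FlateDecode" in body[:sm.start()]:
            try:
                extra.append(zlib.decompress(sm.group(1)))
            except zlib.error:
                pass  # damaged or non-zlib data: leave it to a full parser
    return data + b"\n" + b"\n".join(extra)


def scan(data: bytes) -> dict:
    """Count each risky name after escape- and stream-normalisation."""
    found = {}
    for tok in NAME_TOKEN.finditer(inflate_streams(data)):
        name = normalize_name(tok.group(0))
        if name in RISKY_NAMES:
            found[name] = found.get(name, 0) + 1
    return found


# Constructed sample 1: an OpenAction pointing at a Launch action whose
# name is hex-escaped, which a search for the literal "/Launch" never sees.
SAMPLE_LAUNCH = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Type /Action /S /L#61unch /F (placeholder.app) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample 2: a JavaScript action inside a compressed stream.
_INNER = b"<< /Type /Action /S /JavaScript /JS (app.alert('constructed sample')) >>"
_PACKED = zlib.compress(_INNER)
SAMPLE_FLATE = (
    b"%PDF-1.5\n"
    b"4 0 obj << /Length " + str(len(_PACKED)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + _PACKED + b"\nendstream\nendobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for label, pdf in [("launch", SAMPLE_LAUNCH), ("flate", SAMPLE_FLATE)]:
        hits = scan(pdf)
        print(label, {k: (v, RISKY_NAMES[k]) for k, v in hits.items()})
```

A raw-byte triage like this sees names in plain object bodies and in FlateDecode streams, but not in object streams (/ObjStm) or under other filters, so an empty result is weaker evidence than a flagged one. Didier Stevens' own pdfid and pdf-parser tools do the same job more thoroughly, and a hit on /Launch or /OpenAction is exactly the case where the Trust Manager preference mentioned above, or simply opening the file in Preview, matters.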