Friday, October 10, 2014

Locking down Adobe Reader to prevent PDF vulnerabilities, as much as possible

Adobe PDF vulnerabilities rising risk - why?

This was primarily due to increased exploitation of vulnerabilities in Adobe Reader and Adobe Acrobat software, as shown in Figure 2 from (
Figure 2: Computers affected with exploits for document readers and editors
The Win32/Pdfjsc family was the main contributor to the rise in 4Q12. It is a family of specially crafted PDF files that exploit vulnerabilities in Adobe Acrobat (the PDF creator) and Adobe Reader. 

How do you get infected? A brief explanation 

1) Adobe Reader, like many other document applications, can be scripted for added functionality. 

In Microsoft Office, functionality is added via macros written in the Visual Basic scripting language, and scripting is now turned off by default for new installs. (This has long been a sore spot for Microsoft, and is one of the motivations for moving Office 365 into the cloud, which prevents all of this: opening a bad document infects the "cloud" (ha-choo-d) and not your local machine.) Adobe Reader specifically uses JavaScript as its "macro" language. Note that this script runs on both Mac and Windows, so don't kid yourself that Macs are safer. These scripting vulnerabilities are also not limited to the two aforementioned companies; they are just the most popular and therefore the best-paying targets for hackers. OpenOffice uses Basic as its scripting language; Apple's Keynote, Numbers, and Pages use AppleScript; and many text editors and IDEs have their own macro language. 

2) Adobe Reader is trusted once installed, so macros can be programmed to do bad things from a trusted state

Just the simple act of opening the PDF file can exploit a vulnerability to automatically download malicious code from the internet, then display a decoy PDF file to trick you into believing that nothing wrong has happened. Since Adobe Acrobat is installed and fully trusted, all the permissions have already been granted in your OS and usually in your antivirus and firewall. Moreover, it can launch sub-programs, such as a command line, that are trusted to run scripts. These downloaded programs "should" be picked off by the best antivirus programs, but clearly they are falling behind the onslaught of these crafted payloads.

Again, these downloaded PDF files contain JavaScript that executes when the file is opened. The embedded JavaScript may contain malicious instructions, such as commands to download and install other malware. Files that use the Win32/Pdfjsc technique may arrive on the system when a user visits a compromised or malicious webpage, or opens a malicious PDF email attachment.

Upload questionable PDFs to an online drive

An easy solution is to use Microsoft OneDrive or Google Drive: upload the PDF and open it there! Do this for any questionable PDF. I would recommend doing the same with any questionable document, such as Word, PowerPoint, or Excel files.

If your default browser is Microsoft Internet Explorer, you may have to do some work just to download a PDF directly to your hard drive without opening it in Adobe Reader first. Check out this article: it explains how to do that, and it also works for IE 11. 

Additionally, there are "PDF scanners" you can use to check PDFs for exploits; see this article (scroll to the end for a good list of free software; you have to be technically declined ;).
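As an added example that is not from the original post, here is a read-only PowerShell triage script that flags the PDF features described above (the embedded JavaScript used by Win32/Pdfjsc, actions that fire on open, the /launch trick, web access) before you decide to open a file in Reader. It assumes PowerShell 5.1 or later and writes its own constructed sample file; nothing in it is real malware.

```powershell
function Get-PdfRiskIndicators {
    param([Parameter(Mandatory)][string]$Path)
    # Map bytes 1:1 to characters so binary stream content does not break the regex scan
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::GetEncoding('ISO-8859-1').GetString($bytes)
    # PDF names may be written with #xx hex escapes (e.g. /J#61vaScript) to dodge naive scanners
    $text  = [regex]::Replace($text, '#([0-9A-Fa-f]{2})',
        [System.Text.RegularExpressions.MatchEvaluator]{ param($m) [string][char][Convert]::ToInt32($m.Groups[1].Value, 16) })
    $keywords = [ordered]@{
        '/JavaScript'   = 'document-level JavaScript (the Win32/Pdfjsc technique)'
        '/JS'           = 'JavaScript action'
        '/OpenAction'   = 'runs an action as soon as the file opens'
        '/AA'           = 'additional actions on page or field events'
        '/Launch'       = 'starts an external program (the /launch trick)'
        '/URI'          = 'opens a web address'
        '/EmbeddedFile' = 'carries a non-PDF attachment'
        '/RichMedia'    = 'Flash or other multimedia content'
    }
    $hits = foreach ($k in $keywords.Keys) {
        # Require a non-name character after the keyword so /JS does not also match /JSomething
        $n = [regex]::Matches($text, [regex]::Escape($k) + '(?![A-Za-z0-9])').Count
        if ($n -gt 0) { [pscustomobject]@{ Keyword = $k; Count = $n; Meaning = $keywords[$k] } }
    }
    $hasCode  = ($hits.Keyword -contains '/JavaScript') -or ($hits.Keyword -contains '/JS') -or ($hits.Keyword -contains '/Launch')
    $autoRuns = ($hits.Keyword -contains '/OpenAction') -or ($hits.Keyword -contains '/AA')
    $verdict  = if ($hasCode -and $autoRuns) { 'HIGH: script or launch action wired to run on open' }
                elseif ($hasCode)            { 'MEDIUM: contains script or launch action' }
                elseif ($hits)               { 'LOW: review the indicators' }
                else                         { 'no risky features found' }
    [pscustomobject]@{ File = $Path; Verdict = $verdict; Indicators = $hits }
}

# Constructed sample (not real malware): a minimal PDF whose OpenAction points at JavaScript,
# with the action name hex-escaped the way evasive samples write it
$sample = Join-Path $env:TEMP 'constructed-sample.pdf'
@'
%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj
trailer << /Root 1 0 R >>
'@ | Set-Content -Path $sample -Encoding Ascii
Get-PdfRiskIndicators -Path $sample | Format-List
```

A hit on these keywords is a reason to open the file in OneDrive or Google Drive as suggested above rather than in Reader, not proof of malice; legitimate forms use JavaScript too.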

Good News - Stop PDFs running malicious macros
Here's how to lock down Adobe Reader. The first two steps are essential, and you should also set a firewall rule to block Adobe Reader from the network completely.

1) Disable JavaScript in Adobe Reader - it's a preference!
    In Adobe Reader, choose Edit -> Preferences to get the following window:

2) Block PDFs from connecting to external sites in Adobe Reader

While in Preferences, select Trust Manager and do the following:
a) Uncheck "Allow opening of non-PDF file attachments with external applications".
b) Under Change Settings, check "Block PDF files access to web sites".

3) Under Security (Enhanced), turn off "Automatically trust sites from my Win/Mac OS security zones". This prevents the demonstrated social engineering attack, which relies on the "/launch" functionality described in the PDF specification (ISO PDF 32000-1:2008) under section 

4) Under Multimedia Trust (legacy), turn off "Allow multimedia operations". This prevents Adobe Flash Player and others from being used (another hugely exploited program; is anyone seeing a pattern here with Adobe?)

5) Under Online Services, turn off "Always connect when opening documents enabled for live collaboration"

6) Set Tracker to Never

Additional steps to lock down Adobe Reader

1) Add an outbound rule for Adobe Reader in Windows Firewall to block it from going to the internet. While you are there, add an inbound rule as well.

2) Note that Microsoft Windows only allows one active firewall at a time. This means that if your antivirus solution has a firewall, it will overrule the Microsoft firewall. Here's how to set a firewall rule in Kaspersky
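The preference and firewall steps above can also be applied from an elevated PowerShell prompt. This added script is not from the original post; it assumes 32-bit Adobe Reader XI or DC on 64-bit Windows, and the registry value names are taken from Adobe's Preference Reference for the FeatureLockDown policy key, so confirm them for your version before rolling it out.

```powershell
# Run as Administrator. HKLM policy values are locked (users cannot undo them in Preferences);
# the HKCU values mirror the checkboxes in the post for the current user only.
$ErrorActionPreference = 'Stop'
$readerVersion = 'DC'   # assumption: use '11.0' for Reader XI
$policy = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\$readerVersion\FeatureLockDown"
$user   = "HKCU:\Software\Adobe\Acrobat Reader\$readerVersion"

$locked = [ordered]@{
    'bDisableJavaScript'          = 1   # step 1: no JavaScript at all
    'bEnhancedSecurityStandalone' = 1   # step 3: Enhanced Security on
    'bEnhancedSecurityInBrowser'  = 1
    'bProtectedMode'              = 1   # keep Reader's sandbox on
    'iProtectedView'              = 2   # open every file read-only in Protected View
}
New-Item -Path $policy -Force | Out-Null
foreach ($name in $locked.Keys) {
    New-ItemProperty -Path $policy -Name $name -Value $locked[$name] -PropertyType DWord -Force | Out-Null
}
# step 2b: block PDF access to web sites (0 = block all, 1 = ask per site, 2 = allow all;
# verify these values against the Preference Reference for your build)
New-Item -Path "$policy\cDefaultLaunchURLPerms" -Force | Out-Null
New-ItemProperty -Path "$policy\cDefaultLaunchURLPerms" -Name 'iURLPerms' -Value 0 -PropertyType DWord -Force | Out-Null

# step 2a and step 3 as per-user preferences: no external apps for attachments, no OS-zone trust
New-Item -Path "$user\TrustManager" -Force | Out-Null
New-ItemProperty -Path "$user\TrustManager" -Name 'bAllowOpenFile' -Value 0 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path "$user\TrustManager" -Name 'bTrustOSTrustedSites' -Value 0 -PropertyType DWord -Force | Out-Null

# Additional steps: block Reader in both directions (netsh works from Windows 7 onward).
# Assumption: 32-bit Reader; the 64-bit Acrobat Reader DC builds use Acrobat.exe instead.
$exe = Get-ChildItem -Path 'C:\Program Files (x86)\Adobe', 'C:\Program Files\Adobe' -Filter AcroRd32.exe -Recurse -ErrorAction SilentlyContinue |
       Select-Object -First 1 -ExpandProperty FullName
if (-not $exe) { throw 'AcroRd32.exe not found; set $exe to the Reader path by hand' }
foreach ($dir in 'in', 'out') {
    netsh advfirewall firewall add rule name="Block Adobe Reader ($dir)" dir=$dir program="$exe" action=block enable=yes | Out-Null
}
Write-Host "Locked down Adobe Reader $readerVersion and blocked $exe in Windows Firewall."
```

As the post notes, if a third-party suite such as Kaspersky owns the firewall, the netsh rules are created but not enforced, so add the equivalent rule in that product.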
