The PDF file, along with its dubious companion Adobe Reader, is known for being one of the weak points in a computer's security. Holes allowing hackers and malware to weasel their way into a computer are regularly discovered in PDF files and programs. But a new way of hijacking the Adobe and Foxit readers requires no exploiting of holes or bugs; instead, it actually turns an asset of the PDF format into a liability.
These readers' incremental update features allow the execution of programs from within a document. While a user does have to agree to let a program run, hackers can manipulate the dialog box (asking the user for permission) to look legitimate. This could then be used to add malicious code to any and all PDFs on a computer.
The ability of hackers to turn this feature against the user was discovered by Didier Stevens. A week later, Jeremy Conway, a product manager at NitroSecurity, developed a proof of concept attack based on it.
Adobe responded to the initial news of Stevens's discovery with some non-specific boiler-plate babble about taking "the security of [its] products and technologies very seriously."
Foxit offered more concrete action, telling CNET that it had developed a "fix" in the wake of Conway's proof of concept, and that it would be made public within 72 hours.
CNET also spoke with Conway, who offered some advice to the makers of PDF-reading software. Since most users don't take advantage of the incremental update feature, perhaps the companies could offer "minimalist" viewers that lack this advanced yet exploitable feature. [From: CNET]
Ways to Spot E-mail Scams
The increasing flood of e-mail hitting your inbox can lower the guard of even the most cautious person. In the rush to keep up with important notes, it's easier than ever to fall prey to the scam artists and identity thieves who lurk online.
E-mail scams and phishing attempts evolve constantly, hoping to take advantage of the latest trends and current events. Although the e-mails change, the people behind them inadvertently send up the same warning signs again and again. We dug through mountains of spam to find the most prevailing trends. We've collected some actual scam e-mails and highlighted the warning signs to help you spot a hustle the next time one lands in your inbox.
1. Requests for personal information
No legitimate organization will ask for your social security, bank account or PIN number via e-mail – and none will include a link, sending you to a form to enter it. No matter how authentic these emails may look, ignore 'em.
2. Watch for typos or spelling mistakes
Scam artists are street smart, but many flunked basic grammar (or barely speak English). Look for mistakes like inappropriate hyphens or confusing "your" and "you're." If the note has multiple typos or grammatical errors, odds are it's not legitimate.
3. Clickable Web links in e-mails
Don't trust links to Web sites in e-mails. What might look like a legitimate address is often linked to a third-party site that looks official, but is actually run by thieves and scammers. These are the fast track to identity and financial theft.
4. 'Market research' or surveys that ask you for personal information.
Disguising scam e-mails as marketing is a classic ploy. You'll be asked to fill out a survey or enter a contest – requiring you to give personal information or "log on" to your account. Once you've done so, the scammers can use it themselves.
5. Stock tips from random people or companies
Got a "hot stock tip" via e-mail? It's probably a "pump and dump" scheme. The sender already owns shares – and when you and others act on the "tip," the stock price soars and he sells fast – leaving you with virtually worthless shares.
6. Attachments in e-mails from anyone you don't know
It should be common sense, but just in case, we'll remind you again: Don't open an attachment from someone you don't know – even if it appears to be your bank or credit card company. It's almost always a virus or spyware meant to steal your personal information.
7. Wordless e-mails
Some legitimate looking "e-mails" are actually just images. The danger with these is that clicking anywhere in the body takes you to a suspect Web site – where you may be fooled into entering personal information, or the scammer may slip spyware onto your machine.
8. Outdated information
Some scammers like to pose as technical- or customer support from a company you associate with – but fail to keep up with current events. For example, in the example above, the senders forgot that Earthlink bought Mindspring in 2000.
9. Red-flag phrases
If you see the phrases "verify your account," "you have won the lottery" or "if you don't respond within XX hours, your account will be closed," it's a scam – every time. Hit the delete button and don't look back.
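Tips 3, 7 and 9 can be checked mechanically by a mail filter. The following is an added example, not part of the original article: the names `audit`, `_Body` and `_host` are hypothetical, and the sample message is constructed with placeholder `.example` domains.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

RED_FLAGS = ("verify your account", "you have won the lottery",
             "your account will be closed")  # phrases quoted in tip 9

class _Body(HTMLParser):  # collects visible text and [href, link text, has_image]
    def __init__(self):
        super().__init__()
        self.text, self.links, self._open = [], [], None
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._open = [attrs["href"], "", False]
        elif tag == "img" and self._open:
            self._open[2] = True
    def handle_endtag(self, tag):
        if tag == "a" and self._open:
            self.links.append(self._open)
            self._open = None
    def handle_data(self, data):
        self.text.append(data)
        if self._open:
            self._open[1] += data

def _host(url):
    host = urlparse(url if "//" in url else "//" + url).hostname or ""
    return host.lower().removeprefix("www.")

def audit(html):  # returns (kind, detail) findings for one HTML e-mail body
    body = _Body()
    body.feed(html)
    body.close()
    findings = []
    for href, shown, _ in body.links:  # tip 3: displayed address vs. real target
        m = re.search(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}", shown, re.I)
        want, real = _host(m.group(0)) if m else "", _host(href)
        if want and real != want and not real.endswith("." + want):
            findings.append(("link-mismatch", real))
    visible = " ".join("".join(body.text).split()).lower()
    if not visible and any(img for _, _, img in body.links):  # tip 7
        findings.append(("image-only", _host(body.links[0][0])))
    findings += [("red-flag-phrase", p) for p in RED_FLAGS if p in visible]
    return findings

# Constructed sample body, not a real message; .example names are placeholders.
PHISH = ('<p>Please verify your account today.</p>'
         '<a href="http://examplebank.example.acct-check.example/">www.examplebank.example</a>')
```

A link whose real host is the displayed domain or one of its subdomains is not flagged, so a message linking to a bank's own `secure.` subdomain passes the link check.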
Comments
BrianM, Apr 7th 2010 6:49AM
Adobe Software Security = FAIL
realcode04, Apr 7th 2010 7:42AM
Just like Flash player, Acrobat used to be ok. And now, just like Flash, it's one of the most bloated, processor hogging pieces of junk produced by Adobe. And the update engine is one of the most annoying things ever produced. That stupid piece of junk fires off at anytime, and almost always when I need my bandwidth the most.
Marzboy, Apr 7th 2010 8:22AM
If these hackers--more appropriate to call them 'creatures' are caught, they should be given stiff prison sentences with no mercy or plea bargaining--ZERO.
zach, Apr 7th 2010 9:31AM
flash crashes my firefox while playing a game for awhile because it's such a processor rapist. pdf can't even be in the background or my computer is slower than snail walking uphill on ice. i wish there was a way to open pdf files without the use of this software. i'm not even concerned so much about security, because i'm not stupid enough to download something that may be malicious, or to run a program if it asks. i just want a lightweight form that doesn't slow my computer.
Millerson, Apr 7th 2010 9:48AM
Does ANYONE have any problems with this using a Mac? My bet is that you are all PC users, because I've never experienced any slowing down, or any viruses of any sort - and I have used my computer in business research all over the world for 20 years now (always with a Mac).
wterrietw0000, Apr 7th 2010 10:54AM
And please King David may we pray her mother board fries. Amen!
King David, Apr 7th 2010 11:26AM
HA!! Someone took my warning and "Sue's" notice off of the post. Hmmmmm, can someone say "censorship"????? LOL
Your point, and hope, is certainly a good one!!
nprophe569, Apr 7th 2010 11:48AM
I agree I have nothing but trouble with Adobe. I guess the funny part, if there is funny part, I thought I was the only one. I am sure my computer received a virus via Adobe however no one believed me. I will also say I'm getting real tired of a virus passing thru my Norton. I have to get ahold of Norton to clean up the mess and again real funny I'm the only one with the problem.
Dave, Apr 7th 2010 12:28PM
Bail Norton, it is a gigantic system hog, probably the worst of all anti-virus software.
McAfee isn't much better. Try Avast, it's free, more effective than those other two that I just mentioned, and light on its feet. I've heard Avira was really good too.
You'll notice an immediate improvement in your computer's performance besides the fact that those two free apps are actually more effective at blocking viruses than the big names.
rare1956tralfaz, Apr 7th 2010 12:26PM
And this could affect my Linux system how???
Katie, Apr 7th 2010 1:49PM
What is the fascination with screwing up someone's computer whom you don't even know? Why not take the intelligence you were given and turn it into something good that will benefit mankind instead of destroying perfect strangers' property for no reason!
Bill, Apr 7th 2010 3:30PM
We can't punish the computer hackers. If we do, we might hurt their feelings and the 16 years of "feel good about yourself" schooling will have been wasted.