Booby-Trapped PDFs

March 31, 2010

Back in February, I posted a note here about a study showing that the most popular vehicle for Web-based malicious software was Adobe’s PDF document format.  Software to read this format is very widely installed, across all major platforms (Adobe’s own Reader product is available for Windows, Linux, Mac OS X, and Solaris).  So, I have argued, it is not hard to understand why malicious PDF files are popular with the Bad Guys.

I’m afraid that they’re likely to get even more popular.  A Belgian security researcher, Didier Stevens, has discovered a technique for embedding executable content in a PDF file, so that it will be run automatically when the file is opened.  What makes this technique both novel and worrying is that it does not exploit a security vulnerability.  Instead, it uses a “feature” of the PDF specification that allows the document to specify a “Launch Action” to be executed when the document is opened.  (This is somewhat analogous to the old AUTOEXEC.BAT facility in MS-DOS.)

As M. Stevens discusses in his blog post, opening the file with Adobe Reader results in the display of a warning message; since the document can specify part of the message, he suggests that clever social engineering could result in quite a few clicks on OK.  Some other PDF readers (e.g., Foxit) just silently execute the code without any warning at all.   Stevens’s technique does not use JavaScript, a popular PDF attack vector, at all, so disabling JavaScript, a commonly recommended precaution, will not help here.   Adobe and other software vendors cannot issue a patch, in the usual sense, because there is no bug in the software being exploited; the flaw is in the specification of the PDF document format.
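A defender’s triage check for the pattern described above, added here as an example; it is not Stevens’s tool or proof-of-concept, and the PDF skeleton it scans is constructed for illustration.  It counts the PDF keys that make a viewer act on its own when a document is opened (/OpenAction, /AA) and the /Launch action type, decoding the #xx hex escapes that PDF name objects permit so that a disguised name still matches:

```python
import re

# Constructed sample: a minimal PDF skeleton whose catalog has an /OpenAction
# pointing at a /Launch action.  The action name is written with a #xx escape
# (/#4Caunch) to show why names must be normalised before matching.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Type /Action /S /#4Caunch /F (placeholder-program) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample with no actions at all, for comparison.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A PDF name object: a slash followed by characters up to a delimiter.
NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]*)")

def normalize_names(data: bytes) -> bytes:
    """Decode #xx hex escapes inside name objects (e.g. /#4Caunch -> /Launch)."""
    def decode(m):
        raw = m.group(1)
        return b"/" + re.sub(rb"#([0-9A-Fa-f]{2})",
                             lambda h: bytes([int(h.group(1), 16)]), raw)
    return NAME_RE.sub(decode, data)

# Keys that cause a viewer to do something without a user asking for it.
SUSPICIOUS = [b"/OpenAction", b"/AA", b"/Launch", b"/JavaScript", b"/JS"]

def scan_pdf(data: bytes) -> dict:
    """Count each suspicious key (as a whole name) after de-obfuscation."""
    norm = normalize_names(data)
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", norm))
            for k in SUSPICIOUS}

def triage(data: bytes) -> str:
    """'launch-on-open' is the no-JavaScript pattern the post describes."""
    c = scan_pdf(data)
    if c["/Launch"] and (c["/OpenAction"] or c["/AA"]):
        return "launch-on-open"
    if c["/Launch"] or c["/JavaScript"] or c["/JS"]:
        return "has-actions"
    return "no-auto-actions"

if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF), triage(SAMPLE_PDF), triage(CLEAN_PDF))
```

Like any keyword scan, this does not look inside compressed object streams, so files that use them need to be unpacked before this check is meaningful.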

M. Stevens has informed Adobe of his proof-of-concept PDF, which he has not published (yet).  However, I would expect others to be able to work out how to do this, especially since they have a pretty clear indication of where to look.  We can all hope that Adobe comes up with a clever solution; perhaps Launch Actions could be disabled by default (though that would not eliminate the risk from social engineering).

The broader lesson here is that designing a system that has provision for the automatic execution of code is generally a Really Bad Idea.  (Ask Microsoft about auto-run macros in Office documents, or AUTORUN.INF on CDs.)  It sometimes is necessary to live without a little added convenience for the sake of reasonable security.


Thunderbird 3.0.4 Released

March 31, 2010

The good folks at the Mozilla Messaging project have released a new version, 3.0.4,  of the Thunderbird E-mail client.  This version corrects a number of bugs, including five security vulnerabilities, three of which are serious.  Further details are in the Release Notes.  The new version is available via the built-in update mechanism (Help / Check for Updates from the main menu); alternatively, versions for all platforms (Linux, Mac OS X, and Windows) can be downloaded here, in your choice of 50 or so languages.


Toyota, NASA, and Cosmic Rays

March 30, 2010

By now, I’m sure that almost everyone has heard about the vehicle recall and attendant problems that Toyota has been having in the last few months.  I’ve posted a couple of notes here, about the difficulty of finding flaws in a very complex system, and about the possibility that software bugs might be responsible.  In the last few days, there have been some intriguing further developments in this story.

Toyota has consistently maintained that the problem (of unintended acceleration) is not due to any flaw in its electronic throttle controls.  This claim has been regarded with some skepticism (including mine), because finding problems in systems as complex as this is not easy.  To underscore this point, the New Scientist has an interesting article summarizing some of the many ways in which electronic controls are used in today’s automobiles.  There are many control subsystems, which are linked together using a “data bus” network.  One of the questions raised in the article is whether that bus, or the electronic components themselves, can malfunction if data is corrupted by some external influence, such as electromagnetic interference [EMI].   According to the article, there is at least one case of this affecting vehicle anti-lock braking systems:

During the 1980s, drivers of Mercedes-Benz cars with anti-lock brakes (ABS) reported that their brakes were failing on a section of autobahn in the Saarland region of Germany. The problem, caused by electromagnetic interference (EMI) from a nearby radio transmitter, was solved by putting up a giant wire mesh by the side of the road to shield traffic from its radio transmissions.

There have also been documented cases of EMI causing problems with remote locking and security systems.

As if terrestrial sources of EMI, like radio transmitters, were not enough, a recent article at Live Science suggests that another possible cause of Toyota’s problem is cosmic rays.  This is actually not as goofy as it might at first sound.  As modern digital electronics have gotten smaller and more densely packed (Moore’s Law, and all that), they are representing each bit of data with a smaller electric charge.  As the charge gets smaller, it becomes more susceptible to being disrupted by highly-energetic particles, like those associated with cosmic rays.  It’s well known in the aerospace industry, for example, that radiation can “flip” individual bits in semiconductor devices.  Some types of devices, those that are “field programmable”, are especially vulnerable, because they store not only their data but also their basic logic in memory (somewhat analogous to microcode).  It’s not at all clear how much, if any, of this has been evaluated in the context of automobiles.

Fortunately, the problem has festered long enough that some additional expertise is to be brought to bear.  According to a Reuters report carried by the Washington Post, scientists from NASA have been asked to assist the National Highway Traffic Safety Administration [NHTSA] in analyzing the electronic throttle controls used by Toyota.  Additionally, Transportation Secretary Ray LaHood has asked the National Academy of Sciences to conduct a study of unintended acceleration across the auto industry.  This is a welcome development.  I am sure that the engineers at the NHTSA are very good at analyzing the effects of traffic conditions and wet pavements on accidents, but it is less clear that their expertise extends to finding flaws in complex software systems.  As we become increasingly dependent on technology in all phases of life, we mustn’t let petty things like inter-agency rivalries get in the way of solving problems.


Microsoft Releases IE Security Patches

March 30, 2010

As expected, today Microsoft released a security bulletin for Internet Explorer outside of its normal monthly patch cycle.  This bulletin (MS10-018) is a cumulative security update for all supported versions of Internet Explorer.  It fixes the vulnerability I wrote about earlier this month, but it also addresses nine other vulnerabilities.  The update has a Critical severity rating for all versions of Internet Explorer on all supported Windows clients (2000, XP, Vista, 7).  It is rated Important or Moderate for server versions of Windows.

(The monthly Security Bulletin Summary for March has been updated to include this release.)

At least one of these vulnerabilities is currently being exploited via the Internet, so I recommend installing this update as soon as you can.  It is available via Windows Update, or can be downloaded from the links in the bulletin.


Microsoft to Issue Out-of-Band Security Bulletin

March 29, 2010

Microsoft has issued an advance notification for a Security Bulletin to be issued tomorrow, March 30, outside its normal monthly patch release cycle.  The primary purpose of this patch release is to provide a fix for a flaw in Internet Explorer versions 6 and 7, which I have written about earlier this month.  (I posted a note here about a temporary fix.)   The fix, as is common for IE patches, will be cumulative, incorporating previous updates.  Users of Internet Explorer version 8 should note that, although the patch is primarily aimed at the flaw in IE 6 and 7, it will also include fixes for IE 8 on all supported versions of Windows.  The IE 8 fixes are rated Critical for Windows XP, Vista, and 7.

As usual, I will post an update here once the patches are actually released.


Apple Releases “Snow Leopard” 10.6.3

March 29, 2010

Apple has released an updated version, 10.6.3, of the Mac OS X operating system, “Snow Leopard”.  The new version incorporates numerous fixes to system components, summarized here (essentially, the release notes, although Apple doesn’t use that term).   It also incorporates a number (69) of security fixes.

The new version can be downloaded and installed through the built-in Software Update mechanism.  Alternatively, you can download a stand-alone installation package, which may be handy if you have several machines to upgrade.

The “Infinite Loop” blog at Ars Technica has an article discussing the updates.

