Reducing Risk (Computer)

Yamaha FJR Motorcycle Forum


Bounce

You may have heard that, as of a few months ago, Adobe bypassed Microsoft as the most exploited vector for malware and virus attacks. For the first time in PC history, a company other than MS has become the primary target for virus writers to gain access to your machine.

There are a few reasons but the primary 2 are Javascript and external application launching.

Javascript is an exploit that makes Adobe Acrobat (Reader) susceptible to attack due to a weakness ("error") in the code. It allows the writer of malware to write a script that does things in the background without your knowledge. Until the creators of Java plug these "holes" in their product, you can minimize your risk by simply turning off Javascript like you do in your web browsers.

1. Open up your Acrobat (Reader) software

2. Navigate through the Edit/Preferences menu options

3. Find Javascript in the left margin

4. Turn off the check mark next to "Enable Acrobat Javascript"

The second exploit isn't an error in the code of Acrobat, it's a function of its design. In an attempt to render documents of all types, it has the ability to execute external applications (run programs from within Acrobat (Reader)). That means a bad guy can use Acrobat (Reader) to run any program they want, including their malware program that hijacks your computer so it can be used to attack other computers or send spam e-mails to millions of other people per day. To prevent this from happening you:

1. Open up your Acrobat (Reader) software

2. Navigate through the Edit/Preferences menu options

3. Find the Trust Management option in the left margin

4. Turn off the check mark next to "Allow opening of non-PDF file attachments with external applications"
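
A way to check a particular PDF for the two features the post above switches off, before opening it (added example, not part of the original post; the list of names, the helper names and the sample bytes are this example's own):

```python
import re

# PDF name tokens tied to the two features the post turns off
# (the mapping is this example's own choice, not an Adobe list).
RISKY_NAMES = {
    "/JavaScript": "JavaScript action",
    "/JS": "JavaScript source",
    "/Launch": "launches an external application",
    "/OpenAction": "action that runs when the file opens",
    "/AA": "additional automatic actions",
    "/EmbeddedFile": "file attachment",
}

HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A name is "/" followed by anything up to whitespace or a PDF delimiter.
NAME_TOKEN = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript is read as /JavaScript."""
    plain = HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Count risky names in the uncompressed parts of a PDF."""
    counts = {}
    for token in NAME_TOKEN.finditer(data):
        name = decode_name(token.group(0))
        if name in RISKY_NAMES:
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample, not a real document: an open action, a script
# action with an escaped name, and a launch action.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /J#61vaScript /JS (placeholder) >> endobj\n"
    b"3 0 obj << /S /Launch /F (placeholder) >> endobj\n"
)

if __name__ == "__main__":
    for name, count in sorted(scan_pdf(SAMPLE).items()):
        print(f"{name:<14} {count}  {RISKY_NAMES[name]}")
```

Names stored inside compressed streams are not seen by this scan, and a hit only shows that the feature is present in the file, not that the file is malicious.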

 
Thank you!

btw: What does this have to do with reducing Rick? ;)

 
I just did this several times, going back before even exiting the program I see they reset themselves right back to where they were. WTH ?

 
Do remember that there are legitimate programs that USE Java script within Acrobat, and thus won't work if you disable it. One I use frequently is printing USPS Priority Shipping postage labels via their on-line store. Turn off Java script and the labels won't print. Although I don't use it, I suspect that QuickBooks' ability to print PDF invoices and email them probably uses it, too. I'm sure there are many more.

On Tuesday this week Adobe released a new version of Adobe Reader that changes the way that their update process works, allowing the user to decide if the updates should install themselves, without user-intervention. It does so by checking more frequently, and installing the updates automatically.

To protect yourself from threats, and reduce risk without losing functionality, download the latest version of Adobe Reader, install it and then reboot. Then go back into it and choose EDIT, PREFERENCES, UPDATER and make sure the AUTOMATICALLY INSTALL UPDATES is turned on.

Incidentally, there are a myriad of other programs most users install in Windows that also pose the same or greater risk, and are frequently not discussed nor updated. The first is Java itself. When you see the little reminder down near the clock asking if you want to update Java do so. The recent versions also do a great job at removing previous versions, which used to stay on the systems unless manually removed. These previous versions run about 110mb each and can end up taking up a lot of space. Unless you know you need to keep an old version for compatibility go ahead and remove them.

Once you have Java and Adobe updated, head to https://secunia.com/vulnerability_scanning/online/?task=intro to run a very good, free security scanner to check your system for insecure applications. The scanner uses Java so make sure you have Java loaded and updated first. If insecure programs are found it will tell you so, tell you where it found them on your system, and give you links on where to download updates for them, although you could also use your programs' built-in update feature. Get all your needed updates, then run the Secunia Scanner again until it comes up showing you're all updated with secure versions of the programs.

Lastly, subscribe to Secunia's FREE reminder service at https://secunia.com/vulnerability_scanning/online/reminder/ so they can remind you via email when they update their security scanner signatures as they learn about new vulnerabilities in programs. They do a much better job at keeping up with the exploits than even us seasoned security professionals.

 
Good points LDRydr

But Adobe has been scrambling to keep up with the exploits over at least the past year or two. Zero day exploits continue to plague them so much that their assertion to go to quarterly updates was soundly discarded by them before they could ever implement it. Just a few months ago (2/2010) there was an attack using a compromised Adobe Updater ( https://blog.damballa.com/?p=614 ) so that's not even a sure thing.

The use of PDF as an attack vector has become so prevalent that some agencies that work on government contracts (and thus work on confidential bids, etc.) have blocked the attachment and transmission of PDF files (entirely) within their internal e-mail systems. I've talked with their employees and they admit they feel hampered by such moves but understand the reason why their corporate heads took such measures.

Cross scripting in browsers (sending you to a different site than the one you think you've navigated to) is another big exploit. I've taken the advice of several security experts, gone to Firefox exclusively[1] and then use NoScript and Ad Blocker + to help block these kinds of exploits.[2]

[1] Knowing that no complex system can be 100% secure, we can choose the level of risk we are willing to take.[3]

[2] Even legit Google's context-sensitive ads have been exploited.[4]

[3] As motorcycle riders the concepts of risk management are familiar and educated choices something we do daily.[5]

[4] People have bought legit ad space through the ad dept, run a couple of legit ads, then (once they were in) inserted malicious scripts into their ad space that then pops up on innocent web sites.

[5] But it's the "educated" choice part that some people overlook. Knowing what the impact of doing (or not doing) can have and choose your own level of risk.[6]

[6] I don't see PDF files as being a justifiable vehicle for external program executions and script insertions. That's a change from their original intent that I choose not to allow. Others may choose differently.

> I just did this several times, going back before even exiting the program I see they reset themselves right back to where they were. WTH ?

I just checked and all mine stayed disabled.

--edit--

Here's something to consider.

If you have a program that you absolutely can't live without and can't find an alternate for (which uses these functions and breaks when you disable handing over control to unknown external sources), you should keep those programs limited to computers that are not also used to do things like on-line banking. Even more protection would be to run those apps from either a run-time boot OS (like a disc or thumb-drive version of Linux)[1] or run it from within a virtual machine which is then cleared at the end of the session[2].

[1] it would always boot clean from the write-protected media so no malicious code would survive the reboot.

[2] it would be sandboxed and contained within the boundaries of the VM; also killing any attack once the session is closed.

https://www.mxlogic.com/securitynews/web-se...-the-web500.cfm (56% of malware comes from spiked PDF files)

https://www.infoworld.com/d/security-centra...re-updaters-847 (March 25, 2010 - new attacks overwrite updaters)

 
I went back in, changed the Product Tampering settings in Norton to allow changes and it STILL rubber bands back to the original settings in Acrobat, but not while you're watching. Waits till you leave the screen to make the change back. I'm pulling the plug on Acrobat since it won't listen to me and acts sneaky, easy enough to get another copy when it's needed.

Back in Feb I had several attacks on my system that were traced through Acrobat which Norton stopped and notified me about. Maybe my Acrobat was still affected ?

 
Great ideas, thanks.

One question about the suggestions: If I am running Windows XP w/service pack 3, do I really NEED versions of programs designed for Windows 7, or even Vista?

Thanks,

Sportster

 
I'll have to look into this but I've personally never had a problem.

And setting up a separate OS or VM sessions is a bit excessive for home computer users.

Personally (and I've been in the IA business for 10 years), I believe and recommend to my users / customers that as long as you keep your IAVA's, security signatures, and software updates set to automatically update you will have no problems. Out of all the phone calls I receive for first time customers with virus issues, 9 out of 10 of them have these updates turned off or they are not using the correct tools to prevent an attack.

My repeat customers have rarely if ever called me about a virus and the only things I have ever done is set those updates to automatic and to ensure they have a good suite of security tools like McAfee.

But I'll definitely take a look at the Adobe thing.

 