The newest jailbreak for Apple's iOS platform has exposed a serious exploit that could allow a remote attacker to compromise the device. The vulnerability is present in all iPhones, iPads, and iPod Touches running version 3.1.2 and higher. The exploit doesn't even require any particular user intervention, just opening a malicious PDF document.
The user is just required to visit a web address in mobile Safari that will load a PDF document. The PDF contains malicious code hidden in a font. The font will cause a stack overflow, allowing the code to be run on the device. A hacker could conceivably do anything at that point, from deleting files to installing spyware in the background.
This is similar to an exploit early in the iPhone's existence that used TIFF images. But this time around there are many more iPhones in the world, so we expect Apple to take this pretty seriously. Users are cautioned to avoid any PDFs for the time being.
Adobe is no stranger to criticism. The company has consistently drawn flak for its piss poor security track record. In fact, it would be reasonable to believe that Adobe is inured to the constant castigation.
But it now seems to be making more serious efforts to plug the many holes in its software. Back in April, it introduced an automatic updater for its Acrobat and Reader products, giving it the ability to tackle critical security issues speedily. And now it has turned its focus to “sandboxing,” a security mechanism that involves running the concerned software in an isolated environment - the sandbox.
Initially, the new feature, dubbed “Protected Mode,” will only be used to sandbox “write calls.” But a subsequent update will also help stave off exploit code that tries to copy sensitive information from the user’s machine. “In the first release, everything that is involved in rendering a PDF has to happen within the sandbox.”
Adobe expects to have the next version of Reader ready before the end of the year.
M86 Security Labs released a list of the top 15 most observed vulnerabilities for the first half of 2010 and, surprise-surprise, Adobe Acrobat & Adobe Reader (No. 1) and Microsoft Internet Explorer (No. 2) took the top two spots.
It wasn't enough to just take the top spots; Adobe Reader and Microsoft IE overachieved (underachieved?) by claiming nine out of the 15 slots, with four of them belonging to Adobe and five to Microsoft.
The list also indicates a growing focus on exploiting Java-based vulnerabilities.
"Java is the next low-hanging fruit for attackers," says Marc Maiffret, chief technology officer at eEye Digital Security.
Up until now, Google has relied on the traditional browser plug-in model for PDF support in Chrome, but there are some downsides to going this route. Most notably, this path opens users up to compatibility, performance, and security problems, Google says, so the search titan has decided to take a different approach.
"To overcome [these problems], we've been working with the Web community to help define a next generation browser plug-in API," Google said in a recent blog post. "We have begun using this API to improve the experience of viewing and interacting with PDF files in Google Chrome. This mirrors our efforts to optimize the Adobe Flash Player experience in Chrome.
"Today, we are making available an integrated PDF viewing experience in the Chrome developer channel for Windows and Mac, which can be enabled by visiting chrome://plugins."
Google said that Linux support is on the way. In the meantime, users who enable PDF integration will see PDF files rendered seamlessly as HTML pages, the search giant said. Basic interactions will be the same as for Web pages, like zooming and searching, and PDF functionality will be contained within the security sandbox Chrome uses to render regular HTML pages.
Windows can do a lot of things out of the box -- play music and videos, browse the Internet, and back up software, to name just a few -- but Microsoft should add a PDF viewer, a security researcher argues.
Sullivan was referring to the advanced features found in third-party applications, such as Adobe's Acrobat reader. But some of those features have opened Windows users up to virus attacks. According to McAfee, PDF exploits were up more than eight times in 2009 compared to 2008, and that trend is continuing so far in 2010.
"Your customers are tired of the exploits and the complications that so many of today's PDF readers include," Sullivan wrote in an open letter to Microsoft.
PDFs. Why do we use PDFs? It's a question I've asked myself time and time again during the following scenarios: my default PDF reader crashing my browser whenever I erroneously click on a link to the blasted extension, an image- or page-packed PDF consuming all of the system resources on my work machine, and while I'm spending extra time to convert a perfectly likable file (.doc) into a new format that's compatible with even more people. At least, I think that's the reason.
But really, though, why do we use PDFs? Perhaps it's the wrong question I should be asking, however. Sad to say, PDFs are here to stay. And I must confess, filling out a PDF form has a certain elegance to it (and built-in digital signature support) that you just can't find in a standard text file or Word document (or OpenOffice.org document).
So instead of asking ourselves how we can rid the world of PDFs, we should really be thinking about the various ways we can improve our interactions with PDF files. That's where this week's Freeware Files comes into play. I'm going to show you five freeware or open-source apps that'll hopefully ease the burden you face when you're trying to manipulate this quirky file format. As well, I'll show you a few more features and tricks you can use to turn your own PDF routines into nothing short of a master class.
It's only fair that Google's browser, Chrome, use a Google-based service in this week's extension of the week. The name of the add-on is Send to Google Docs, but you don't need to be a rocket scientist to figure out the ins and outs of this little tweak.
I was originally scanning around for an interesting way to tweak the functionality of a PDF in the Chrome browser. In stumbling across Send to Google Docs, I was intrigued by the solution: Rather than simply sticking more save options onto the download bar, Send to Google Docs gave a far better deal.
It's kind of annoying to have to wade through a bunch of PDFs on one's hard drive. Depending on your reader of choice, clicking through PDF after PDF can eat up a lot of system resources... and a lot of time. Why not just stuff these files in the cloud and let Google's speedy rendering engine take care of the rest? Or, better yet, allow Google to convert these PDF files into a format that can be edited straight through Google Docs itself?
Or, to be specific, I hate pulling up PDFs in my browser. No matter the reader or the complexity of the file, something invariably goes wrong whenever a PDF file crosses over the barrier between Internet and desktop. Unless you have a sharp eye for what you're clicking on (or a helpful icon to guide your path), you always run the risk of accidentally slapping a PDF into a new tab whenever you're surfing around in the ol' Firefox browser.
PDFs by themselves aren't evil. And sometimes you'll want to actually open a PDF via Firefox instead of taking the extra time to download it to your desktop and open up a reader. What Firefox lacks, in this regard, is control--ways to separate a unique PDF download from the typical bevy of files you grab on a daily basis.
Thankfully, there's an add-on that fixes that right quick.
Both Foxit Software and Adobe Systems are looking at ways of warning users about a new PDF attack threatening system security. Didier Stevens, an IT consultant with Contraste Europe, discovered the vulnerability, which entails getting PDF viewers to automatically execute embedded executables when the PDF file is opened.
"After receiving word of a recent security concern, the Foxit development team immediately looked into the issue, confirmed the risk and resolved the situation quickly," the company told eWEEK in a statement. "Foxit expects to release a new version of Foxit Reader with this fix on April 2, 2010.
"To address the specific problems outlined, Foxit has added a warning dialog box that will pop up when a PDF file is opened with Foxit Reader, asking the user to agree to execute or not," the company continued. "This solution adds a layer of safety yet maintains Foxit Reader’s compliance with current PDF standards."
Adobe already has a warning box in place, but Stevens claims there's a way for hackers to partially alter the dialog. According to eWEEK, Adobe is discussing the potential threat but didn't say if it would take any further precautions.
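As an added example (not code from any of the articles digested here, nor from the researchers or vendors named), a small Python triage script of the kind PDF analysts use to decide whether a file deserves a closer look. It counts the PDF name objects tied to the two issues above: the automatic execution of embedded executables behind the Stevens finding, which in PDF terms is a /Launch action fired through the document's /OpenAction, and embedded font programs (/FontFile), the carrier in the iOS font bug. It also resolves #xx-escaped names and inflates Flate-compressed streams, two places where a plain grep for "/Launch" comes up empty. The sample PDFs are constructed for this demonstration, and the indicator list and findings text are my choices.

```python
import re
import zlib

# Name objects worth counting. /Launch and /OpenAction are the pair behind the
# auto-execution issue described above; /AA, /JavaScript and /JS are other
# auto-run hooks; /EmbeddedFile carries attached payloads; /FontFile* marks an
# embedded font program handed to the viewer's font parser. Embedded fonts are
# common in benign files, so they are counted for triage rather than flagged.
INDICATORS = ["/Launch", "/OpenAction", "/AA", "/JavaScript", "/JS",
              "/EmbeddedFile", "/FontFile", "/FontFile2", "/FontFile3"]

# A PDF name token runs from '/' to the next whitespace or delimiter character.
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
# Names may hex-escape any byte as #xx, e.g. /L#61unch is the same name as /Launch.
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Stream bodies; Flate-compressed ones hide names from a naive text search.
# Only Flate is handled here; other filters and object streams need more work.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def normalize_name(raw: bytes) -> str:
    """Resolve #xx escapes so obfuscated names compare equal to plain ones."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def inflate_streams(data: bytes) -> bytes:
    """Return the concatenated plaintext of every stream that zlib can inflate."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates the trailing newline before 'endstream'.
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed (or damaged); its raw bytes are scanned anyway
    return b"".join(out)


def scan_pdf(data: bytes) -> dict:
    """Count indicator names across the raw file and its inflated streams."""
    counts = {name: 0 for name in INDICATORS}
    for m in NAME_RE.finditer(data + b"\n" + inflate_streams(data)):
        name = normalize_name(m.group(0))
        if name in counts:
            counts[name] += 1
    return counts


def risk_assessment(counts: dict) -> list:
    """Translate counts into the findings an analyst would want to see first."""
    findings = []
    if counts["/Launch"]:
        findings.append("launch action: document can start an external program")
    if counts["/OpenAction"] or counts["/AA"]:
        findings.append("automatic action: something runs on open without a click")
    if counts["/JavaScript"] or counts["/JS"]:
        findings.append("embedded JavaScript")
    if counts["/EmbeddedFile"]:
        findings.append("embedded file attachment")
    return findings


# Constructed samples (not real-world files). The second hides the launch action
# behind a #xx-escaped name; the third hides it inside a Flate-compressed stream.
SAMPLE_BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /Font << /F1 4 0 R >> >> >> endobj
4 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

SAMPLE_OBFUSCATED = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
5 0 obj << /Type /Action /S /L#61unch /F (placeholder) >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

_HIDDEN = zlib.compress(b"5 0 obj << /Type /Action /S /Launch /F (placeholder) >> endobj")
SAMPLE_COMPRESSED = (b"%PDF-1.5\n6 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
                     + str(len(_HIDDEN)).encode() + b" >>\nstream\n" + _HIDDEN
                     + b"\nendstream\nendobj\n%%EOF")

if __name__ == "__main__":
    for label, sample in [("benign", SAMPLE_BENIGN), ("obfuscated", SAMPLE_OBFUSCATED),
                          ("compressed", SAMPLE_COMPRESSED)]:
        counts = scan_pdf(sample)
        print(label, {k: v for k, v in counts.items() if v}, risk_assessment(counts))
```

The point of the two evasions in the samples is that a detector keyed on the literal bytes "/Launch" sees a clean file in both cases; the Foxit dialog described above sits at the viewer, so a gateway or mail filter that wants to catch these documents before they reach a viewer has to do the same name normalization and stream inflation the viewer itself performs.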
If you had asked us what electronic device had no business running a multitouch display, we’d have said eInk-based ereaders. Apparently, we don’t know what we’re talking about, because the Bookeen Orizon is an ereader with a multitouch screen. Why? So you can adjust the zoom level. No one wants to use buttons for that, right?
The Bookeen Orizon will be out in May and will retail for $250. When the current price of a Kindle or Nook is just a bit higher, they must really be banking on people going crazy for the multitouch. The screen is 6 inches and the device will come with 1GB of built-in storage. There’s no book store for this product, but it supports whatever ePub files or PDFs you’d like to put on it.
Even if you don’t need an integrated book store, why get this over a Sony reader? Is anyone really hankering for multitouch zooming on their ereader?