why did adobe reader just try to modify the user interface of antivirus/firewall

Hello, I just went to (MAYBE DON'T CLICK) http://img1.artprice.com/pdf/trends2007.pdf, and Adobe Reader tried to modify the user interface of Windows Explorer, Comodo Firewall, Avast antivirus and PeerGuardian. What's up with that?

Obviously I blocked it (I hope).

edit - Just scanned the pdf at VirusTotal, didn't find anything. Yeah, I'm pretty sure it's nothing at all to do with the website.

A pdf? Only those applications that it tried to modify?

Shouldn't happen. Be advised that there are new PDF attack vectors on the Internet, and the virus scanners don't recognize a lot of them at this time. You may well have tripped over such an infected PDF. I'd suggest submitting the file to Comodo (in CFP, click Miscellaneous, then Submit File).

Hmm. It won't let me submit pdfs, I think. The site and file seem okay to me, anyway. But I will submit it if you can tell me how to upload a pdf.

Bit dodgy, though, don't you think? If I were a betting man, I'd blame Adobe over that website. Any day of the week. One thought that crossed my mind was that the actual Adobe Reader program attempted to modify the user interfaces of these programs. Any chance of that?

Also, what would modifying the user interface allow the program to do, out of curiosity?

oh yeah, it tried to modify csrss.exe too. And firefox.

edit - I got it to repeat with that file, but it only happened when I clicked a picture in the pdf. The picture has a hyperlink to Flickr. Why would clicking a picture link result in attempts to modify the user interface of these programs?

I’m gonna try it with other pdf picture links and see what happens for a bit of a laugh.

It’d make sense only if the applications listed had something to do with using a pdf. An antivirus program is a maybe, for some kind of scanning purpose. CFP doesn’t do anything with a pdf. To my knowledge, neither does PeerGuardian. The Adobe folks would more likely write code to hit their respective plugins, or a global hook, but not an application-by-application basis.

There was a posting a couple of days ago at the SANS Internet Storm Center describing how to scan a PDF for embedded scripts. I haven't had time, and likely won't today, to check your link to see if there is anything atypical.

I just ran adobe updater, which attempts to “access in memory” firefox, my antivirus, peerguardian, smss.exe, csrss.exe, svchost, lsass, services, winlogon, obtains shutdown privilege…

To the best of my knowledge, there are no viruses or trojans of any kind on my computer. I have done scans with Avast, Kaspersky online, MWAV. HijackThis shows nothing funny. IceSword finds nothing. There are hardly any programs on my computer. Windows (XP) is fully updated.

An updater I can kind of understand.

It occurs to me that there is a way to probably check things to see if that pdf is actually trying to do anything.

That would be to change the CFP Defense+ setting to Paranoid mode (okay, yes, I'm a little on the paranoid side), and then open up Adobe Reader on that pdf. Then walk thru all the alerts that come up to see what happens. If it does anything like trying to run other (and unknown) apps, or reaching out to the Internet, then there is a problem. Your machine sounds like it is secure enough to withstand a hit, especially one in slow-motion. It would be a definitive check. I'd also suggest doing it with a limited user account, and not with admin privileges, just in case.

Paranoid mode?! I'm so paranoid it's unreal! Maximum paranoia! You know, when I go on the net, it feels like a fight. I don't leave my computer. I look through the registry when I shut it down!!! I do virus scans of some sort at least once a day! I don't even plug the modem in until everything's going and I've checked that the firewall and antivirus and all are running.

So yes, it’s in paranoid mode…Permanently.

Administrator privileges?!?!?!?!?!?!

Very funny…

Updater connects to the net, it connects to adobe’s scabby website. But it still tries to “access” all those services and programs, even when it’s not trying to read a pdf at all.

Anyone else want to try running adobe reader/update to see what happens to them in paranoid mode? I can go and “chat” with their support forums then…

Seriously, it seems to do it on every pdf that contains a hyperlink. Click the hyperlink, and it tries to modify the user interface of those services/programs.

Yes!!! :BNC You just make me a very happy grue.

Inquiring around strikes me as being a good thing to do. Hopefully getting answers from someone a little more clued than I am. I suspect there are tools available (on Windows machines, and not *ix/BSD boxes) that can do the equivalent of disassembling a pdf and finding out what’s inside. I just don’t know what those tools are.
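
A crude way to do what the ISC posting mentioned earlier and the question above are after (look inside a PDF for embedded scripts, automatic actions, launches and link targets before trusting it), as an added Python example that is not from this thread or from any tool it mentions; dedicated tools such as pdfid and pdf-parser do this far more thoroughly. It assumes the sample PDF (SAMPLE_PDF, constructed here with a made-up example.invalid link) and only handles FlateDecode streams and #xx name escapes.

```python
import re
import zlib

# PDF name keywords that mark scripts, automatic actions, program launches,
# clickable links and attachments: worth knowing about before a reader acts.
SUSPICIOUS_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                   b"/Launch", b"/URI", b"/EmbeddedFile", b"/RichMedia")

def _normalise(data: bytes) -> bytes:
    """Inflate FlateDecode streams and undo #xx name escapes (/J#53 -> /JS),
    so keywords hidden by compression or name encoding are still seen."""
    extra = []
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed (or damaged); raw bytes are scanned anyway
    text = data + b"\n".join(extra)
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes.fromhex(m.group(1).decode()), text)

def scan_pdf_bytes(data: bytes) -> dict:
    """Count each suspicious keyword (a name must end at a non-letter, so
    /JS is not also counted inside a longer name such as /JSomething)."""
    text = _normalise(data)
    counts = {}
    for key in SUSPICIOUS_KEYS:
        n = len(re.findall(re.escape(key) + rb"(?![A-Za-z])", text))
        if n:
            counts[key.decode()] = n
    return counts

def link_targets(data: bytes) -> list:
    """Return the URL strings behind /URI link actions: what a click opens."""
    text = _normalise(data)
    return [u.decode("latin-1") for u in re.findall(rb"/URI\s*\((.*?)\)", text)]

# Constructed sample: a one-page PDF whose only feature is a link annotation
# to an external site (the hex-escaped /U#52I exercises the escape handling).
SAMPLE_PDF = (b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 100]\n"
    b"   /A << /S /URI /U#52I (http://example.invalid/photo) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    print(scan_pdf_bytes(SAMPLE_PDF))   # {'/URI': 2}
    print(link_targets(SAMPLE_PDF))     # ['http://example.invalid/photo']
```

A hit on /URI alone only means the file has clickable links, as the Flickr picture link did; /JavaScript, /OpenAction or /Launch are the ones that deserve a closer look before the file is opened in a full reader.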

I am 99% sure that it has nothing at all to do with any particular pdf. Foxit Reader does not try to modify jack ■■■■■ when I open this same pdf. I click the hyperlink, it executes Firefox, hip hip frickin' hurrah.

I am, however, 110% sure that Adobe are a shower of tosspots. Adobe Reader tries to modify critical system and security programs, all by itself, with no pdfs or any other file loaded. Unless I am wrong, and this would probably involve some sort of man-in-the-middle attack downloading a fake version of Adobe Reader from the official website, this program alone is responsible for my concerns.

Try it and see!

Oh, and I’m glad that my approach to computer security amuses you. Cheers for all your input, by the way!

If Foxit passes it, I’m much more inclined to believe all is okay. I don’t know why I hadn’t thought of that earlier.

Regarding Adobe… I haven't tried it yet, but I've heard very, very unkind things about the just-released Adobe Reader 9, and all the marketing stuff with it (try our spiffy new whatzit which we just installed for your convenience). Details at the SANS Internet Storm Center.

On computer security, you’re one of the few people I’ve encountered who’s doing things seriously right. Thank you! I’m a LAN/email admin on dayjob, and the amount of spam and junk hitting the site firewall has long ago ceased to amaze me. Keep doing what you’re doing. Speaking for the dayjob site server, it’s appreciated.

“On computer security, you’re one of the few people I’ve encountered who’s doing things seriously right”

- it's amazing what you can learn in 12 months. A year ago, I was just riddled with viruses and spyware. I thought that when you close a web browser, you're not on the internet anymore. Oh dear!

Anyhow, I'm gonna try Foxit for a while. I think I'll wait for tomorrow before I bombard Adobe (or at least their long-suffering user-to-user forums) with complaints, insults and vitriol. Thank you for your help!

I've been using Foxit for a while now and love it. Loads in seconds. It's literally 20 times as fast as Adobe and only has an install of 13 MB.

Is Foxit better than Adobe? If so I will get it :BNC And do I need Adobe anymore if I use Foxit? If not, am I free to uninstall Adobe? Thanks all.

You do not need 2 PDF readers.

Thanks, I will use Foxit.

Anyone tried this out yet? (That is, Adobe Reader with Defense+ in Paranoid mode, then try an update or click a hyperlink in a pdf?)

And, does anyone know how to get Foxit to open PDFs within Firefox?