PDF Virus Spotted 244
Jethro73 writes: "Adobe's popular PDF file format [...] has generally been considered immune to viruses. But a new virus carried by programs embedded in PDF files raises concerns that the format itself could become susceptible. Read about it here and at coderz.net."
Did Sklyarov write this virus? (Score:1)
What about a good book ? (Score:1)
Damn i am lame.....
Paying for viruses? (Score:2)
So, when you pay for the enhanced version of Acrobat, you get infected. It should be the other way around... Adobe just doesn't understand business (as MicroSoft does).
(Disclaimer: a bit of sense of irony and humor is required prior to moderating this post).
Does anyone actually *read* these before posting? (Score:1)
But the way this story was posted, it sounds like every PDF you view has the capability to infect your computer.
Oh, shoot. (Score:2)
On the other hand, a few points are worth noting:
I use Acrobat, but under the Macintosh, so I am safe.
On the other hand: "[...] Adobe doesn't currently plan to prevent VBScript or other files from running."
I say this is just another reason to boycott Adobe [boycottadobe.org]! It's just turning into another Microsoft.
I also think the XPDF programmers should add security features to their (excellent) software, as well.
Just my US$ 0.02...
Re:Oh, shoot. (Score:2)
A PDF virus? (Score:3, Insightful)
If that is the case, then practically any program that can embedd other files is suddenly going to be flagged as having a virus, when in reality, its just the same old software (VB and VBS) causing the same old problems (reading outlook email addresses and so forth) ...
Or am I missing something?
Re:A PDF virus? (Score:2)
the grammer nazi would have a field day with you.
a virus is (from www.whatis.com): A virus is a piece of programming code usually disguised as something else that causes some unexpected and usually undesirable event. A virus is often designed so that it is automatically spread to other computer users. Viruses can be transmitted as attachments to an e-mail note, as downloads, or be present on a diskette or CD.
its just the same old software (VB and VBS) causing the same old problems
dude, VisualBasic and VBScript are programming languages. Using your logic, you could have one hell of an argument against C or assembly language from the good ol' days. It just so happens that these programming languages allow relatively inexperienced coders to write some powerful stuff
Re:A PDF virus? (Score:2)
I hate to see what the spelling nazi would do to you.
Re:A PDF virus? (Score:2)
In other news.... (Score:1)
According to virus expers, the Rotten virus compromises the security of the PDF format by replacing each letter with one thirteen places from it in the alphabet.
Re:In other news.... (Score:3, Funny)
Not a problem (Score:2)
Don't even disinfect your PDF's (Score:2)
The same mistake (Score:1)
wow... That's the second company who'd rather have visual basic support then protection... and the first one owns a monopoly...
I have to wonder how hard it would be... I mean, can't they at least have default support for that sort of embedded automated stuff turned off? That way, the huge majority of people who use Acrobat would have no problem, which would prevent the virus from spreading at a significant rate...
Why don't they just turn support for embedded stuff off, by default, and have a simple switch/notification system to allow it to be easily reenabled?
Re:The same mistake (Score:2, Informative)
Adobe has a "monopoly" too, walled off by patents ... it's just that it's on PostScript and PDF so it isn't as noticeable. They're going to get more agressive defending it too.
My other posts [slashdot.org] explain it all ;-)
rot13 (Score:1)
PDF Virus Spotted. Spotted? (Score:1, Offtopic)
What have those virus writers done NOW?
"PDF Virus Spotted". Spotted? SPOTTED?!? What's next? Stripes? Or, shudder, PLAID?! :^)
And you can thank... (Score:5, Interesting)
When people start applying the KISS principle judiciously, things will get a whole lot safer.
Re:And you can thank... (Score:5, Insightful)
Re:And you can thank... (Score:5, Interesting)
And all of those things could be achieved with an online form, processed and verified on the backend that the administrators have *FULL* control over. Have you ever written a javascript 'application?' Did you know that the '+' symbol is used for both string concatanation and for addition? And usually, javascript will pick the wrong operation : 2+2='22', for example. Yeah, that's how I want my tax information calculated, NOT!
This is almost the same shit I just had to go through with Pennsylvania's braindead online unemployment comensation registration. They did EVERYTHING as a FSCKING javascript/ActiveX client side app. UGH! It is so broken that I ended up just downloading a text form from the web site and faxing that in.
Can someone please explain to me why anybody, ESPECIALLY A GOVERNMENT AGENCY, would write things so heavily dependent on client-side tools?
Below is the letter I wrote to them:
Re:And you can thank... (Score:3, Informative)
Throughout all of this, the data is NEVER sent to any server at all. The agency is still requiring a printed copy of the filled out form. Keep in mind that in many cases, these forms are published by a government agency to be submitted to folks other than the agency itself. Prime example: the US W-4 form for income tax deductions from a paycheck. The form is submitted to the employer. The IRS makes up the PDF form and you fill it out and give it to your employer. The IRS isn't involved other than providing the proper form.
As far as having built a Javascript 'application', yes I have. Not relevant to the discussion. The original post attacked not the implementation, but the very idea of Javascript in PDF. Your attack on Javascript has to do with a poor implementation in Javascript. I don't care what scripting language is used, the concept is valid and that's what I was defending.
Improper implementations of a concept do NOT invalidate the concept itself. The concept must be evaluated on it's own merits.
Lowest Common Denominator: AOL on Windows 95 (Score:2)
Adobe, will you please make it so our forms can be filled out with typewritten information by our users before they print it? Sure. Adobe Acrobat forms are born. Then the agencies start to notice that when the form requires the same information in several different places, people are mistyping it in one or more. Hence the Javascript in PDF.
That's all relevent, and I would stop just short of calling it a feature creep.
But, on the other hand, on a government webpage, the mandate of which being to bring make government services more accessible, shouldn't they stay with simpler, more reliable, and better supported mechanisms?
Maybe I'm unclear, but how does Acrobat get the information back to the PA gov't? Do you *fax* the form back, meaning that the unemployed dude has to have both a fax and a computer (or at least a computer and a scanner)? Remember, unemployment services will have a broad sector of people using it - not all of 'em will be computer geeks who have a scanner/fax handy.
The other option: does Acrobat have the mechanisms to send the information back to the server? Is it encrypted? That'd be fairly personal information to be going across the wire.
Acrobat isn't supported in a default Windows install. And, let's face facts, the lowest common denominator is AOL on Windows 95. While my mother has a real dial-up connection, she's at brower and e-mail only sophistication. She called me because someone sent her a PDF file, and had no idea what it was. I led her through downloading Acrobat Reader, but she got so frightened by all the installation options that she gave up, despite me telling her, "Mom, just click OK".
The only thing I can think of to provide that level of functionality would be a good old HTML form. IE 2.0, which shipped with NT 4.0, supports it. The biggest hurdle is at least 56 bit encryption - what generation of browser started to include that by default?
Bells and whistles are good, when they work. But, again, the cross-section of users *who are paying to use this service* (after all, it's *their* tax money) should be able to make use of it. Truck Driver Joe might not know anything outside of his small, clearly-defined AOL prison cell.
Inside the mind of government... (Score:2, Insightful)
...it's very dark.
But seriously, here's my diatribe on government internet projects (from the trenches).
The main reason that government on-line projects suck is because they want to deliver their services on-line and they don't have the in-house talent to make it so. (How many webmasters YOU think are in the building department of a medium-sized city? The answer is: ZERO)
So, the well-intentioned civil servants hire computer consultants. Sometimes the consultants are teen-aged webmasters that work for peanuts and they positively rock! But sometimes governments hire consultants. Usually these projects have high ideals but are woefully underfunded. This means that the consultants, in order to come under budget, don't have time to effectively review the problem domain.
Do we know where this is going? Yep:
If the consultant is particularly unethical they will say (after the project is out of cash) that they're just working on a 'prototype' and that more money would be needed in order to deliver what was originally promised.
In a climate like that, it's a miracle that any of these Government projects get completed. Sometimes the client falls for it... Repeat until sickened... diatribe off...
Re:And you can thank... (Score:2)
Re:And you can thank... (Score:2, Insightful)
Really, leaving back doors (ability to run scripts) to allow doing things creators didn't know/have time to implement is a very very VERY bad idea.
Alternatively, if you really think it isn't all that bad idea (which, by the by is bad idea in itself), then at least make the scripts run in a sandbox a la Java's applet sandbox. Let them be able to modify document structure, but not modify local file systems (for example).
(posting as on AC since writing from a public terminal)
That's amazing. (Score:4, Funny)
Also, it's high time that PDFs came with their own e-mail client so I don't have to go through the pesky details of saving and attaching and that horrible rigamarole. And a web browser so I can go fact-check or check m-w.com before I'm done.
I demand these features in PDF. Just because no one needs them and other applications already do them doesn't mean they shouldn't put them in... right?
Re:That's amazing. (Score:2, Interesting)
Re:That's amazing. (Score:2, Funny)
... And a virus checker
Re:And you can thank... (Score:2, Informative)
As far as Javascript in PDF not manipulating the PDF itself, I quote from Adobe's docs on Acrobat Forms Document Model,
2 words: (Score:2)
Electronic Workflow.
Dynamic PDF stuff is *necessary* for those of us writing workflow applications in industried (e.g. financial services, insurance) where the complexity of forms requires lots of dynamic calculation and database interaction and the regulatory requirements all but make sure we cannot deviate from existing paper forms design. Plus, eventually we must produce documents for customers to sign, and to be archived, and to be audited, so PDF is the best choice.
Yes, for many industries the JS/ODBC stuff is unnecessary (and, if you'll notice, this bug only affects those with full acrobat, not acrobat reader), but for others it's critical.
Re:2 words: (Score:2)
Buzzzzzzzzzz! WRONG ANSWER.
Before you reflexively hit the "reply" button, consider that I implemented just this sort of complex form application with lots of dynamic calculation and database interaction, and I don't get even CLOSE to PDF until it's time for the user to print the document...then my web site sends the PDF document (sans attachments, active scripting, whatever) to the Web browser for printing.
Isn't Excel usually the choice for this sort of thing?
credit where credit is due please (Score:2)
Peachy is named after a small game in a PDF file that involves finding peaches, Gullotto said. According to a person called Zulu, who said he wrote Peachy, showing the solution to the game runs a VBScript file.
Yes, this is another VBS exploit, and java does not desrve your FUD. New features have their place, VB and VBS don't.
Re:Dissecting PDF to fix it is ILLEGAL! Ask Dimitr (Score:2, Insightful)
Re:Dissecting PDF to fix it is ILLEGAL! Ask Dimitr (Score:2)
Let's say that the XYZ Automobile Corporation knowingly uses cheap, sub-standard components in their brakes. A bunch of people die. XYZ issues a recall. Before you manage to fit a trip to the XYZ dealer to handle the recall (the 12th since you bought the car) into your busy schedule, your brakes lock up and you die a horrible fiery death.
Is XYZ Automobile Corporation responsbile? Can your grieving survivors sue their corporate asses off? I should hope so. The determining factor is not the recall, it's that they knowingly used sub-standard components.
M$ has some smart developers working for them. The fact that they continually turn out insecure crap is not due to ignorance or inability on their part; it's a conscious business decision to attempt to maximize their profits by fucking over the end user.
Buffer Overflows, Kernel Patches, & Fucking Trolls (Score:2, Insightful)
Can you name an OS that has
BTW, does your favorite OS distribute fixes that can patch the currently executing kernel in memory without taking the system down, in the event of a kernel bug?
The problem, for the billionth time, is not Microsoft (at least not this time). The problem is the clueless fucks who are trying to admin these servers. "24/7 environments"? You're a moron. Any environment that wants to be 24/7 damn well better have high availability and redundant machines that can cover when one goes down. You can put off a patch+reboot but can you put off a disk crash? What about someone using the hole you put off patching to compromise the machine and eat your data?
There ought to be a strain of Code Red that just fucking kills the admin who left the machine vulnerable to it, or at least puts in a pink slip for him.
Re:Buffer Overflows, Kernel Patches, & Fucking Tro (Score:2)
Oh, you shouldn't hoist yourself that far above the rim of the foxhole, you're such a tempting target...
By the way, the answer to your question is that there are several operating systems that let you fix problems without bringing the whole machine to its knees. My very first OS, IBM System/360 MVT, let you change all sorts of stuff "on the fly," including supvervisor call modules -- all you needed to do was down the services affecting the change. Most of the reboots were due to running critical utilities that required that OS MVT be shut down completely to performanc regular maintanence, such as -- wait for it -- disk pack defragmentation.
There were a number of embedded systems in which the majority of the services were disk-resident, being loaded and run on request or on demand, depending on the complexity of the system. Even device drivers (except the hard disk and the console) were loadable modules.
Which leads to the answer that most of you were expecting, but were wondering when I would get to it. Linux has moved to loadable modules for many, many kernel functions, and I expect that the trend will continue rather than abate. The original move to kernel modules was to relieve the strain of building very, very large monolithic kernels for workstation and server environments. The current trend is to let package distributors include everything under the sun, and let the user (or the system, when it is smart enough) load the right module on demand.
I look forward to the day when the only thing that is part of the base kernel is...the console and the disk driver.
Call it what it is, a Microsoft Virus (Score:1)
All it takes is to run vbscript in a sandbox!!! Don't divert the blame for this thing from the root cause.
Embedded files in the PDF (Score:2, Informative)
- have an immediately viewable, printable representation of any archived document, accessible to whoever we want it to be over the web, and
- have almost instant access to the native application files that created the document, in case a file must be modified or updated. Like the Pagemaker file, graphic images and fonts.
The feature really functions not much differently than, say, using WinZip to compress files into an self-extracting archive. Decompress anBut really, it shouldn't be that difficult for Adobe to put a little option on the feature to disable vbs access, should it? As far as I can tell, there's absolutely no vbs out there that should need a viewable, printable PDF mother file.
Don't try to figure this out!!! (Score:2)
I say, if this threat is real, let Adobe wallow in it until they rot: At least ten times as long as the innocent victims [slashdot.org] they try to fuck over.
--SC
Some thoughts... (Score:2, Interesting)
If pdf's are supposed to be cross-platform and portable, then wtf are they putting executable code in them?
Isn't the whole idea of using pdf's to avoid using word documents and the associated risks?
And doesn't the article say "including everything from the VBScript programs--used in the LoveLetter virus--to an actual executable program"? Doesn't that mean that it's not a VBS issue, rather the design of Acrobat?
Right, nothing for it but to let adobe know your thoughts. email adobe with product improvement suggestions! [adobe.com] - like remove the ability to include executables. If Adobe don't do something about this, then they have lost their competitive advantage as a document format.
Re:Some thoughts... (Score:1)
I send you this pdf... (Score:5, Funny)
Related CNet Story (Score:4, Informative)
From the support desk (Score:3, Funny)
Please ignore anything we may have said about 'Safe file attachments'. In fact, do not open any of your e-mails, ever again, and, to be safe, just stay in bed.
Thanks
Re:From the support desk (Score:3, Funny)
Bah (Score:2, Troll)
However if there is a PDF virus it'll probably just take advantage of a buffer overflow problem in the Windows version of Acrobat Reader. Use Linux (and use Python) and you should have no problem.
Re:Bah (Score:2)
(gulp) This should raise some concern, no?
Use Linux (and use Python) and you should have no problem
wheh! I got worried there for a second...I can already see the hords of people downloading the latest distro's to avoid a potential
Postscript is a complete language (Score:4, Interesting)
But make no mistake - it would not be hard to define an extension which allows PS functions to call native libraries. This is the type of extension that could be easily added to support some purpose, without consideration of how this will increase the risk of a viral load.
Finally, to ask the obvious question of why you would do extensive programming in PS, the reason is simple - it allows your file to adjust itself to the printer. E.g., you might have a file which contains meteorological information on a map. If you print the file on a standard printer you get two dozen reports. But if you print it on a large format printer, you get 4x as much information because the file knows it can push additional information onto the map. Or you might get basic information on a monochrome printer, and additional information on a color printer where you can provide visual distinction between the layers.
In some limited cases, you can even have the PS file compute its own content. I've seen that done with some fractal graphics - you might send a <1k file which causes the printer to sit and think for an hour. Great stuff for confusing MCSEs - the print queue says it's printing a 1k file, but it's been churning away for looooon time.
Re:Postscript is a complete language (Score:2, Interesting)
Lack of I/O facilities means you couldn't create a postscript file that could replicate, but you could still potentially cause a bit of havoc. For example, create a postscript file that uses the random number generator to either print an amusing poster (99.9% of the time) or print several pages of dirty pictures (0.1% of the time). People will print the amusing document, send the file to all their friends, and eventually someone will get into trouble.
Postscript virus (Score:2)
Actually, yes. About ten years ago there was a postscript virus that Did Things to printers. I forget how it worked (it was 10 years ago) and, IIRC, it wasn't very dangerous. Spread through .ps files that accompanied some shareware as I recall.
Re:Postscript virus (Score:4, Insightful)
There's some info about it here. Was apparantly quite nasty on some hardware, as it changed a password that required an EPROM replacement to correct. This might have been more a "trojan" than a "virus", as I didn't find any references to it spreading itself (just that it could be a payload in clipart or other EPS files).
http://catless.ncl.ac.uk/Risks/10.32.html#subj1 [ncl.ac.uk]
ftp://ftp.minolta-qms.com/pub/cts/out_going/dos/p
http://www.sevenlocks.com/password/pspass.txt [sevenlocks.com]
I thought that there was also something a few years ago where viewing a postscript file could alter files on your local machine (buffer overflow in a particular viewer program, unsafe default security settings, or something). However I couldn't find any information, so I might be mis-remembering.
Re:Postscript virus (Score:1)
Also, look at www.this.net/~frank for a description of ``Akira'' a project to study and provide a solution for that sort of thing.
NeXT did provide an option to turn off the public windowserver though, as well as to run
William
adobe strikes again (Score:3, Insightful)
I noticed this:
"But Adobe doesn't currently plan to prevent VBScript or other files from running."
And the first thing that comes to mind is "gosh, what a totally stupid policy." All they have to do is NOT pass executable data to the script software...
Who even needs a way to execute scripts OF ANY KIND in a
On another closely related hand, Isn't it great that we can get Outlook macroviruses with out even opening the attachent in outlook? Just think of the thousands of stupid office workers who are going to start spreading macroviruses without even realizing it... Teaching them not to use attachments in OUTLOOK has been hard enough.. to cope with Acrobat as well?! Damn near impossible....
*sigh*
...and whoever cracked this virus is heading to ja (Score:2)
The password for changing the security options of the PDF file is "OUTLOOK.PDFWorm"
So somebody's cracked the PDF format, and is now distributing a method of circumventing copy protection on a popular document. This is, of course, a federal crime under the DMCA. I'd advise whichever security expert figured this password out to flee to the safety of Russia immediately.
Re:...and whoever cracked this virus is heading to (Score:1)
What this means is that virus scanners will now need to "reach inside" PDFs to scan encapsulated files. But what -- as I'm sure our Russian friend Dmitri would ask -- if the PDF is encrypted? Wouldn't the virus checker have to defeat the encryption to see the encapsulated file? And would it be an illegal "circumvention" mechanism if it did?
--Brett Glass
I think Brett raises a very good point here.
Only in Acrobat (Score:2, Insightful)
Not worried (Score:4, Informative)
I don't own Acrobat, and I never will. I have other ways of creating PDFs which are cheaper. Most people don't have Acrobat. Most never will. This virus, thus, can't get far.
I worry (Score:2)
Re:Not worried (Score:1)
It's nice to be able to produce the things from a Java Servlet dynamically.
Re:Not worried (Score:2)
Re:Not worried (Score:2)
Of course, I believe everything will be stroked this way (instead of using postscipts built in fonts and positioning), and the file could get kindof big, but it does work. I'm doing this with my resume at the moment.
Re:Not worried (Score:2, Informative)
Ghostscrip can create PDF files, and is availabe for Windows and Unix. I believe Word Perfect 2000 also had export to PDF abilities. (To create a pdf file with ghostscrip in Windows, you first need a PostScript file. You can create one by installing a PostScript printer driver and configuring to to print to disk.)
Re:Not worried (Score:2, Informative)
On UNIX or Linux, generating a
Sort of... (Score:1)
I have downloaded numerous postscript files over the years and it always amazed me that even though I had a substantial installed base of Type 1 fonts, they were not being used whenever I converted a
The
\usepackage{ae}
in the top-level tex file. Perhaps one of the strangest things I have ever seen is that this line:
\usepackage[T1]{fontenc}
paradoxically is an instruction to NOT use T1 fonts when creating the postscript doc! The "ae" package includes the so-called "almost European" font set which is freely available. In contrast, there is quite a bit of tex documentation coming from Eurpope where the "ECM" fonts are used. As far as I can tell, there are no freely available Type 1 fonts for ECM. Most linux systems will have ecm fonts, but as Type 3 only (thus the crappy on-screen quality). The "ae" fonts are a reasonable facsimile of the ecm fonts and they are freely available. HTH
Re:Sort of... (Score:1)
Re:Not worried (Score:4, Interesting)
Re:Not worried (Score:2)
Re:Not worried (Score:2)
Just go to Adobe's web site and downloaded their print to PDF software. They used to have a MacOS version (which is what I use), but it seems to be gone. They do seem to still have a Windows version (PDF writer, irrc)
All readers should run in jails (Score:2)
Bugtraq advisories (Score:2)
Karma (Score:4, Funny)
Ever thought anti-virus people make viruses? (Score:2)
"Right now it's considered to be a low risk because we haven't seen it reported to us from a customer," Network Associates' Gullotto said.
OK, so how did you guys get it? Must have been internal then.. anyway, my conspiracy theory.
JOhn
Why use Acrobat anyway? (Score:2, Interesting)
Then we come to the windows users hmm... good question. If you print to file in windows, doesn't that become a postscript too? And there probably is a port of 'ps2pdf' for windows, and if not I doubt it would be too hard to do that, or maybe there is a similar software. Anyway, it CAN be done obviously...
-Hans
Just like MS (not a troll!) (Score:2)
To prevent Peachy from being able to run, "the change we would have to make is not to allow VBScript attachments. That is a problem for a lot of our customers," she said. "If they change their opinion, we will do what they want."
According to many ./ers, this is exactly Microsoft's opinion, and the very problem that has opened the door to the worst virii on the Internet: The company is writing software with features that their customers want--no matter if they pose security risks or not.
Typical customers want their email client to open attachments for them. Typical customers want Acrobat to be able to process VBScript (according to Adobe). Unfortunately, typical customers don't want to be raped by script kiddies and haX0rz either--but they don't seem to be willing to sacrifice their features for it.
Where is the balance?
--SC
Apply the same arguments to other areas of safety (Score:5, Insightful)
Where is the balance?
This is a remarkably easy question to answer if you substitute another area of safety people, even clueless Microsoft users, can understand.
Allow me to paraphrase:
Obviously, if the industry cannot police itself, and the free market doesn't yield acceptable results, government regulation is the only reasonable recourse (libertarian knee-jerk reactions aside). In the case of aircraft the FAA has stepped in, and while their are alot of regulations, as a pilot I can say the vast majority of them are reasonable and do a great deal of good.
Think the aircraft example is too dramatic? Then substitute something else, such as an automobile, a building, or even a child's toy. All of these things have features people would want if they could have them but are incompatible with safety (think seat-belts, firecodes, chilren choking, etc.). In each case the manufacturers were incapable of properly policing themselves and government ended up having to step in (safety codes, building codes, mandatory testing procedures, etc.).
Microsoft has demonstrated its incompetence to such an extreme that fissionable nuclear materials may well have been misplaced as a direct and demonstrable result of poor quality control in their software. They make no apology for this, blaming instead the victims of their own incompetence (their customers) and claiming it is what their customers want (I would beg to differ). Clearly the industry is not policing itself properly, nor, based on the market share Microsoft currently enjoys, is the free market yielding acceptable results. Similar arguments apply to Adobe, its fraudulantly incompetent copy protection for eBooks and its virus-facilitating PDF file format.
I know it is a profoundly unpopular idea (and I'm not terribly thrilled with the notion myself), but perhaps it is time for some basic standards of quality and security to be imposed through some form of regulation. The alternative seems to be more of the same, which is clearly not acceptable.
Re:Apply the same arguments to other areas of safe (Score:1)
I know it is a profoundly unpopular idea (and I'm not terribly thrilled with the notion myself), but perhaps it is time for some basic standards of quality and security to be imposed through some form of regulation. The alternative seems to be more of the same, which is clearly not acceptable.
You know, I would actually have to say I'm starting to agree with this view. I think it is time for consumers to work with governments to form suitable regulation for the greater good of society. The development of open formats and software would go a long way to support this. I can't see it happening in the US any time soon though, MSFT is paying too much tax!
Re:Apply the same arguments to other areas of safe (Score:2)
The federal government should regulate areas where there is a potential for irrecoverable loss i.e. life or limb. Market forces don't play well there because nothing can compensate for those losses. Computer virii are a whole different beast. The most a computer virus can do is cause loss of data or money. Something market forces are perfectly capable of dealing with and something which government should stay far away from.
And just because market forces don't seem to work in the direction YOU like it, doesn't mean they don't work at all.
The argument about the loss of fissionable nuclear material is a strawman. Every piece of software has bugs in it and depending on the purpose you use it for, those bugs can have harmful consequences.
Your ad homonim foolishness aside (Score:2)
The most a computer virus can do is cause loss of data or money.
Tell that to the patients who died as a result of a "bug" in the software which was controlling the radiation therepy equipment used in the treatment of their cancer that erroneously delivered a lethal dose.
Tell that to the aircraft pilots which had their passenger jet flip upside down due to a bug in their computerized autopilot (thankfully the plane was empty and they were able to recover
Computers, and information, have real-world effects which can and do affect, even destroy, real, physical lives, and viruses are as capable of destroying lives as "bugs."
Something market forces are perfectly capable of dealing with and something which government should stay far away from.
Ever heard of the SEC? FTC? Even the markets themselves, which you seem to so laude as a panacea, require rather detailed and ongoing government intervention in order to function at all.
Other holes in this argument abound, including the fact that, in the United States at least, money is required to obtain even nominal medical care, not to mention food and other basics. Destroying one's livelihood is often tantamount to destroying lives
The argument about the loss of fissionable nuclear material is a strawman.
No, it isn't. It is a verifiable, and verified, event which resulted from extreme incompetence and negligence on Microsoft's part, exacerbated by their indefensible unwillingness to acknowledge, much less take responsiblity for, their own product's shortcomings. Furthermore, it is a perfect example of how information and its destruction can, in fact, potentially endanger millions of lives, and why government regulation requiring certain minimum standards in quality control and security are not at all unreasonable.
Indeed, you rebut your own point in the next sentence you write:
"Every piece of software has bugs in it and depending on the purpose you use it for, those bugs can have harmful consequences."
... which is why we have safety regulations for everything from medical equipment to aircraft to automobiles to elevators, because those bugs can have harmful consequences, whether they are bugs in software, firmware, or hardware. And why minimum standards for software quality and security aren't so unreasonable after all.
Re:Safety Regulations for Software (Score:1)
This would be based on the principle that with source code the user could check (or get another independent 3rd parties to check) the software themselves whereas a user is unable to similarly verify binary distributions
In such a way regulation could work in favour of the open source movement
Flaw in your argument (Score:3, Insightful)
That is difficult to say (who can quantify how many potential virus writers are deterred by threat of jailtime? Greater than zero alsmost certainly. Greater than a hundred, a thousand, a million? We really don't know.) However, once again an example from the physical world makes the issue rather clear:
"So you're proposing more regulation as the answer? I see a serious flaw in this reasoning. Government regulation and laws are already in place to punish those who commit acts of arson."
Clearly fire codes were necessary to prevent disasters such as the Chicago fire (which wiped out the entire city in the 19th century and is believed to have been started not by an arsonist, but by simple accident). Laws which punish crimes are often not sufficient to protect the public from negligence on the part of product manufacturers, or even negligence on the part of consumers.
Consider the Ford Pinto, which was prone to explode (violently) when rear-ended. Ramming a Ford Pinto from behind, even by accident, is illegal. Nevertheless that was insufficient to prevent accident which resulted in numerous fiery explosions and needless deaths, nor was it sufficient to get Ford Motor Company to change a design they knew was flawed to begin with. Lawsuits and, yes, additional government regulation were necessary to bring public safety up to an acceptable level. The Free Market and outlawing actions which exacerbated the unsafe conditions which the manufacturers negligence had left in place were very obviously not enough.
So too does it appear to be with software. Some minimal level of security needs to be required. If the industry cannot police itself and the free market isn't up to the task of weeding out the negligent (and both certainly appear to be the case here), then government regulation for the common good is not at all unreasonable.
Of course, as with any act of government, such regulation has the potential to be more harmful than good, but it also has the potential to be more good than harmful (as with, for example, building codes in most cities and FAA regulations). It is incumbant on us as software engineers and Free Software advocates to be out in force, involved in creating any such regulations, such that they are helpful to the industry (and the industry must, by definition, include Free Software) and not detrimental.
I guarantee if we're not, someone else will step up to the plate. Indeed, with the FBI outages and attacks on the White House I'm surprise this process hasn't begun already.
Re:Flaw in your argument (Score:2)
Your words are prophetic.
We here all know that Microsoft releases swiss cheese software. They put the blame on 'hackers' and the sheeple eat it up. But they now have the answer with their phone-home software. The will now start claiming that security holes all come from unofficial software.
Look for M$ to start lobbying for all software to be government regulated. This will basically wipe out Open Source, shareware, and the small time coders, all in one fell swoop.
You make an interesting point (Score:2)
This is an interesting, and valid, point. It would not be at all farfetched for Microsoft to be deliberately negligent in its security, then use a regulatory body and its own involvement in the regulatory process to undermine the ability of smaller upstarts to compete, perhaps even make it impossible for Free Software to become "licensed" at all.
A frightening thought. I fear, however, that simply wishing the government would stay away won't suffice, so I suspect we'll want to be very involved in whatever process does emerge, and it is IMHO almost certain something will emerge from these debacles. It would behoove us to be proactive in making sure whatever form any involvement by our government takes is conducive to the creative freedom and technical progress which Free Software makes possible, lest we all be subjected to Microsoft's notion of "freedom to innovate," which in truth has little to do with freedom or innovation.
PDF Virus a *Proof of Concept*, not a real threat (Score:3, Interesting)
The social engineering, however, is pretty amazing. The author has created a neat little PDF "game" that people will want to double-click. And, as he wrote in the text file linked above, he wrote it as a proof of concept. The worm doesn't do much except spread itself using Outlook. I think the scary part, the point the author wanted to make, is that you can embed all sorts of fun things in a PDF file. Some other virus writer could make a new version that does something nasty after it emails itself to every address it can find in your Outlook folders.
Yes, the threat level is low, due to the required combination of software and social engineering. But just because the combination of software is rare doesn't mean that we should disregard the possibility.
Now for a display of massive ignorance: I wonder what a PDF virus could do on a system whose GUI is based on PDF (Mac OS X)?
Re:PDF Virus a *Proof of Concept*, not a real thre (Score:3, Insightful)
I think we're going to come to the point where *any* embeddable-type document is going to be prone to infestation. We're almost there. We just need to add
Do they WANT virii? (Score:5, Insightful)
Adobe said any popular software becomes a target for security attacks and Acrobat has crossed that threshold.
I'm convinced that software companies now WANT viruses to run on their software, because it "proves" the software is popular. If I were Adobe, I would distance myself from the virus by saying "PDF's can now carry VBScript viruses, but VBScript is still broken with respect to security, so blame Microsoft for any viruses!" After all, the problem is with the fact that VBScript can't be trusted, not with any inherent security problem in Acrobat.
Instead, Adobe seems to WANT to associate their software with the viruses, because Microsoft has conditioned the media into thinking that having a virus have its way with your software proves that you're the Market Share Leader.
After all, if nobody writes viruses for, say, UNIX platforms, it must mean that they aren't as popular!
Re:Do they WANT virii? (Score:2)
If they can convince enough people that pdf is too dangerous, then they may be able to switch them over to the ebook standard. Because that's safer.
It is likely to be a long time before I trust adobe to do anything honorable. It's likely to be a long time before I trust them again for anything. I think a partial requirement would be a total change in upper management. And that wouldn't be sufficient. That's just necessary.
actually no (Score:1, Flamebait)
according to your logic, the plural of bus should be bui, but we all know it's actually buses
and the plural of Gus, should be Gui, but know what a GUI is, and the plural of Gus' should be Gus' kids.
Who's the dickwad now?
Re:here ya go, ya goofballs (Score:1)
Re:here ya go, ya goofballs (Score:1)
There isn't a Latin plural form of "virus", so "viruses" it is!
Follow the link in the parent post. This is really true!
Viruses or Virii, it's all the same (Score:2, Informative)
Re:Do they WANT virii^H^Huses? (Score:2)
Ultimately, it's the user's job to make sure his system doesn't get hosed. But, since most users can't tell a good VBscript from a bad one, It's the job of the operating system (or failing that, the scripting languages' interpreter) to make sure scripts can't do anything malicious when accessed in normal mode. Since Windows and VBScript doesn't do this, I consider them broken.
If PDF allows mailicious script to run, it is PDF that is broken.
So Acrobat Reader should analyze VBScript and be able to tell us when an attachment is about to hose the system? In that case, why not build that functionality into Windows or VBScript? Then they wouldn't be broken.
Re:Do they WANT virii^H^Huses? (Score:2)
Re:Do they WANT virii? (Score:2, Insightful)
The fault lies somewhere between the two, but a little closer to VBScript:
The VBScript engine being used by the PDF interpreter should provide a sandbox in which untrusted scripts (e.g., scripts embedded in PDF email attachments) can be run.
Having a script interpreter (or a virtual machine) support different access permissions for different classes of apps (signed and trusted, unsigned, etc.) is exactly akin to having an operating system support different access permissions for different users.
This is how (and why) Java's security manager works for things like applets.
Has Slashdot declared war on Adobe ? (Score:2)
This article is not new and PDF files are vulnerable if you launch an embedded attachment, but then again so are MS Word, etc etc.
All this shows is that if you go looking for something bad then you are going to find it if you look hard enough, and i think the skylarov case means everyone would like to 'get' adobe
(im not commenting on the merits of the case - but i will say that i think both parties are at fault, skylarov for cracking a proprietry format and adobe for over reacting in a big way - the thing is the PDF format IS proprietary - you need adobe software to make it and view it there fore they have the right to protect their copy right but i think they way they and the US gov went about it is heavy handed and stupid - this guy is not some desperate hacker)
But the thing is the medias coverage of non threats like this, minor threats to the home user like code red and things like good times, michelangelo, hackers defacing web pages etc etc and blowing these said events up to be the end of the world as we know it builds hysteria in the general populace who then call for the govt to crack down on these 'terrorists' - thus they carry out heavy handed actions.
If we all dont watch out we are in for a nother McCarthy like era but instead of reds under beds we will have hackers under the table!!
Re:Adobe legal defense (Score:3, Interesting)
Quite the opposite. When writing a PDF virus you're not reverse engineering or circunventing anything. However, if there's a virus in an e-book, you can't study it because then you'd be violating the DMCA and the virus writer can sue you and have you put in jail. Cool isn't it?
Re:Adobe legal defense (Score:4, Interesting)
Me? Cynical?
Re:Adobe legal defense (Score:2)
Re:Adobe legal defense (Score:2)
I've got no problem with them sharing the source code, hell, I think it's a good thing. I'm just suprised an virus writer would do it.
Actually, PDF was designed for viewing (Score:3, Informative)
While you are correct in stating that adding VBscript and other such extensions to PDF is stupid, the PDF format was explicity designed with the idea of users being able to view documents in addition to printing them.
PDF was designed as a method for users to share documents without requiring them to all have the software that created the documents. They took a subset of the postscript language and modified it to improve portability (such as font handling), remove some of the printer-specific bits of Postscript, and add features that may be desirable for portable documents (like encryption, for-handling, etc). Yes, the ability to print it correctly was important, but so was on-screen viewing.
That they did a piss-poor job of on-screen previewing (as anyone that uses bitmap fonts in TeX will attest to) in Acrobat notwithstanding, they design it for both viewing and printing.