AW: [suse-security] Acrobat Reader upgrade to 7.0
...or you use squidGuard to block "remoteapproach.com"

CU Robert

-----Original Message-----
From: Dr. Reiner Pietrzak [mailto:suse@crasswerk.de]
Sent: Saturday, 23 July 2005 21:25
To: suse-security@suse.com
Subject: Re: [suse-security] Acrobat Reader upgrade to 7.0

Thank you very much for this hint!

On Saturday, 23.07.2005, at 17:51 +0100, suse@karsites.net wrote:
> Acrobat Reader likes to phone home apparently - LOL!
> Maybe these people are using AJAX technology also?
> full article at: http://lwn.net/Articles/129729/
>
> Linux users may have been pleased to find that Adobe has finally made available a new version of its Acrobat Reader, with accessibility features, a much slicker interface than Acrobat 5.x and new and other spiffy features. However, there are a few other features that Linux users should be aware of.
>
> A company called Remote Approach is promising to alert PDF publishers as to the "reach and use of their materials." We were curious to find out how Remote Approach was going to make good on its promise, given that PDF has largely been seen as a one-way medium. To find out, we created a test account and uploaded a PDF to be "tagged" by Remote Approach, and then downloaded the modified document to see whether Remote Approach could log our use of the document.
>
> Remote Approach's reporting did not work when we viewed the document with Kpdf, Xpdf and Adobe Reader 5.0.10. It also failed using Apple's "Preview" application on Mac OS X. The document was still viewable with no apparent glitch in other PDF readers, but the reporting function did not work.
>
> However, when we opened the file using Adobe Acrobat Reader 7, Remote Approach started logging views from our IP address. After doing a little research, we found that Adobe's Reader was connecting to http://www.remoteapproach.com/remoteapproach/logging.asp each time we opened the document. The information is submitted over port 80 using HTTP, so it is unlikely that a home or office firewall would, in a normal configuration, block the activity, unless the firewall administrator is attempting to block Web browsing.
>
> Apparently, Remote Approach's "tag" to our document included the addition of JavaScript code causing Acrobat to report back to their server; the information reported includes the fact that the document had been read, our IP address, and which viewer it had been read in. (Interestingly, Remote Approach does not seem to recognize the Linux version of Acrobat Reader, as it left the "User Agent" field blank in its reports.)
What about simply disabling javascript?

Regards - Reiner Pietrzak

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
The Sunday 2005-07-24 at 14:02 +0200, Rasp, Robert wrote:

> ...or you use squidGuard to block "remoteapproach.com"

But that is not a generalized solution. We'd have to know beforehand to which place would any pdf document try to access without telling us. It'd be more appropriate to block acrobat reader from connecting anywhere whatsoever without our explicit permission.

--
Cheers,
Carlos Robinson
On Sunday, 24 July 2005 14:02, Rasp, Robert wrote:

> ...or you use squidGuard to block "remoteapproach.com"

... which doesn't necessarily solve the problem, because the url is not hardcoded into acrobat reader, but into the pdf files. so anyone could create a pdf that uses http to download a file from any host anywhere, then (try to) run it... imagine the possibilities... and suse forces acroread7 down users' throats as a security update?

anyways, disabling javascript is not a viable solution unless you don't mind that acroread asks you to enable it every time you quit acroread...

here's what i did: i noticed that the new acroread7 packages that came thru YOU lately have libcurl as a dependency, so i checked which plugins (in /usr/X11R6/lib/Acrobat7/Reader/intellinux/plug_ins) are linked against libcurl. there's only one: EFS.api. so i renamed that one (do not delete, you MIGHT want to be able to re-enable it later if you run into trouble...). on next start, acroread alerts you about trouble registering two more plugins: Annots.api and SOAP.api. so i also renamed those, to get rid of the error messageboxes.

Didn't run into any problems due to that (yet). YMMV. DTAYOR.

bye, MH
--
Unsolicited sending of advertising e-mail to private individuals violates §1 UWG and 823 I BGB (decision of the LG Berlin of 2.8.1998, Az: 16 O 201/98). Any commercial use of the transmitted personal data, as well as passing it on to third parties, is expressly prohibited!
gpg key fingerprint: 5F64 4C92 9B77 DE37 D184 C5F9 B013 44E7 27BD 763C
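The plug-in check described in the message above, as an added example that is not part of the original post: it reads each plug-in's declared library dependencies with readelf (which only parses the file, unlike ldd) and renames matches reversibly. The `.disabled` suffix, the function names and the dry-run default are assumptions of this example.

```shell
#!/bin/sh
# Added example: find Reader plug-ins (*.api) that declare a dynamic
# dependency on a given library and rename them so they can be restored.

# Print the DT_NEEDED entries of one ELF file. readelf parses the file
# without loading it; non-ELF files simply produce no output.
needed_libs() {
    readelf -d "$1" 2>/dev/null | sed -n 's/.*(NEEDED).*\[\(.*\)\]/\1/p'
}

# List plug-ins in directory $1 whose NEEDED entries match pattern $2.
plugins_needing() {
    for f in "$1"/*.api; do
        [ -f "$f" ] || continue
        if needed_libs "$f" | grep -q -- "$2"; then
            printf '%s\n' "$f"
        fi
    done
}

# Rename each matching plug-in to NAME.api.disabled (assumed suffix).
# DRY_RUN=1 is the default and only reports what would be renamed.
disable_plugins() {
    plugins_needing "$1" "$2" | while IFS= read -r f; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf 'would rename %s\n' "$f"
        else
            mv -- "$f" "$f.disabled" && printf 'renamed %s\n' "$f"
        fi
    done
}

# Usage, with the directory named in the thread:
#   disable_plugins /usr/X11R6/lib/Acrobat7/Reader/intellinux/plug_ins libcurl
#   DRY_RUN=0 disable_plugins <same directory> libcurl
```

This only finds plug-ins that link the library directly; plug-ins that then fail to register because they depend on a disabled one, as reported above for Annots.api and SOAP.api, still have to be handled by hand.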
Mathias Homann wrote:

> anyways, disabling javascript is not a viable solution unless you don't mind that acroread asks you to enable it every time you quit acroread...

Frank Steiner posted the solution for this just 6 days ago as an answer to the lengthy security-announcement thread that developed last week:

| Easy to fix:
| cd ~/.adobe/Acrobat/7.0/JavaScripts
| rm -f glob.settings.js
| ln -s /dev/null glob.settings.js
|
| And it won't ask again.

though it's also good to remove the plugins...

Cheers,
Olaf
On Sunday, 24 July 2005 15:57, Olaf Kock wrote:

> Mathias Homann wrote:
>> anyways, disabling javascript is not a viable solution unless you don't mind that acroread asks you to enable it every time you quit acroread...
>
> Frank Steiner posted the solution for this just 6 days ago as an answer
> to the lengthy security-announcement thread that developed last week:
> | Easy to fix:
> | cd ~/.adobe/Acrobat/7.0/JavaScripts

this is for ONE user.

> though it's also good to remove the plugins...

and this does not disable javascript, or disable ALL plugins, but just a few. forms in pdf files should still work this way...

bye, MH
Mathias Homann wrote:

>> Easy to fix: cd ~/.adobe/Acrobat/7.0/JavaScripts
> this is for ONE user.

Copy the whole directory with your custom settings to /etc/skel and you will get this weird stuff disabled for new users. Depending what acrobat shall be able to do I would try to disable all other unneeded plugins the same way (Don't forget to make a backup of your folder!!!).

I remember somewhere there was a program based iptables software around the net, but I don't remember the name of it. This would help fixing program related spyware (I thought acrobat would be spyware free, but comes more and more the direction of real player :( ).

Philippe

--
This message is digitally signed and contains neither seal nor signature!
The Monday 2005-07-25 at 00:04 +0200, Philippe Vogel wrote:

> I remember somewhere there was a program based iptables software around the net, but I don't remember the name of it. This would help fixing program related spyware (I thought acrobat would be spyware free, but comes more and more the direction of real player :( ).

This was talked about here last April. Perhaps this can help (firewalling acrobat in local computer):

| Date: Sun, 17 Apr 2005 18:52:27 +0200
| From: nordi
| To: suse-security@
| Subject: Re: [suse-security] How to block Acroread 7 with SuSE FW2?
| X-Message-Number-for-archive: 25138
|
| In order to block that traffic you could make the acroread executable
| SGID 'acro' and then block all traffic coming from group 'acro'.
| Iptables has an option for doing this by using the --gid-owner option.
| Of course that works only with a local firewall.

--
Cheers,
Carlos Robinson
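The setgid plus owner-match approach quoted in the message above, as an added example that is not part of the thread: it prints the commands for review and refuses targets that are not ELF binaries, because Linux ignores the setgid bit on interpreted scripts and the rule would then match nothing. The function names, file mode and loopback exemption are assumptions of this example; the group name 'acro' is the one from the quoted mail.

```shell
#!/bin/sh
# Added example: plan a per-program egress block using a dedicated group
# and the iptables owner match (--gid-owner), local firewall only.

# True only if $1 is a regular file starting with the ELF magic bytes.
is_elf() {
    [ -f "$1" ] || return 1
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# Print the commands to review and then run as root.
#   $1 = path to the real reader binary, $2 = group name (default: acro)
plan_sgid_block() {
    bin=$1
    grp=${2:-acro}
    if ! is_elf "$bin"; then
        echo "refusing: $bin is not an ELF binary (setgid would be ignored)" >&2
        return 1
    fi
    cat <<EOF
groupadd -r $grp
chgrp $grp $bin
chmod 2755 $bin
iptables -A OUTPUT ! -o lo -m owner --gid-owner $grp -j REJECT
EOF
}

# Usage (path is a placeholder for the actual ELF executable):
#   plan_sgid_block /path/to/real/acroread-binary acro
```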
participants (5)
- Carlos E. R.
- Mathias Homann
- Olaf Kock
- Philippe Vogel
- Rasp, Robert