an update:
My latest finding is that Adobe PDF's with embedded attachments can be
bundled and distributed as a Secure Electronic Envelope (eEnvelope).
eEnvelopes are designed to protect documents in transit with the use of
encryption.
Password protected .ZIP's are typically addressed at the SMTP gateway by AV
software with the option to strip or reject compressed file attachments that
are not readily scan-able (due to the password protection, etc).
Although Adobe recommends enabling scanning all file types in order to scan
a PDF (and ass/u/me'ing its embedded contents as well), an AV scanner is not
currently going to be able to scan this encrypted content until the content
has been rendered/unencrypted at the desktop.
While many AV vendors have factored certain compressed archive standards
into their products, I have seen no indication that this is being addressed
for this relatively new and already widely deployed product.
Call me a worry-wort, but I foresee this is the next "in" for malware
distribution.
On 4/25/05, Micheal Espinola Jr <michealespinola@gmail.com> wrote:
Perhaps not "just". My apologies for those that are aware of this, but it
seems Adobe 6 also had this capability - although many people have been
unaware of this. I recently upgrade from 5 to 7, so I missed this potential
issue from the get-go.
Someone pointed out to me that Symantec does have a bulletin stating that
by setting your AV to "scan all files" you can detect a virus inside a file
embedded into a PDF.
Unfortunately, this does not address the blocking of certain attachments
outright.
On 4/25/05, Micheal Espinola Jr <michealespinola@gmail.com> wrote:
It seems most people I know haven't noticed that the new version of
Adobe Acrobat (7) now allows for embedded/attached documents.
Since PDF's have generally been considered a safe document format and
are typically not blocked by content/attachment scanners, this now opens an
email-based attack vector that anti-virus providers [to the best of my
knowledge] are not currently addressing.
Many thanks to Adobe for creating another issue for us to deal with,
and especially for not having the forethought to coordinate with anti-virus
vendors to prepare for assuredly future exploitation of the technology.
--
ME2
my home: <http://www.santeriasys.net/>
my photos: < http://mespinola.blogspot.com/>
--
ME2
my home: <http://www.santeriasys.net/>
my photos: < http://mespinola.blogspot.com/>
--
ME2
my home: <http://www.santeriasys.net/>
my photos: <http://mespinola.blogspot.com/>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
