Right, but do the AV vendors recognize an encrypted/password-protected PDF -
like the would/could a compressed archive (ZIP, etc) ?
I haven't seen any that can. I'm using Symantec 9, and I'd be interested to
know if anyone is using a competitor that addresses this issue directly.
Thanks,
On 4/26/05, Randall M <randallm@fidmail.com> wrote:
Just my 2cents worth. About the only defense is using programs such as
MailSecurity to block and alert when anything is encrypted or password
protected.
thank you
Randall M
"If we ever forget that we're one nation under God, then we will be a
nation gone under."
- Ronald Reagan
_________________________________
------------------------------
*From:* full-disclosure-bounces@lists.grok.org.uk [mailto:
full-disclosure-bounces@lists.grok.org.uk] *On Behalf Of *Micheal Espinola
Jr
*Sent:* Tuesday, April 26, 2005 11:56 AM
*To:* Full Disclosure
*Subject:* [Full-disclosure] Re: email attack vector just got wider
an update:
My latest finding is that Adobe PDF's with embedded attachments can be
bundled and distributed as a Secure Electronic Envelope (eEnvelope).
eEnvelopes are designed to protect documents in transit with the use of
encryption.
Password protected .ZIP's are typically addressed at the SMTP gateway by
AV software with the option to strip or reject compressed file attachments
that are not readily scan-able (due to the password protection, etc).
Although Adobe recommends enabling scanning all file types in order to
scan a PDF (and ass/u/me'ing its embedded contents as well), an AV scanner
is not currently going to be able to scan this encrypted content until the
content has been rendered/unencrypted at the desktop.
While many AV vendors have factored certain compressed archive standards
into their products, I have seen no indication that this is being addressed
for this relatively new and already widely deployed product.
Call me a worry-wort, but I foresee this is the next "in" for malware
distribution.
On 4/25/05, Micheal Espinola Jr <michealespinola@gmail.com> wrote:
Perhaps not "just". My apologies for those that are aware of this, but
it seems Adobe 6 also had this capability - although many people have
been unaware of this. I recently upgrade from 5 to 7, so I missed this
potential issue from the get-go.
Someone pointed out to me that Symantec does have a bulletin stating
that by setting your AV to "scan all files" you can detect a virus inside a
file embedded into a PDF.
Unfortunately, this does not address the blocking of certain
attachments outright.
On 4/25/05, Micheal Espinola Jr <michealespinola@gmail.com > wrote:
It seems most people I know haven't noticed that the new version of
Adobe Acrobat (7) now allows for embedded/attached documents.
Since PDF's have generally been considered a safe document format and
are typically not blocked by content/attachment scanners, this now opens
an
email-based attack vector that anti-virus providers [to the best of my
knowledge] are not currently addressing.
Many thanks to Adobe for creating another issue for us to deal with,
and especially for not having the forethought to coordinate with
anti-virus
vendors to prepare for assuredly future exploitation of the technology.
--
ME2
my home: <http://www.santeriasys.net/>
my photos: < http://mespinola.blogspot.com/>
--
ME2
my home: < http://www.santeriasys.net/>
my photos: < http://mespinola.blogspot.com/>
--
ME2
my home: <http://www.santeriasys.net/>
my photos: <http://mespinola.blogspot.com/>
--
ME2 <http://www.santeriasys.net/>
photography: <http://mespinola.blogspot.com/>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
