Re: PDF files containing executables?
On Thu, 3 Mar 2016, David B Funk wrote:

> On Thu, 3 Mar 2016, John Hardin wrote:
>
> > On Thu, 3 Mar 2016, Dianne Skoll wrote:
> >
> > > However, many legitimate PDF files contain Javascript snippets.
> > > Blocking solely on that basis will lead to many FPs.
> >
> > I'd argue the "legitimate" part of that statement... :)
>
> Many editable PDF forms use javascript for input validation, like most of the PDF forms you can download from irs.gov. (I'm not going to get in an argument with you about how "legitimate" the IRS is ;)

That's about the only legitimate use I can think of, and surely that can be done by less than a full programming language.

> > Sounds to me like it should be: block any PDF with javascript/flash/java with whitelisted bypass. What sane MTA accepts bare executable attachments from the Internet at large any more? The same policy should apply to PDFs.
>
> Don't tell me you've never seen HTML e-mail with embedded javascript?

Seen it? Yes. Defang it? Also yes.

> Some content creators think that e-mail should be a full-fledged HTML page.

/me kicks sigmonster...

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
End users want eye candy and the "ooo's and hhh's" experience when reading mail. To them email isn't a tool, but an entertainment form. -- Steve Lake
---
10 days until Albert Einstein's 137th Birthday
Re: PDF files containing executables?
On Thu, 3 Mar 2016, John Hardin wrote:

> On Thu, 3 Mar 2016, Dianne Skoll wrote:
>
> > On Thu, 3 Mar 2016 13:03:44 -0800 Marc Perkel wrote:
> >
> > > Thanks for the response. I'm in the spam filtering business and I'm wondering what I can use (from the command line?) to detect if a PDF has any kind of script attached that would be executable. that way I might block based on what's embedded in a PDF.
> >
> > There are tools. Google is your friend.
> >
> > However, many legitimate PDF files contain Javascript snippets. Blocking solely on that basis will lead to many FPs.
>
> I'd argue the "legitimate" part of that statement... :)

Many editable PDF forms use javascript for input validation, like most of the PDF forms you can download from irs.gov. (I'm not going to get in an argument with you about how "legitimate" the IRS is ;)

> Sounds to me like it should be: block any PDF with javascript/flash/java with whitelisted bypass. What sane MTA accepts bare executable attachments from the Internet at large any more? The same policy should apply to PDFs.

Don't tell me you've never seen HTML e-mail with embedded javascript? Some content creators think that e-mail should be a full-fledged HTML page.

--
Dave Funk University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: PDF files containing executables?
On Thu, 3 Mar 2016, Dianne Skoll wrote:

> On Thu, 3 Mar 2016 13:27:18 -0800 (PST) John Hardin wrote:
>
> [Dianne Skoll]
> > > However, many legitimate PDF files contain Javascript snippets. Blocking solely on that basis will lead to many FPs.
> >
> > I'd argue the "legitimate" part of that statement... :)
>
> Well, maybe, but I think you'd lose that argument if you had to provide service to the clients we do.
>
> > Sounds to me like it should be: block any PDF with javascript/flash/java with whitelisted bypass.
>
> If we did that, we'd have hundreds of support tickets pouring in... trust me on this. At least wrt Javascript. Not sure about Flash and I had no idea Java could be embedded in PDF... are you sure that's even possible?

I didn't think that a pure ".exe" could be embedded in PDF until I ran across this little gem:
http://blog.didierstevens.com/2010/03/29/escape-from-pdf/

(not sure if that vulnerability is still there, but people hang onto old systems for a looong time...)

--
Dave Funk University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: PDF files containing executables?
On 03.03.2016 at 23:17, Benny Pedersen wrote:

> Users should disable javascript or entirely remove software that supports stupidity

welcome to the real world
Re: PDF files containing executables?
On 3. mar. 2016 21.26.05 Marc Perkel wrote:

> A customer of mine inquired about executable viruses inside of PDF files. Is that so? And if it is - is there any way of detecting executables inside of PDF?

Google harafa

You need to understand jit, each pdf file can contain an mta sending spam

Users should disable javascript or entirely remove software that supports stupidity
Re: PDF files containing executables?
On Thu, 3 Mar 2016, John Hardin wrote:

> On Thu, 3 Mar 2016, Dianne Skoll wrote:
>
> > I had no idea Java could be embedded in PDF... are you sure that's even possible?
>
> No idea either, I was just including it because it was mentioned upthread, and greater insanities have happened.

I'm not finding anything that specifically says Java can be embedded and executed, but PDFs apparently do have the ability to run commands if the user clicks OK in a dialog.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
USMC Rules of Gunfighting #2: Anything worth shooting is worth shooting twice. Ammo is cheap. Your life is expensive.
---
10 days until Albert Einstein's 137th Birthday
Re: PDF files containing executables?
On Thu, 3 Mar 2016, Dianne Skoll wrote:

> I had no idea Java could be embedded in PDF... are you sure that's even possible?

No idea either, I was just including it because it was mentioned upthread, and greater insanities have happened.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
USMC Rules of Gunfighting #2: Anything worth shooting is worth shooting twice. Ammo is cheap. Your life is expensive.
---
10 days until Albert Einstein's 137th Birthday
Re: PDF files containing executables?
On 03/03/16 13:27, John Hardin wrote:

> On Thu, 3 Mar 2016, Dianne Skoll wrote:
>
> > On Thu, 3 Mar 2016 13:03:44 -0800 Marc Perkel wrote:
> >
> > > Thanks for the response. I'm in the spam filtering business and I'm wondering what I can use (from the command line?) to detect if a PDF has any kind of script attached that would be executable. that way I might block based on what's embedded in a PDF.
> >
> > There are tools. Google is your friend.
> >
> > However, many legitimate PDF files contain Javascript snippets. Blocking solely on that basis will lead to many FPs.
>
> I'd argue the "legitimate" part of that statement... :)
>
> Sounds to me like it should be: block any PDF with javascript/flash/java with whitelisted bypass. What sane MTA accepts bare executable attachments from the Internet at large any more? The same policy should apply to PDFs.

If I could detect java or some other executable inside a PDF then the message would have to be white or near white before I allowed it to pass.

--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400
Re: PDF files containing executables?
On Thu, 3 Mar 2016 13:27:18 -0800 (PST) John Hardin wrote:

[Dianne Skoll]
> > However, many legitimate PDF files contain Javascript snippets.
> > Blocking solely on that basis will lead to many FPs.

> I'd argue the "legitimate" part of that statement... :)

Well, maybe, but I think you'd lose that argument if you had to provide service to the clients we do.

> Sounds to me like it should be: block any PDF with
> javascript/flash/java with whitelisted bypass.

If we did that, we'd have hundreds of support tickets pouring in... trust me on this. At least wrt Javascript. Not sure about Flash and I had no idea Java could be embedded in PDF... are you sure that's even possible?

Regards,

Dianne.
Re: PDF files containing executables?
On Thu, 3 Mar 2016, Dianne Skoll wrote:

> On Thu, 3 Mar 2016 13:03:44 -0800 Marc Perkel wrote:
>
> > Thanks for the response. I'm in the spam filtering business and I'm wondering what I can use (from the command line?) to detect if a PDF has any kind of script attached that would be executable. that way I might block based on what's embedded in a PDF.
>
> There are tools. Google is your friend.
>
> However, many legitimate PDF files contain Javascript snippets. Blocking solely on that basis will lead to many FPs.

I'd argue the "legitimate" part of that statement... :)

Sounds to me like it should be: block any PDF with javascript/flash/java with whitelisted bypass. What sane MTA accepts bare executable attachments from the Internet at large any more? The same policy should apply to PDFs.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
USMC Rules of Gunfighting #2: Anything worth shooting is worth shooting twice. Ammo is cheap. Your life is expensive.
---
10 days until Albert Einstein's 137th Birthday
Re: PDF files containing executables?
On 03/03/16 13:15, Dianne Skoll wrote:

> On Thu, 3 Mar 2016 13:03:44 -0800 Marc Perkel wrote:
>
> > Thanks for the response. I'm in the spam filtering business and I'm wondering what I can use (from the command line?) to detect if a PDF has any kind of script attached that would be executable. that way I might block based on what's embedded in a PDF.
>
> There are tools. Google is your friend.
>
> However, many legitimate PDF files contain Javascript snippets. Blocking solely on that basis will lead to many FPs.
>
> Regards,
>
> Dianne.

In that case I'd like to know if there's java in it so that if the message has other risk flags I can block it.

--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400
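
Added example, not part of any message in this thread and not code from any poster: a keyword triage for the "detect it, then combine with other risk flags" approach discussed above. It counts active-content names in a PDF, undoing `#xx` name escapes and inflating Flate streams first; the function names, labels and the `other_risk_flags` input are assumptions of this example.

```python
import re
import zlib

# PDF name tokens that mark active content, mapped to the label reported for them.
ACTIVE_NAMES = {
    b"JS": "javascript", b"JavaScript": "javascript",
    b"OpenAction": "auto-action", b"AA": "auto-action",
    b"Launch": "launch-command", b"EmbeddedFile": "embedded-file",
    b"RichMedia": "flash/rich-media",
}
# A name is '/' plus regular characters; '#xx' hex escapes may appear inside it.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)

def count_names(data, counts):
    """Add one hit per active-content name found in data."""
    for m in NAME_RE.finditer(data):
        # Undo #xx escapes so /J#61vaScript compares equal to /JavaScript.
        name = HEX_RE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(1))
        label = ACTIVE_NAMES.get(name)
        if label:
            counts[label] = counts.get(label, 0) + 1

def scan_pdf(data):
    """Return {label: hits} for a PDF given as bytes."""
    counts = {}
    # Object syntax outside stream bodies first, so compressed bytes cannot mimic a name.
    count_names(STREAM_RE.sub(b" ", data), counts)
    for m in STREAM_RE.finditer(data):
        try:
            body = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            body = m.group(1)  # not Flate data: scan the bytes as they are
        count_names(body, counts)
    return counts

def should_block(counts, other_risk_flags):
    """Active content alone is only a signal (forms use JavaScript); it blocks
    only when the rest of the filter raised flags too (hypothetical input)."""
    return bool(counts) and other_risk_flags > 0

# Constructed sample, not a real attachment: an escaped /JavaScript name in plain
# sight and a /Launch action inside a Flate-compressed stream.
HIDDEN = zlib.compress(b"<< /Type /Action /S /Launch >>")
SAMPLE = (b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
          b"2 0 obj\n<< /S /J#61vaScript /JS (placeholder) >>\nendobj\n"
          b"3 0 obj\n<< /Filter /FlateDecode /Length " + str(len(HIDDEN)).encode()
          + b" >>\nstream\n" + HIDDEN + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    print(scan_pdf(SAMPLE), should_block(scan_pdf(SAMPLE), other_risk_flags=0))
```

Encrypted PDFs and streams using filters other than Flate are not decoded here, so an empty result means "nothing seen", not "nothing there".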
Re: PDF files containing executables?
On Thu, 3 Mar 2016 13:03:44 -0800 Marc Perkel wrote:

> Thanks for the response. I'm in the spam filtering business and I'm
> wondering what I can use (from the command line?) to detect if a PDF
> has any kind of script attached that would be executable. that way I
> might block based on what's embedded in a PDF.

There are tools. Google is your friend.

However, many legitimate PDF files contain Javascript snippets. Blocking solely on that basis will lead to many FPs.

Regards,

Dianne.
RE: PDF files containing executables?
Not sure about viruses per se, but I know that there have been instances of embedded javascript in .pdf files which have been malicious. Javascript can be turned off in Acrobat preferences. Likely a toggle in other .pdf readers as well.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588
Registered Linux User No: 307357

-----Original Message-----
From: Marc Perkel [mailto:supp...@junkemailfilter.com]
Sent: Thursday, March 03, 2016 11:26 AM
To: users@spamassassin.apache.org
Subject: PDF files containing executables?

A customer of mine inquired about executable viruses inside of PDF files. Is that so? And if it is - is there any way of detecting executables inside of PDF?

--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400
Re: PDF files containing executables?
On 03/03/16 13:02, David B Funk wrote:

> On Thu, 3 Mar 2016, Marc Perkel wrote:
>
> > A customer of mine inquired about executable viruses inside of PDF files. Is that so? And if it is - is there any way of detecting executables inside of PDF?
>
> I don't know that PDFs can contain classical ".exe" type executables but they can clearly contain 'active content' (javascript, flash, etc) which can be abused as a malware delivery vehicle. So for practical purposes PDFs can be considered potential virus containers.
>
> AV scanners have rules for detecting malware inside PDFs but that's always a catch-up game.

Hi David,

Is there a way to detect any executable code so that I can just block all PDF files with executables?

--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400
Re: PDF files containing executables?
> Thanks for the response. I'm in the spam filtering business and I'm wondering
> what I can use (from the command line?) to detect if a PDF has any kind of

ClamAV?

— Matthias
Re: PDF files containing executables?
Hi Kevin,

Thanks for the response. I'm in the spam filtering business and I'm wondering what I can use (from the command line?) to detect if a PDF has any kind of script attached that would be executable. that way I might block based on what's embedded in a PDF.

On 03/03/16 12:59, Kevin Miller wrote:

> Not sure about viruses per se, but I know that there have been instances of embedded javascript in .pdf files which have been malicious. Javascript can be turned off in Acrobat preferences. Likely a toggle in other .pdf readers as well.
>
> ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4588
> Registered Linux User No: 307357
>
> -----Original Message-----
> From: Marc Perkel [mailto:supp...@junkemailfilter.com]
> Sent: Thursday, March 03, 2016 11:26 AM
> To: users@spamassassin.apache.org
> Subject: PDF files containing executables?
>
> A customer of mine inquired about executable viruses inside of PDF files. Is that so? And if it is - is there any way of detecting executables inside of PDF?
>
> --
> Marc Perkel - Sales/Support
> supp...@junkemailfilter.com
> http://www.junkemailfilter.com
> Junk Email Filter dot com
> 415-992-3400

--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400
Re: PDF files containing executables?
On Thu, 3 Mar 2016, Marc Perkel wrote:

> A customer of mine inquired about executable viruses inside of PDF files. Is that so? And if it is - is there any way of detecting executables inside of PDF?

I don't know that PDFs can contain classical ".exe" type executables but they can clearly contain 'active content' (javascript, flash, etc) which can be abused as a malware delivery vehicle. So for practical purposes PDFs can be considered potential virus containers.

AV scanners have rules for detecting malware inside PDFs but that's always a catch-up game.

--
Dave Funk University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
PDF files containing executables?
A customer of mine inquired about executable viruses inside of PDF files. Is that so? And if it is - is there any way of detecting executables inside of PDF?

--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400
Re: PDF files containing executables?
On 03.03.2016 at 21:25, Marc Perkel wrote:

> A customer of mine inquired about executable viruses inside of PDF files. Is that so? And if it is - is there any way of detecting executables inside of PDF?

when it's a job for clamav