Saturday, 7 December 2013

PDF, Flash, and Java: the Most Dangerous File Types

Dangerous File Types A report just released by AV-Test should be a huge wake-up call for anybody who doesn't pay attention to software updates. After ten years of study, the researchers concluded that security holes in Adobe and Java are responsible for 66 percent of all vulnerabilities actively exploited in Windows.
Modern applications are complex enough that there will always be flaws, and in some cases the flaw can open up a PC to invasion by malware. The vendors patch these flaws as quickly as they can, but their hard work doesn't help if you don't stay up to date. When cybercrooks shoehorn malware onto your PC by taking advantage of such a hole, that's called an exploit.
Aiding and Abetting
The report notes that the browser is complicit in many exploits. A website can query the browser for all sorts of information, like the precise browser version, the operating system, and the version number of add-ins like Flash and Java. This mechanism exists so that sites can tailor the pages they deliver for the best user experience, but it can be misused by malicious sites that target their attacks based on the returned information.
Some exploits target browser vulnerabilities, but even more of them attack through flaws in the processing of specific file types. According to the report, the PDF format is "most frequently used as a malware transporter for vulnerabilities." Click on the image at the top of this article for a list of other dangerous file types.
I was somewhat surprised to fine the ZIP format in line after Java and HTML. Then I remembered that the DOCX and XLSX formats used by Microsoft Office and Excel (which churn through plenty of vulnerabilities) are actually ZIP files. Peek at one using a binary editor and you'll see that the first two characters are PK (for Phil Katz), like any other ZIP file.
Protection Is Available
If you've got Norton Internet Security (2014), Bitdefender Total Security (2014), or another up-to-date security suite, you'll probably never get hit by an exploit, concludes the report. The suite has many opportunities to prevent the attack, starting with blocking the initial JavaScript that tries to get system information. It may also block the PDF, JAR, or other type of file that contains the exploit.
Remember, the exploit itself is just a way to deliver malware. If the suite doesn't block the exploit file, it's very likely to quarantine the delivered malware either immediately or when it tries to launch. And of course, keep all of your software up to date.
Possible Alternatives
PDF-based vulnerabilities are found within Adobe Reader, so using a different PDF viewer such as the free Foxit Reader 5.1 can help. (Note, though, that Foxit Reader has had to patch a few holes of its own).
As for Flash, sites do have to function without it, or flop on iOS devices. The report notes that Mozilla is supporting Shumway, an open-source project that aims to display Flash content using HTML5, with no Flash Player involved.
Java has been so much trouble this year that we've advised people to disable it, at least on a trial basis. The report differs, suggesting that "surfing the web without Java... is virtually impossible," and once again recommending a good security suite. If this topic piques your interest, you'll definitely want to read the full report on the AV-Test website.

No comments:

Post a Comment