Checkpoint reports PDF vulnerability. Is SumatraPDF affected?


#1

Here

NTLM Credentials Theft via PDF Files April 26, 2018

Checkpoint says that all PDF viewers are affected by this issue. Are they right or are they over-stating things? Is Sumatra vulnerable? Thank you.


#2

The Check Point researcher told Bleeping Computer that he only field-tested the attack on Adobe Acrobat and FoxIT Reader.

Note unlike these two products SumatraPDF DOES NOT run Java Script and is thus less vunerable to exploits, having said that this PoC uses a different vector specifically AutoAction which I think are not processed by SumatraPDF or its MuPdf engine (one reason to use its lightweight simplicity rather than "Flash"y readers)

There is always the posibility that a PDF can carry malicious code much the same as plain text can it is the unwary user (without security controls in place) that clicks on anything that may be compromised. Much as I have on occasion :slight_smile:


#3

From description I don’t believe Sumatra is affected.

They don’t claim that Sumatra specifically is affected. They say “all” but unless they specifically test Sumatra let’s call it at least a white lite. Their business is selling software that supposedly protects against that so they have a vested interest to exaggerate.


#4

Agreed about the vested interest. That’s why I asked.


#5

Excuse me?
Opening a .pdf with an external application is one thing, opening a text file with notepad is another thing.
You can’t compare these things.
How can an unwary user get infected by plain text malicious code with Notepad?
Unless he copy pastes a malicious link to his browser or ACCIDENTALLY changing the .txt to a .bat or something, LOL.


#6

Veering slightly off topic so will keep it brief
this exploit depends on automatic action by the insecure application e.g. Adobe or Foxit readers

I did not claim notepad can be compromised (thats for others to disprove) however it does have at least one known automatic action (i.e invokes the date if it starts with .LOG)
SumatraPDF will create (has the intended feature) to build hyperlinks from plain text (e.g. a .txt file) and as far as I know does not action automatic directives (also does not support embeded java, flash, xfa, 3D nor support other actions such as forms) often raised as “wanted” features

NOT SumatraPDF related I have in the past seen that a seemingly .txt file can be a rouge executable such as .bat that using assembly code can modify itself to com/exe, also see historic UUE file format where binaries are sent as 7 bit text files.
In all the later scenarios the user has to open the file and take a secondary action but that’s often the case with many infections.