[Dshield] PDFs and Preview in Mac OS X 10.5--Official Guidance?

Joel Esler eslerj at gmail.com
Thu Mar 26 13:52:48 GMT 2009


I have talked to "certain entities" that I will not disclose, that tell me
there are not security issues in the PDF rendering engine in OSX.  As John
said, this is a crash (DOS) bug, but there are no security implications.
J

On Wed, Mar 25, 2009 at 9:35 PM, Jon Kibler <Jon.Kibler at aset.com> wrote:

> Michael wrote:
> > Hi,
> >
> > I am writing concerning the recent security problems with PDF files
> > (JBIG2 buffer overflows).  I did see a post at the SANS Internet Storm
> > Center (http://isc.sans.org/diary.html?storyid=5932) that sort of
> > hinted that the problem might exist for MacOS X 10.5 Preview, but I am
> > wondering if anything has been issued as official guidance for persons
> > running OS X (in my case, Leopard, specifically) in terms of a
> > mitigation, fix, or workaround.  I do note that Apple released a
> > security update in mid February 2009, but further perusal of that
> > document (
> > http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html
> > ) doesn't mention anything to do with PDFs.
> >
> > I can't avoid PDFs forever.  Are there any mitigations, advisories or
> > good alternative PDF readers for Mac?
> >
> > Michael
>
> Michael,
>
> I actually sent a detailed analysis of the MacOS PDF issue to Apple.
>
> Since only Acrobat Reader supports JavaScript (at least of the major PDF
> apps that run on the Mac), the worst that will happen is that Finder,
> Preview, or whatever will crash. Also, there is a patched Acrobat for Mac.
>
> Bottom line: Is not a security issue per se, but can cause S/W to crash.
> Also, until you have a patch, don't put PDFs on your desktop.
>
> One final point... if you do have a bad PDF crash an app, restart MacOS.
> In testing, I was able to crash MacOS after repeated PDF crashes under a
> specific set of circumstances I will not disclose. However, a simple
> reboot seems to avoid that issue.
>
> Jon
> - --
> Jon R. Kibler
> Chief Technical Officer
> Advanced Systems Engineering Technology, Inc.
> Charleston, SC  USA
> o: 843-849-8214
> c: 843-224-2494
> s: 843-564-4224
> http://www.linkedin.com/in/jonrkibler
>
> My PGP Fingerprint is:
> BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253



-- 
Joel Esler
T: 302-223-5974 (-) Gtalk: jesler at sourcefire.com