Re: [Fed-Talk] Fed-talk Digest, Vol 10, Issue 183
- Subject: Re: [Fed-Talk] Fed-talk Digest, Vol 10, Issue 183
- From: "Miller, Timothy J." <email@hidden>
- Date: Thu, 17 Oct 2013 12:14:38 +0000
- Thread-topic: [Fed-Talk] Fed-talk Digest, Vol 10, Issue 183
The vector is PDF. Adobe's renderer has weaknesses, but similar
weaknesses can arise in anyone who implements the spec.
PDF was originally just a simplified version of Postscript. Postscript is
a full-fledged programming language, and malicious Postscript is known in
the wild (most commonly used to attack printers and printer drivers). The
PDF spec removed a lot of the language features (e.g., control loops), so
for a long time PDF was considered safer than Postscript.
Then Adobe *added the programming language features back*. Much fun has
since ensued.
FWIW, Postscript is classified Cat 2 Mobile Code under DoDI 8552.01, while
PDF was Cat 3. Since 2011 PDF is classed as Cat 2. This categorization
is based on analysis of the PDF specification, not the implementation of any
particular PDF renderer.
PDF/A could probably still be considered Cat 3, but it's probably not safe
to try to make fine-grained distinctions within the PDF specs. How many
people can tell PDF from PDF/A from PDF/X?
-- T
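The point above, that PDF regained scripting features and that the risk is in the format rather than one renderer, is something a practitioner can check for directly. The scanner below is an added example written for this page, not code from the thread or from any PDF vendor; the indicator list, the function names and the three sample documents are the editor's own constructions. It counts the names that introduce active content (/JavaScript, /JS, /OpenAction, /AA, /Launch and so on), resolves the #xx hex escapes the PDF name syntax allows (so /J#61vaScript is recognised as /JavaScript), and inflates FlateDecode streams so names hidden in compressed objects are seen too.

```python
import re
import zlib

# Names that introduce active content or external actions in a PDF. This
# selection is the editor's own (it is not from the mailing-list thread); it
# mirrors the kind of keyword triage that tools such as pdfid perform.
SUSPICIOUS_NAMES = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "inline JavaScript code (string or stream)",
    b"/OpenAction": "action run when the document is opened",
    b"/AA": "additional actions (document, page or field event triggers)",
    b"/Launch": "launch an external program or file",
    b"/EmbeddedFile": "embedded file payload",
    b"/RichMedia": "Flash / rich-media annotation",
    b"/XFA": "XFA forms, which may carry their own scripts",
}

# PDF names may spell any byte as #xx, so /J#61vaScript is /JavaScript.
_NAME_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Body of every stream object; DOTALL because compressed data spans lines.
_STREAM_BODY = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# A name ends at white space, a delimiter or end of buffer, so /JS does not
# match inside /JSomething and /JavaScript does not count as /JS.
_NAME_END = rb"(?=[\s/\[\]<>(){}%]|$)"


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so obfuscated names compare as plain text."""
    return _NAME_HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return the concatenated contents of every stream that inflates as
    Flate (zlib). Streams using other filters, or none, are skipped here;
    their bytes are still scanned in raw form by scan_pdf()."""
    chunks = []
    for m in _STREAM_BODY.finditer(data):
        try:
            # decompressobj tolerates trailing bytes after the zlib stream
            chunks.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return b"\n".join(chunks)


def scan_pdf(data: bytes) -> dict:
    """Count suspicious names in the raw file and in inflated streams.

    Returns {name: count}; an empty dict means none of the indicators
    were found. This is a triage heuristic, not a PDF parser: object
    streams, cross-reference streams and non-Flate filters are not decoded.
    """
    visible = normalize_names(data) + b"\n" + normalize_names(inflate_streams(data))
    hits = {}
    for name in SUSPICIOUS_NAMES:
        count = len(re.findall(re.escape(name) + _NAME_END, visible))
        if count:
            hits[name.decode()] = count
    return hits


# --- Constructed sample documents (hand-written for this example) ---

BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Document-open action pointing at a JavaScript action whose /S name is
# hex-escaped, a trick that defeats a naive grep for "/JavaScript".
MALICIOUS_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def build_flate_sample() -> bytes:
    """Same JavaScript action, but hidden inside a FlateDecode stream so the
    names are invisible until the stream is inflated."""
    body = b"<< /S /JavaScript /JS (app.alert('constructed sample')) >>"
    compressed = zlib.compress(body)
    return (
        b"%PDF-1.5\n4 0 obj << /Length " + str(len(compressed)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + compressed
        + b"\nendstream\nendobj\n%%EOF\n"
    )


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_PDF), ("escaped-name", MALICIOUS_PDF),
                       ("flate-hidden", build_flate_sample())]:
        print(label, scan_pdf(doc) or "no indicators")
```

Two caveats follow from the thread's own point. First, a hit is evidence of active content, not of malice: forms and legitimate document-level scripts use the same names, so this is a triage filter that decides what gets opened in a sandboxed viewer, not a verdict. Second, because the exposure lives in the specification, a renderer that does not implement these features (the PDF/A profile the post mentions forbids JavaScript and embedded files) is the more durable mitigation than any keyword scan.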
On 10/16/13 3:48 PM, "David Emery" <email@hidden> wrote:
>Is PDF the attack vector, or is Adobe Acrobat? I don't run Adobe Acrobat
>on my Mac, Preview.app does a great job with PDFs (and I don't remember
>any CERT advisory against it.) Adobe is the new Microsoft, with respect
>to vulnerabilities and arrogance associated with them. MS has done a
>very good job over the last 5-10 years tightening up their codebase.
>
>It would be A Good Thing if DOD actually lived up to its Open
>Standards/Open Systems policies and adopted office automation formats
>that are standards and that have undergone appropriate review against
>vulnerabilities as "cargo." With respect to word processing, I know
>people whose preferred format for document exchange is RTF. The problem
>with RTF is there's no good definition (i.e. "standard"), but its simple
>mark-up is good for about 99% of what we need for documents.
>
>On a related topic, I think embedded documents in MS Office products are
>inherently evil, as well as buggy.
>
>But part of the problem in your list is confusing server with
>client/desktop. ASP is a server-side mechanism. So is JSP. Securing
>servers is a different proposition (in terms of investment, expertise,
>number of systems, etc, etc) than securing desktops. I'm no fan of 'thin
>clients' in the tactical world (you lose control over bandwidth), but I
>do see the advantage for systems that operate on "advantaged" transport
>(e.g. LANs with fiber connections to the rest of the Internet.)
>
>And I'm definitely old enough to remember computing before Microsoft
>Office. I still prefer mark-up languages over WYSIWYG word processors,
>with a strong preference for Scribe's syntax and dual-inheritance
>semantics. MacDraw worked great for doing presentations, and Excel was
>originally the Mac application Multi-Mate.
>
>With respect to "function[ing] in a modern office," all I can say is I've
>done pretty well over the last 35 years. More significantly, for the
>last 28 of those (excepting 1 year in the Pentagon in 1999-2000) I've
>done all my office automation work on Macs.
>
> dave
>
>On Oct 16, 2013, at 16:24, "Blumenthal, Uri - 0558 - MITLL" <email@hidden> wrote:
>
>> On 10/16/13 16:06 , "David Emery" <email@hidden> wrote:
>>
>>> I don't disagree with you on JavaScript, but I think Flash is a lot
>>> worse :-)
>>
>> Hmm, now I have to agree with you... What's going on? :-)
>>
>>> But you've captured my logic: An application that is a common attack
>>> vector should be avoided, and it's certainly not something I'd include
>>>in
>>> my (informal) Trusted Computing Base.
>>
>> Great! Let's get rid of PDF (huge attack vector), of all the MS Office
>> applications and formats (after all, the [in]famous RSA attack was
>> delivered in an XLSX file), image files (yes, they are vectors, believe
>> it or not), JavaScript, ASP, etc... Oh, and of Java - but of course...
>> You'd be 100% unable to function in a modern office (unless you're its
>> sole occupant, employee and boss) - but what does that matter when
>> you've eliminated a few of the common attack vectors...?
>>
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden