Message-ID: <acdc033d05042706374cd6fdad@mail.gmail.com>
Date: Wed Apr 27 14:37:14 2005
From: michealespinola at gmail.com (Micheal Espinola Jr)
Subject: Re: email attack vector just got wider

Right, but do the AV vendors recognize an encrypted/password-protected PDF - 
like they would/could a compressed archive (ZIP, etc.)?
I haven't seen any that can. I'm using Symantec 9, and I'd be interested to 
know if anyone is using a competitor that addresses this issue directly.
Thanks,

 On 4/26/05, Randall M <randallm@...mail.com> wrote: 
> 
> Just my 2cents worth. About the only defense is using programs such as 
> MailSecurity to block and alert when anything is encrypted or password 
> protected.
>   
> thank you 
> Randall M 
> 
> "If we ever forget that we're one nation under God, then we will be a 
> nation gone under." 
> - Ronald Reagan 
> _________________________________ 
> 
>  
>  ------------------------------
> *From:* full-disclosure-bounces@...ts.grok.org.uk [mailto:
> full-disclosure-bounces@...ts.grok.org.uk] *On Behalf Of *Micheal Espinola 
> Jr
> *Sent:* Tuesday, April 26, 2005 11:56 AM
> *To:* Full Disclosure
> *Subject:* [Full-disclosure] Re: email attack vector just got wider
> 
> An update:
> My latest finding is that Adobe PDFs with embedded attachments can be 
> bundled and distributed as a Secure Electronic Envelope (eEnvelope). 
> eEnvelopes are designed to protect documents in transit with the use of 
> encryption. 
> Password-protected .ZIPs are typically addressed at the SMTP gateway by 
> AV software with the option to strip or reject compressed file attachments 
> that are not readily scannable (due to the password protection, etc.). 
> Although Adobe recommends enabling scanning all file types in order to 
> scan a PDF (and ass/u/me'ing its embedded contents as well), an AV scanner 
> is not currently going to be able to scan this encrypted content until the 
> content has been rendered/unencrypted at the desktop. 
> While many AV vendors have factored certain compressed archive standards 
> into their products, I have seen no indication that this is being addressed 
> for this relatively new and already widely deployed product.
> Call me a worry-wart, but I foresee this as the next "in" for malware 
> distribution.
> 
> 
> On 4/25/05, Micheal Espinola Jr <michealespinola@...il.com> wrote: 
> > 
> > Perhaps not "just". My apologies to those who are aware of this, but 
> > it seems Adobe 6 also had this capability - although many people have 
> > been unaware of this. I recently upgraded from 5 to 7, so I missed this 
> > potential issue from the get-go. 
> > Someone pointed out to me that Symantec does have a bulletin stating 
> > that by setting your AV to "scan all files" you can detect a virus inside a 
> > file embedded into a PDF.
> > Unfortunately, this does not address the blocking of certain 
> > attachments outright.
> > 
> >  On 4/25/05, Micheal Espinola Jr <michealespinola@...il.com > wrote: 
> > > 
> > > It seems most people I know haven't noticed that the new version of 
> > > Adobe Acrobat (7) now allows for embedded/attached documents.
> > > Since PDFs have generally been considered a safe document format and 
> > > are typically not blocked by content/attachment scanners, this now opens an 
> > > email-based attack vector that anti-virus providers [to the best of my 
> > > knowledge] are not currently addressing. 
> > > Many thanks to Adobe for creating another issue for us to deal with, 
> > > and especially for not having the forethought to coordinate with anti-virus 
> > > vendors to prepare for assuredly future exploitation of the technology. 
> > > 
> > > -- 
> > > ME2
> > > 
> > > my home: <http://www.santeriasys.net/>
> > > my photos: <http://mespinola.blogspot.com/> 
> > > 
> > 
> > 
> > 
> > -- 
> > ME2
> > 
> > my home: <http://www.santeriasys.net/>
> > my photos: <http://mespinola.blogspot.com/> 
> > 
> 
> 
> 
> -- 
> ME2
> 
> my home: <http://www.santeriasys.net/>
> my photos: <http://mespinola.blogspot.com/> 
> 
> 


-- 
ME2 <http://www.santeriasys.net/>

photography: <http://mespinola.blogspot.com/>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050427/176e3ec6/attachment.html
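The gateway policy the thread converges on (Randall M's "block and alert when anything is encrypted or password protected", plus Micheal's point that a PDF with an embedded file is as opaque to a scanner as a password-protected ZIP) can be implemented as a structural pre-check that runs before the AV engine ever sees the attachment. The block below is an added example written for this archive page; it is not code from any of the posters or from any AV product. It scans the raw bytes of a PDF for the name objects that signal encryption (/Encrypt in the trailer) or embedded files (/EmbeddedFile, /EmbeddedFiles, /FileAttachment), resolves the #xx hex escapes that PDF names allow so that /Embedded#46ile is not missed, and flags PDF 1.5 object streams, inside which such dictionaries can be compressed out of sight of a raw keyword scan. The function names and verdict strings are this example's own, and the sample PDFs are constructed inline and deliberately minimal; they exercise the checks but would not open in a viewer.

```python
"""Mail-gateway triage for PDF attachments.

Added example for this thread, not code from the original posts or from any
AV vendor. Policy: a PDF that is encrypted or that carries embedded files
cannot be content-scanned, so it is quarantined instead of being waved
through as a "safe" document type. The sample PDFs at the bottom are
constructed for this example and are deliberately minimal.
"""
import re

# A PDF name is "/" followed by regular characters; whitespace and the
# delimiters ( ) < > [ ] { } / % end it. Since PDF 1.2 any byte in a name may
# be written as #xx, so /EmbeddedFile may appear as /Embedded#46ile.
_NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]*)")
_HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")

# Names that mean "content an AV engine cannot see without unpacking".
ATTACHMENT_NAMES = {b"EmbeddedFile", b"EmbeddedFiles", b"FileAttachment"}


def decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes in a PDF name (b'Embedded#46ile' -> b'EmbeddedFile')."""
    return _HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def pdf_names(data: bytes) -> set:
    """All name objects in the raw file, with #xx escapes resolved."""
    return {decode_name(m.group(1)) for m in _NAME_RE.finditer(data)}


def pdf_indicators(data: bytes) -> dict:
    """Cheap structural indicators a gateway can compute without rendering."""
    names = pdf_names(data)
    return {
        "is_pdf": data.lstrip().startswith(b"%PDF-"),
        "encrypted": b"Encrypt" in names,          # /Encrypt entry in the trailer
        "embedded_files": bool(names & ATTACHMENT_NAMES),
        # PDF 1.5 object streams hold dictionaries in compressed form, where a
        # raw keyword scan cannot see them; treat their presence as inconclusive.
        "object_streams": b"ObjStm" in names,
    }


def gateway_verdict(data: bytes) -> str:
    """Quarantine anything the AV engine cannot scan as content."""
    ind = pdf_indicators(data)
    if not ind["is_pdf"]:
        return "not-pdf"
    if ind["encrypted"]:
        return "quarantine: encrypted PDF, cannot be content-scanned"
    if ind["embedded_files"]:
        return "quarantine: PDF carries embedded file attachments"
    if ind["object_streams"]:
        return "review: object streams present, raw keyword scan is inconclusive"
    return "allow"


# --- constructed samples (not real files from the thread) -------------------
PLAIN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Acrobat-style attachment: a Filespec pointing at an /EmbeddedFile stream,
# registered in the catalog's /EmbeddedFiles name tree.
ATTACH_PDF = b"""%PDF-1.6
1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles 3 0 R >> >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Names [ (payload.exe) 4 0 R ] >> endobj
4 0 obj << /Type /Filespec /F (payload.exe) /EF << /F 5 0 R >> >> endobj
5 0 obj << /Type /EmbeddedFile /Length 2 >> stream
MZ
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same structure with the key names hex-escaped, as an evasion attempt.
OBFUSCATED_PDF = ATTACH_PDF.replace(b"/EmbeddedFiles", b"/Embedded#46iles") \
                           .replace(b"/EmbeddedFile ", b"/Embedded#46ile ")

# Standard security handler: /Encrypt in the trailer means streams and strings
# (including any embedded file) are encrypted and opaque to the scanner.
ENCRYPTED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Filter /Standard /V 2 /R 3 /Length 128 /P -1 /O <00> /U <00> >> endobj
trailer << /Root 1 0 R /Encrypt 3 0 R /ID [ <01> <01> ] >>
%%EOF
"""

if __name__ == "__main__":
    for label, blob in [("plain", PLAIN_PDF), ("attachment", ATTACH_PDF),
                        ("obfuscated", OBFUSCATED_PDF), ("encrypted", ENCRYPTED_PDF)]:
        print(f"{label:11s} {gateway_verdict(blob)}")
```

Run stand-alone it prints one verdict per sample: the plain file is allowed, both attachment variants (including the hex-escaped one, which a naive substring match for "EmbeddedFile" would miss) are quarantined, and the encrypted file is quarantined before its contents are even considered. This is a triage heuristic on raw bytes, not a PDF parser: it deliberately errs toward quarantine (an /Encrypt name anywhere in the file trips it) and, because object streams can hide the relevant dictionaries, a production gateway should hand "review" verdicts to a real parser that inflates /ObjStm before deciding.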
