Old 04-14-2024, 10:39 PM   #21
RogueScholar
Junior Member
Posts: 2
Karma: 10
Join Date: Sep 2023
Location: Northern California, USA
Device: Barnes & Noble Nook HD+
Coming from a background in I.T., and within that some infosec, let me see if I can expand on the nature of this alert so that readers can make a more informed decision about whether it's worth avoiding the application over it.

The threat signature detected identifies the security concern as the presence of a code snippet with a known vulnerability. Based on its origin on SourceForge, this is likely a byproduct of bundling a piece of software known as the "Naver Toolbar" with the underlying WinDjView installer. Naver is a legitimate South Korean software company that's currently best known for their web browser, Whale, not some hacker group. The concern is not so much its presence at all in the installer package (SF only bundles fairly garden-variety adware from what I have seen, though I have no first-hand experience with this exact "flavor" or its removal process) but more precisely the version of it that's present. Versions prior to v4.0.30.323, which was released sometime in 2021, contained vulnerable code that allowed remote code execution, which was confirmed to have been removed/replaced in the version mentioned above.

While the vulnerability is not insignificant, allowing an attacker to launch another script or program on your computer without your knowledge, the attack surface for it is pretty small in scope. To take advantage of this vulnerability, an attacker needs you to download an update.xml file (or visit a web page which loads such a file) with certain malformed characters in the contents of its name field, which crash the toolbar in such a way that the program will then respond to remote instructions. While that would indeed be nigh-calamitous, I would tend to believe that this would only be a major concern for people who are prone to visiting malicious websites in the first place, as few people I know will voluntarily download a file named update.xml absent a good reason from a trusted source.

Another valuable clue to evaluating this is the presence of "PUA" in the threat signature shown: PUA:Win32/Vigua.A. PUA is an acronym for "Potentially Unwanted Application" and is not considered a standalone virus, malware, or other type of threat; it only means that the application matches a heuristic designed to detect unwanted behavior, which 90% of the time is displaying ads somewhere so someone else can make a dime. If it follows the same pattern as other SourceForge downloads I've handled, it was possible to deselect a checkbox in the installation wizard to decline the installation of the bundled software (Naver Toolbar, in this case), which behaved honestly and resulted in only the original package being added to the system with none of the bundle. Following the same process during the installation of WinDjView should likewise leave no cause for concern.

Naver has had more than their share of reported vulnerabilities, but they do report them publicly and patch them quickly once reported or discovered. You can see their page on this one here. My gut tells me this is just a company trying to carve out a niche in a tough market segment and, through some combination of understaffing, low pay or just unrealistic expectations, often succumbs to releasing sloppy code. If I had a spare Windows instance to test the installer on I gladly would, but I've been a Linux user on all my personal computers for many years.

I hope people don't avoid the DjVu file format altogether based solely on this. I've always thought it was a nifty file format with a unique set of advantages that languished unnecessarily only because Adobe had a lot more money at the time of its introduction and used it to ensure that their PDF standard remained dominant. If such a thing as a free marketplace were able to exist, and had back then, it wouldn't surprise me if we all had a few .djvu files kicking around on our hard drives amongst the PDFs, along with some ubiquitous reader software installed to open them. I always have the DjVuLibre suite and DjView4 viewer installed on my computers and can attest to their trustworthiness, though not how well their Windows versions function.

This concludes tonight's InfoSec Evening Report, and we return you now to your regularly scheduled reading.

Last edited by RogueScholar; 04-14-2024 at 10:41 PM. Reason: Fix wink emoji at conclusion of post
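The post above boils down to two triage rules: a PUA-class signature by itself signals unwanted behaviour rather than malware, and the bundled Naver Toolbar is only a real concern below the first fixed release, v4.0.30.323. The following is an added example (not code from the post, nor from Naver, WinDjView or any antivirus vendor) that turns those two rules into a small triage helper. The version threshold and the signature name PUA:Win32/Vigua.A are taken from the post; the `Detection` record shape, the verdict labels, and every detection record in `SAMPLE_DETECTIONS` are constructed for illustration and do not mirror any scanner's real output format. The one thing it shows that the prose does not is why the version check must be numeric: compared as strings, "4.0.30.1000" sorts before "4.0.30.323" and would be wrongly flagged as vulnerable.

```python
"""Triage helper for an AV hit on a bundled installer component.

Added example, not code from the forum post or from Naver / WinDjView.
The fixed-version threshold and the PUA signature name come from the post;
the Detection record layout, the verdict strings and SAMPLE_DETECTIONS are
constructed for illustration (assumptions, not any scanner's real output).
"""
from typing import List, NamedTuple, Optional, Tuple

# First Naver Toolbar release in which the RCE-capable code was replaced (from the post).
FIXED_TOOLBAR_VERSION = "4.0.30.323"

# Verdict labels (assumed naming, not a vendor convention).
UPDATE_OR_REMOVE = "update-or-remove"   # vulnerable toolbar build present
ADWARE_ONLY = "adware-only"             # PUA heuristic only, decline/uninstall at leisure
INVESTIGATE = "investigate"             # not a PUA signature: treat as a real detection


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'v4.0.30.323' into (4, 0, 30, 323) so comparisons are numeric, not lexical."""
    parts = text.strip().lstrip("vV").split(".")
    try:
        return tuple(int(p) for p in parts)
    except ValueError as exc:
        raise ValueError(f"not a dotted numeric version: {text!r}") from exc


def is_vulnerable_toolbar_version(found: str, fixed: str = FIXED_TOOLBAR_VERSION) -> bool:
    """True when `found` is strictly older than the first fixed release."""
    a, b = parse_version(found), parse_version(fixed)
    # Pad the shorter tuple with zeros so "4.0.30" is compared as "4.0.30.0".
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


class Detection(NamedTuple):
    signature: str            # scanner signature, e.g. "PUA:Win32/Vigua.A"
    component: str            # what the scanner says it flagged
    version: Optional[str]    # that component's version, when the scanner reports one


def triage(det: Detection) -> str:
    """Apply the post's two rules and return one of the verdict labels above."""
    sig_class = det.signature.split(":", 1)[0].strip().upper()
    if det.component.strip().lower() == "naver toolbar" and det.version:
        # The toolbar is only a code-execution concern below the fixed build.
        if is_vulnerable_toolbar_version(det.version):
            return UPDATE_OR_REMOVE
        return ADWARE_ONLY
    if sig_class == "PUA":
        # "Potentially Unwanted Application": a behaviour heuristic, not a malware family.
        return ADWARE_ONLY
    return INVESTIGATE


def triage_all(dets: List[Detection]) -> List[Tuple[str, str]]:
    """Return (component, verdict) pairs for a batch of detections."""
    return [(d.component, triage(d)) for d in dets]


# Constructed sample records; the "Trojan:Win32/Example" signature is a placeholder.
SAMPLE_DETECTIONS = [
    Detection("PUA:Win32/Vigua.A", "Naver Toolbar", "4.0.29.100"),   # older than fix
    Detection("PUA:Win32/Vigua.A", "Naver Toolbar", "4.0.30.323"),   # exactly the fix
    Detection("PUA:Win32/Vigua.A", "Naver Toolbar", "4.0.30.1000"),  # newer, lexically "smaller"
    Detection("PUA:Win32/Vigua.A", "Naver Toolbar", None),           # version unknown
    Detection("Trojan:Win32/Example", "unknown", None),              # not a PUA hit
]

if __name__ == "__main__":
    for component, verdict in triage_all(SAMPLE_DETECTIONS):
        print(f"{component:15s} -> {verdict}")
```

When the scanner does not report a toolbar version (fourth sample record), the helper falls back to the PUA rule rather than guessing; in that situation the practical step is the one the post describes, declining or uninstalling the bundled component, or checking the installed build number by hand against 4.0.30.323.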