Forgot your password?
typodupeerror
Security IT

PDF Exploits On the Rise 183

Posted by timothy
from the worse-than-a-bad-moon- dept.
An anonymous reader writes "According to the TrustedSource Blog, malware authors increasingly target PDF files as an infection vector. Keep your browser plugins updated. From the article: 'The Portable Document Format (PDF) is one of the file formats of choice commonly used in today's enterprises, since it's widely deployed across different operating systems. But on a down-side this format has also known vulnerabilites which are exploited in the wild. Secure Computing's Anti-Malware Research Labs spotted a new and yet unknown exploit toolkit which exclusively targets Adobe's PDF format.'"
This discussion has been archived. No new comments can be posted.

PDF Exploits On the Rise

Comments Filter:
  • Not to worry. (Score:5, Insightful)

    by morgan_greywolf (835522) on Tuesday September 23, 2008 @09:47AM (#25119481) Homepage Journal

    I'm sure Secure Computing has a product for that. :-/

    • Re:Not to worry. (Score:5, Insightful)

      by electrictroy (912290) on Tuesday September 23, 2008 @09:49AM (#25119527)

      Don't set your browser to auto-load PDF files. (Or any other file for that matter.) Download it first; scan it; then open it externally.

      • Re:Not to worry. (Score:5, Insightful)

        by Big Nothing (229456) <big.nothing@bigger.com> on Tuesday September 23, 2008 @09:56AM (#25119623)

        Or don't use Adobe Reader, instead use one of the many competent and more secure open alternatives.

        • I was wondering whether there was any hope of getting websites to start saying "requires a PDF reader" instead of "requires Adobe's PDF reader". The non-Adobe readers I've used have pretty much all rendered docs fine and twice as quickly to boot.

          • Re:Not to worry. (Score:5, Insightful)

            by mpe (36238) on Tuesday September 23, 2008 @10:09AM (#25119831)
            I was wondering whether there was any hope of getting websites to start saying "requires a PDF reader" instead of "requires Adobe's PDF reader".

            This is only going to happen after this kind of thing is called an "Acrobat Reader exploit" rather than a "PDF exploit" though.
            • by netringer (319831)

              I was wondering whether there was any hope of getting websites to start saying "requires a PDF reader" instead of "requires Adobe's PDF reader".

              This is only going to happen after this kind of thing is called an "Acrobat Reader exploit" rather than a "PDF exploit" though.

              Yeah sure. You expect to hear that things are called a "Windows exploit" rather than "Web exploit," too?

        • Since Adobe Reader has such a bad rep, can anyone recommend a good free alternative for my windows box at work?

          • "Since Adobe Reader has such a bad rep, can anyone recommend a good free alternative for my windows box at work?"

            Yes. Ubuntu Linux is a great alternative to Windows.

            Oh, you meant an alternative to Adobe Reader?

            My personal favorite is pdf995, but it's not open and might be too much for you (if you just want to VIEW pdfs). If you want a JUST VIEWER (or if openness is important to you) you should probably go with xpdf. It's simple and fast although not the flashiest piece of software out there.

        • Or never ever use PDF since they are bloated pieces of shit. I have no idea why this fileformat is still clinging to life. They could easily all be replaced by png files or rft the only differences would be the files would be smaller load in 1/10 the time and you wouldnt need another useless bloated product to load them.

      • by houghi (78078)

        I do that even for htm, txt and css file types.

        Seriously, technically you are right. However the danger is not for the people here on /. The danger is with the people who have no clue on how to do this. Could you explain my grand parrents who still have problems with handling a mouse on how to do that?

        Can I give them your number so that each time they see something like this, they can call you on what to do. Because that will happen for many people.

      • I learned that the hard way. Computer was infected with that annoying Windows 2008 Antivirus with a PDF launching in a browser.

    • by db32 (862117)
      To be fair my experience with Secure Computing has been great. I haven't dealt with a lot of their stuff, but the Sidewinder Firewall is an incredible firewall.
  • Time for PDF Lite? (Score:5, Interesting)

    by davidwr (791652) on Tuesday September 23, 2008 @09:54AM (#25119587) Homepage Journal

    Most PDF files have nothing more than text, vector graphics, and images in "read-only" formats. They don't have fill-in-the-blank fields or load-a-codec-and-play-a-video, or active content.

    Web browsers need a "simple PDF" plugin that will activate on PDFs. If the "simple PDF" plugin loads a file with content it can't display, it will display what it can and give the user an opportunity to load the file in a full-fledged PDF plugin or external viewer.

    • by romanval (556418)
      Mac Safari already does that.. when you don't have Acrobat Reader installed.
      That's because of quartz library, which is Mac OS X's pdf based graphics rendering subsystem.
      It's great because it'll show pdfs directly in Mail app as an inline attachment. (no need to open it!).
  • Portable Virus Format, PVF

  • And don't forget to not only patch the latested operating system and browser vulnerabilities, but also keep an eye on third-party browser plugins like Adobe Reader, Flash Player and QuickTime.

    Why do all these security articles end up basically saying the same thing?

    Patch & update, rinse, repeat.

    Everything else in these security/warning articles just show you what happens to the people who never patch anything and open anything & everything.
    • Re: (Score:3, Interesting)

      by liquidpele (663430)
      Because that is the only option, and people need to hear it a lot or they forget and get owned.
  • by Anonymous Coward

    What if you use a PDF reader that's not made by Adobe?

  • I wonder why? (Score:5, Insightful)

    by Nerdposeur (910128) on Tuesday September 23, 2008 @09:59AM (#25119675) Journal

    Hmmmm. Maybe this is because they've crammed all kinds of interactive content into a Portable Document Format?

    I mean seriously. I thought the idea of PDFs was "this is as simple as a printed copy, and looks the same."

    • by Shados (741919)

      Wouldn't that describe PostScript better? And even Microsoft's XPS! PDF was pretty much always doing too much IMO... but its what caught on, meh. The features it provides are very very useful. Just not so useful in non-trusted environments.

      • Re:I wonder why? (Score:4, Informative)

        by Dr_Barnowl (709838) on Tuesday September 23, 2008 @11:30AM (#25121209)

        Postscript can contain function calls and as such, is often marked as a potential scripting threat. Google, for example, refuses to send raw eps files as attachments.

        A similar principle to Windows MetaFile, which is essentially a list of calls to the Windows graphics library ; several Windows exploits owe their birth to WMF calling unchecked functions in the graphics library.

        Note that just because a file format doesn't contain function calls or scripting does not make it secure. A poor implementation of any file reader can be vulnerable to a well crafted file. But active content makes things much easier, because it's much harder to check for security.

  • Sumatra PDF Reader (Score:5, Informative)

    by Anonymous Coward on Tuesday September 23, 2008 @10:03AM (#25119731)

    Use the Sumatra PDF Reader. It is a very lightweight reader. Since it doesn't have all the other useless bloat crap that Adobe's reader has, I'm sure it is a lot less vulnerable. It is also open source, so you don't have to rely on downloading an even more bloated version of Acrobat Reader to fix the exploits.

    http://blog.kowalczyk.info/software/sumatrapdf/

    I have this installed on all of the PCs here at the office. It has eliminated just about all of the issues i had with the adobe crapware.

  • PDF is essentially a compressed, higher ability Postscript, right? Postscript is a language, and that therefore would be how malware writers exploit it--they exploit bugs in the readers, which are essentially compilers--to compromise a system.

    • Re:Postscript (Score:5, Informative)

      by Angstroem (692547) on Tuesday September 23, 2008 @10:17AM (#25119947)

      PDF is essentially a compressed, higher ability Postscript, right?

      On the contrary, PDF is (originally) a subset of PS plus the ability to embed fonts into the document, apply some overall compression where sensible, and stitch everything together into one carrier.

      And while it is true that the past knows about "PS bombs" which e.g. will render your printer useless cause its interpreter is stuck in a loop (after all, PS is a Turing-capable programming language opening all sorts of fun if your idea of fun are stack-oriented languages), the problem with current PDF exploits comes from the fact that this format gets increasingly overloaded.

      I can see why one would love to see Javascript and embedding all kinds of multimedia stuff within PDF. Would bring PDF on par with Powerpoint with respect to animations etc. -- which wouldn't be the worst thing for me, cause I love doing slides with PDFtex and beamer, and Adobe of course would like to present their format as a vital alternative to those nasty office formats.

      But it also adds complexity. Instead of a simple postscript renderer you end up with a gazillion of helper libraries, bringing in their very own bugs.

      • Do you know if the bug is in Javascript portion of Acrobat Reader rather than the pdf portion.

        You can turn of Javascript for Acrobat Reader so that could be a temporary fix (or permanent depending on security prefs).

    • by romanval (556418)
      Postscript is a Turing complete language, but it's output can only be a page buffer. Kind of hard to spread a virus that way.

      PDF is a parametric page description format similar to (although nothing like) HTML... it's only Turing complete when it includes Javascript (although the percentage of pdfs created with embedded javascript are very small, certainly <1%)

      If anything, this means Javascript should be a separate OS library that the user can configure separately (and use different interpreters/en
  • by Jonah Hex (651948) <.moc.liamg. .ta. .smtodxeh.> on Tuesday September 23, 2008 @10:08AM (#25119801) Homepage Journal

    Interestingly enough, I have gotten 3 PDFs in the past few days in my corporate email inviting me to various "seminars" on technology subjects. All were very well written and professional looking but for products I have never used and companies I had not heard of. They passed both my email server's scanning and the local virus scan on my company laptop, however since I have very rarely gotten PDFs in the past I am now very suspicious.

    Jonah HEX

  • by neonprimetime (528653) on Tuesday September 23, 2008 @10:08AM (#25119807)
    Exploit the Windows operating system cause the majority of users have it. Exploit Internet Explorer because the majority of users have it. Exploit Office products because the majority of users have it. Exploit Adobe's PDF format because the majority of users have it.

    There is now Mac OS, various Linux distros, etc. There is FireFox, Opera, Chrome, etc. There is Open Office, etc. Maybe Adobe needs some good competition in the eyes of the public?
    • > Exploit the Windows operating system cause the majority of users have it.
      > Exploit Internet Explorer because the majority of users have it.
      > Exploit Office products because the majority of users have it.
      > Exploit Adobe's PDF format because the majority of users have it.

      Fortunately, you seem to be right. Remember back around 1998, when ActiveState Perl installed itself as a CLIENT-SIDE BROWSER SCRIPTING LANGUAGE for Internet Explorer, sitting alongside VBscript and JScript... but no real limits

      • by isorox (205688)

        just about anything you COULD do with Perl, which was "basically everything"

        $#/%% ^!&**//!\\|!($$

        There, just wiped your harddrive

  • by StarEmperor (209983) on Tuesday September 23, 2008 @10:16AM (#25119935) Homepage

    Wait, we're supposed to trust the findings from SCAM Research Labs?

    Personally, I'm waiting to get a job at Secure Computing's Over-The-Counter Hardware Research Lab.

  • Update (Score:5, Interesting)

    by pzs (857406) on Tuesday September 23, 2008 @10:25AM (#25120091)

    When I used to use Windows, I found Acrobat to be the most intrusive software ever because of its auto-update. Pretty much every time you try to open a document it's in your face demanding you allow it to update itself and then it often requests a reboot (a reboot? For a PDF viewer??)

    This seemed to happen every other week, even if appeased it by letting it do its thing. I suspect this update would be one possible attack vector.

    Yet another case in which a "fuck off" key would be a useful addition to the Windows keyboard.

    • by Dystopian Rebel (714995) * on Tuesday September 23, 2008 @11:01AM (#25120671) Journal

      Yet another case in which a "fuck off" key would be a useful addition to the Windows keyboard.

      Although I usually decry any MS Windows-only feature proposal for not supporting Linux, I feel it is appropriate in this case.

      • by pzs (857406)

        Other use cases where a "fuck off" key would be useful:

        - You are trying to download a file: cancel/allow (defaults to allow)

        - Millions of overlapping windows and popups (defaults to return to desktop)

        - This application has shat itself. Would you like to file a bug report (that will probably crash as well.) (Defaults to "no thanks")

        and of course the number 1 case:

        - You seem to be trying to type a letter, would you like some help with that? (defaults to hunting down the clippy developer and stabbing them with

      • Since a keyboard is a piece of hardware, and 'Windows' is a piece of sh.. ahem.. software, I don't think there should be any relationship at all.

        If Windows needs a 'fuck off' function, it would best be implemented in software. Of course the simplest way is just deleting it in its entirety, of course, and I'd rather not have remnants of it left in hardware.

    • by mako1138 (837520)

      If you don't run as Administrator, none of that stuff shows up.

  • Overuse of PDF (Score:4, Insightful)

    by owlnation (858981) on Tuesday September 23, 2008 @10:40AM (#25120341)
    The biggest issue is overuse and inappropriate use of PDF.

    The only reason to ever use PDF is if it is NECESSARY for your audience to print the document in question.

    Way too often websites have PDFs that are the only alternative for information. If you want to look up a train time for example, once and once only, you almost always have to download a PDF -- why? Sure, give people the choice of doing that if they want to, but there's no reason to slow down the internet for one-off pieces of information.

    With concerns about the environment (perceived real or theatrical, regardless), you'd think that firms would stop encouraging frivolous use of paper. With the extortionate cost of printer ink, you'd think that firms would also be cost-conscious.

    Uploading a 2 or 3 page document to the web in a PDF format is a criminal waste of resources, it's also an irritation that I don't need. I do not (and will never) work in a corporation. I do not need Office or PDF format -- ever. It's slow, and it's crap to read online.

    I can cheerfully live my entire life without it, and I sincerely wish retarded developers and content managers would stop forcing it on me.
    • Re:Overuse of PDF (Score:4, Insightful)

      by Ardeaem (625311) on Tuesday September 23, 2008 @10:57AM (#25120627)
      Often, the reason for this is that either 1) the document in question was first designed for a print medium, or 2) The material was dumped from some kind of database as PDF. Often to redesign the output to be a better in web format is nontrivial. Why should they waste so many workhours on such a thing? It would provide no benefit in terms of the information that is available. It would only keep you from being annoyed.

      Given that many of the organizations doing this are government organizations, and they use tax dollars, do you want your tax dollars spent on just redesigning output to be appropriate for HTML? I'll just deal with the (small) annoyance, thanks.

      Any format can be exploited. The (over)use of PDF is not the issue here.
      • Re: (Score:3, Insightful)

        by Locklin (1074657)

        Additionally, plenty of academic papers, presentations, and posters are written with LaTeX. I would rather see people posting such material to the web (in PDF), rather than the alternative of not posting it, or spending time fighting to convert things to HTML and having it look awkward.

    • by gtall (79522)

      Bullshit. Ever write a mathematics paper? You won't be doing that anytime soon in html (or some variant) and you are just plain not in mathematics if you attempt it in Word. The only system is (La)TeX and it generally produces .pdfs.

  • There should be a disclaimer on these sort of product-placement articles. Oh wait, there is, it was posted by timothy.
  • by Animats (122034) on Tuesday September 23, 2008 @11:10AM (#25120817) Homepage

    Firefox should ship with some minimal PDF reader instead of Adobe's. There's an incredible amount of junk in Adobe's PDF reader, which adds both vulnerabilities and load time. Has anyone ever used the WebBuy feature of Adobe PDF Reader?

  • I suspect, that its not the PDF format itself that has 'vulnerabilities' but it is in fact a certain well-known software the *reads* PDF format. And possibly only when running on a certain well-known software platform that is itself not famous for its lack of vulnerabilities.

    Of course, the vast majority of PHB's and Joe Sixpacks don't have the capacity or inclination to understand those distinctions, so TFA didn't bother to make it.

  • by British (51765) <british1500@gmail.com> on Tuesday September 23, 2008 @11:36AM (#25121319) Homepage Journal

    1. Has a tendency to make your browser freeze up
    2. Tries to infect some sort of TSR in Windows called Acrord32
    3. Will frequently pop up a "checking for updates" dialog
    4. Makes the fastest of computers slow to a crawl.
    5. a super-jumpy scrolling interface

    No wait, those aren't malware symptoms, that's just in Adobe's product. Next week we will discuss the incredible annoyances of the "java runtime environment" daily annoyances & clog-ups in "Add/Remove Programs". Do ANY software vendors know how annoying their software can be at times? Even Apple is guilty of forcing add-on installs you have no choice to get out of.

  • PDF displayers are a great example of the kind of application that should be trivially sandboxable. The process needs access to hardly anything; no network access needed, no filesystem access is even needed (just pipe the data in).

    It should run as nobody.

    • You've never had to (legitimately) get into an verified PDF, I presume. ProtectedPDF is a company which make a living on keeping honest users from accessing their content. Luckly, once you've activated, there are ways to convert the data to a more useful format.

  • This title begs for a notnews. I just can't think of any ideas for it. Although WordPad for Windows 7 is probably vulnerable.

    • by Shados (741919)

      Meh, im sure a text file in Unicode or another more archaic encoding could screw up Internet Explorer or some word processor or another. I mean, databases have had encoding based attacks for SQL strings (not the same as SQL injection attacks), so why not text processors =P Especially if that have some inner scripting support. That would be amusing. Fear the txt of doom!

  • by Alexander (8916) on Tuesday September 23, 2008 @01:49PM (#25123939) Homepage

    I'm sorry, but in that very brief article linked, I saw absolutely ZERO analysis concerning frequency.

    YAY! There's an exploit and toolkit. The existence of which is, in some sense, a useful piece of prior information for establishing the probability that there MIGHT BE an increase in frequency in the future - but it's quite a leap to have a freakin' /. link to a corporate article that uses hyperbole in claiming that there is some State of Nature or State of Knowledge that points to .pdf attacks being "On the rise".

  • PDF Files? Are the editors of this webroom a bunch of kiddy fiddlers [youtube.com]?

On the Internet, nobody knows you're a dog. -- Cartoon caption

Working...