New Method Could Hide Malware In PDFs, No Further Exploits Needed

Trailrunner7 writes "A security researcher has managed to create a proof-of-concept PDF file that executes an embedded executable without exploiting any other security vulnerabilities. The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file. With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this."

Re:PDF-XChange

[abigor]

Do you always refer to yourself with the royal "we"?

Windows only again?

[Anonymous Coward]

Poor Mac OS X and Linux users are left out again.

Re:Clever social engineering...

[T Murphy]

The guys at Adobe heard about oscilloscopes with hidden games on them, and Word's flight simulator, so they incorporated "features" so they could make an easter egg of their own. They never got around to that easter egg, so now lots of people are kindly lending them a hand at it.

Re:PDF-XChange

[idontgno]

I'm pretty sure a substantial minority of your eukaryotes actually prefer Adobe products.

The "we" you're using is just your corporeal ruling elite talking, Man! It's just another example of your neurons keepin' your connective cells and fat tissue down!

Hey Google, integrate this too!

[Graham J - XVI]

Chrome integration of one buggy plugin deserves another, right?

Re:PDF-XChange

[natehoy]

As Mark Twain once said, "Only kings, presidents, editors, and people with tapeworms have the right to use the editorial 'we.'"

Peter does not appear to be a king, is unlikely to be a president, and he's probably not an editor...

Re:PDF-XChange

[suomynonAyletamitlU]

To be fair, my fatty tissue is an ass, and my connective tissues jerk me around all the time.

Re:PDF-XChange

[treeves]

We recommend niclosamide or another anthelminthic for Pete.

Worst security flaw of the decade

[MobyDisk]

There is a command in the PDF language that says "execute the following command-line!" I thought having that ability in the scripting language was dumb. But it's actually available in the document description format? What possible purpose could that server? I don't want a message box added, or a security setting -- just remove that command entirely from the implementation!

How did this come about when they were designing the PDF format?
      "Let's make it support bold, italic, underline, and execute."
One of the above does not fit with the others.

Re:PDF-XChange

[PhxBlue]

In all fairness, it's hard sometimes to separate the tapeworms from the editors on Slashdot. But generally, the tapeworms have better grammar. :)

Re:Sad

[QRDeNameland]

...I was thinking PoC meant Piece of Crap which I thought was redundant when referring to a PDF.

In my experience, the proper industry acronym is BFPoC, for Big Fat Piece of Crap, a term allegedly coined by one Artemus Clyde Frog.

Re:Sad

[shutdown -p now]

This is one reason open-source is generally better: when an open-source project is done, the developers leave it that way (unless any bugs are found), and go find something else productive to work on.

One word: Emacs.