New Method Could Hide Malware In PDFs, No Further Exploits Needed
Trailrunner7 writes "A security researcher has managed to create a proof-of-concept PDF file that executes an embedded executable without exploiting any other security vulnerabilities. The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file. With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this."
Re:Sad (Score:5, Insightful)
But for once Adobe is actually more secure than the better alternative Foxit. Adobe PDF Reader at least warns and asks your permission to run the file, but Foxit does neither and just happily runs it. That fact made me uninstall Foxit for now at least.
further proof D. Knuth was right (Score:5, Insightful)
Notice you never hear about exploits-of-the-week like this for LaTeX!
"This cannot be patched" (Score:5, Insightful)
"This cannot be patched because it isn't a vulnerability." Uhh yes it can, and sure it is. There are millions of bugs that were entirely by design and the designs adapted to eliminate them. I will grant that they might have to break the PDF spec to fix it but frankly it is the right thing to do for everyone concerned.
Re:further proof D. Knuth was right (Score:5, Insightful)
I can't decide if you're trying to be ironic, but there are no 'vulnerabilities' in LaTeX because the ability to interact with files and run arbitrary programs is part of the language. The reason LaTeX isn't often exploited is that it is very rare to run LaTeX programs from untrusted sources; you distribute the output from the program, not the program itself.
On a slightly different topic, is there a competition going on in Adobe to see if the Flash or Acrobat teams can collect the most security advisories?
Re:Sad (Score:4, Insightful)
Of course, the average user is known to thoroughly read the warnings and definitely will not click "OK, just get this thing out of my face" within half a second after the dialog box has finished rendering.
Re:"This cannot be patched" (Score:3, Insightful)
Exactly. To execute code, at some point, the reader is branching into data created or loaded by the pdf. When is that ever a good idea? If it's part of the PDF spec then it's a pretty good part to break compatibility with.
Re:Clever social engineering... (Score:3, Insightful)
If you design a sharp blade into an out-of-the-way spot of a hammer, don't be upset if you get cut while driving nails.
Not every tool is proper for every job. Using PDF as a general-purpose computing language is either mistaken or willfully stupid.
PDF is a document format. It's an output format. It's not a form-entry language. It's not the web. It's not an operating system. It sure as hell shouldn't be able to trigger any open-ended OS action. Its vocabulary of actions and action subjects should be limited...to just PDFs. Interpreted entirely internally.
Any use case that involves running external programs from within the PDF interpreter is a broken use case, caused by misapplying a tool for a purpose it's not properly intended for.
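The policy this comment argues for, an action vocabulary limited to the document itself, can be approximated on the receiving side by checking which action types a file declares. The following is an added example, not part of the thread or of any PDF reader's code: the action-type names come from the PDF specification (ISO 32000-1, section 12.6.4), while the choice of which ones count as internal, the function names and the sample bytes are assumptions made here.

```python
import re

# Action types defined in ISO 32000-1, section 12.6.4.
KNOWN_ACTIONS = {
    "GoTo", "GoToR", "GoToE", "Launch", "Thread", "URI", "Sound", "Movie",
    "Hide", "Named", "SubmitForm", "ResetForm", "ImportData", "JavaScript",
    "SetOCGState", "Rendition", "Trans", "GoTo3DView",
}
# Assumption for this example: actions that only affect the open document.
INTERNAL_ACTIONS = {"GoTo", "Named", "Hide", "SetOCGState", "ResetForm",
                    "Trans", "GoTo3DView"}

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# The /S key followed by a name object; /S is also used by non-action
# dictionaries (e.g. /S /Transparency), so values are filtered below.
_S_ENTRY = re.compile(rb"/S\s*/([^\s/<>\[\](){}%]+)")

def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /L#61unch is recognised as /Launch."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]),
                            raw).decode("latin-1")

def external_actions(pdf_bytes: bytes) -> list[str]:
    """Return declared action types that reach outside the document."""
    found = []
    for match in _S_ENTRY.finditer(pdf_bytes):
        name = decode_name(match.group(1))
        if name in KNOWN_ACTIONS and name not in INTERNAL_ACTIONS \
                and name not in found:
            found.append(name)
    return found

# Constructed sample: dictionary fragments only, not a complete PDF file.
SAMPLE = (
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /L#61unch >> endobj\n"
    b"3 0 obj << /Subtype /Link /A << /S /GoTo /D [6 0 R /Fit] >> >> endobj\n"
    b"4 0 obj << /S /URI /URI (https://example.invalid/) >> endobj\n"
    b"5 0 obj << /Type /Group /S /Transparency >> endobj\n"
)

if __name__ == "__main__":
    print(external_actions(SAMPLE))
```

Dictionaries stored inside compressed object streams are not visible to a raw byte scan, so a clean result on such a file means only that nothing was found in the uncompressed portion.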
Re:Seriously, just uninstall Reader already. (Score:2, Insightful)
Yeah, because Google doesn't have enough of your info already.
Re:Sad (Score:1, Insightful)
dunno how it holds up as far as security but for basic pdf needs sumatra > foxit imo.. http://blog.kowalczyk.info/software/sumatrapdf/index.html
Re:Seriously, just uninstall Reader already. (Score:2, Insightful)
With the google doc extension, don't you need to be online? Also, that's assuming you don't mind google caching on the pdf you're opening, right?
Re:"This cannot be patched" (Score:3, Insightful)
One man's feature is another man's defect.
In the case of security "features", one man's feature is EVERYONE's defect.
Re:Clever social engineering... (Score:5, Insightful)
You've never dealt with a marketing department, clearly.
"Hey, you know what would be cool? What if PDF documents could also play videos?"
"Um.. well, it's technically possible but I don't think that-"
"Great! WE MUST HAVE THIS FEATURE! NOW! DROP EVERYTHING AND GET TO IT!"
Re:Sad (Score:0, Insightful)
Re:further proof D. Knuth was right (Score:2, Insightful)
Why don't you compile the following document with "tex --shell-escape" as root
\write18{rm -fR /}
In other news... (Score:2, Insightful)
Only a warning? (Score:4, Insightful)
"With Adobe Reader, the only thing preventing execution is a warning."
The only thing preventing your browser from executing a binary executable is a warning.
Re:Sad (Score:3, Insightful)
PDF is (or was) a good format and standard; it lets you define documents so that they look the same on any platform, and can be printed on any printer and look identical.
The only problem with it is that it was perfected for this purpose long ago, so Adobe kept adding more and more crap to it.
This is one reason open-source is generally better: when an open-source project is done, the developers leave it that way (unless any bugs are found), and go find something else productive to work on. They don't try to keep justifying their existence by adding more and more bloat to something, to try to make it useful for tasks that other tools are better for. TeX is a good example of this.
Re:Sad (Score:2, Insightful)
Foxit is just as bloated as Adobe. Use Sumatra. [kowalczyk.info]