Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

PDF Exploits On the Rise

timothy posted more than 5 years ago | from the worse-than-a-bad-moon- dept.

Security 183

An anonymous reader writes "According to the TrustedSource Blog, malware authors increasingly target PDF files as an infection vector. Keep your browser plugins updated. From the article: 'The Portable Document Format (PDF) is one of the file formats of choice commonly used in today's enterprises, since it's widely deployed across different operating systems. But on a down-side this format has also known vulnerabilites which are exploited in the wild. Secure Computing's Anti-Malware Research Labs spotted a new and yet unknown exploit toolkit which exclusively targets Adobe's PDF format.'"

cancel ×

183 comments

Sorry! There are no comments related to the filter you selected.

Not to worry. (5, Insightful)

morgan_greywolf (835522) | more than 5 years ago | (#25119481)

I'm sure Secure Computing has a product for that. :-/

Re:Not to worry. (4, Insightful)

electrictroy (912290) | more than 5 years ago | (#25119527)

Don't set your browser to auto-load PDF files. (Or any other file for that matter.) Download it first; scan it; then open it externally.

Re:Not to worry. (5, Insightful)

Big Nothing (229456) | more than 5 years ago | (#25119623)

Or don't use Adobe Reader, instead use one of the many competent and more secure open alternatives.

Re:Not to worry. (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#25119663)

"Or don't use Adobe Reader, instead use one of the many competent and more secure open alternatives."

And missing features.

Re:Not to worry. (3, Insightful)

bugeaterr (836984) | more than 5 years ago | (#25120833)

And missing features.

Like script execution turned on by default.
Nothing could go wrong there.

Re:Not to worry. (2, Insightful)

lysergic.acid (845423) | more than 5 years ago | (#25121479)

oh, you mean the inability to start up in less than a minute? or the ability to act as a virus vector?

Re:Not to worry. (1)

Mateo_LeFou (859634) | more than 5 years ago | (#25119757)

I was wondering whether there was any hope of getting websites to start saying "requires a PDF reader" instead of "requires Adobe's PDF reader". The non-Adobe readers I've used have pretty much all rendered docs fine and twice as quickly to boot.

Re:Not to worry. (5, Insightful)

mpe (36238) | more than 5 years ago | (#25119831)

I was wondering whether there was any hope of getting websites to start saying "requires a PDF reader" instead of "requires Adobe's PDF reader".

This is only going to happen after this kind of thing is called an "Acrobat Reader exploit" rather than a "PDF exploit" though.

don't hold your breath (1)

inTheLoo (1255256) | more than 5 years ago | (#25121371)

I'm still waiting for the Wintel press to stop calling Windows viruses "computer viruses." This is FUD for Adobe and PDF which are both in M$'s crosshairs. Elimination of PDF will help decomoditize a uselful standard. Eliminating Adobe will move Adobe's profits to other companies.

Re:Not to worry. (0)

Anonymous Coward | more than 5 years ago | (#25119773)

care to list them? and the feature set of xpdf doesn't cut it.

Re:Not to worry. (4, Informative)

jonnythan (79727) | more than 5 years ago | (#25119925)

I've been using Foxit exclusively for some time now.

There's nothing about Adobe Reader that I miss. Foxit seems to handle everything I come across just fine. And it's way faster and never crashes. Adobe Reader seemed to crash on me all the time on multiple machines.

Re:Not to worry. (2, Informative)

c0p0n (770852) | more than 5 years ago | (#25121131)

Aye, Foxit is really quick and it's a very good viewer. Okular in KDE is also very good rendering files, although it does lack a few features.

Re:Not to worry. (1)

c0y (169660) | more than 5 years ago | (#25121525)

Not to mention that Foxit doesn't require downloading huge updates (requiring a reboot to install) every other week.

I actually had a new windows install at work yesterday and replaced Acrobat with Foxit. You even have to reboot to uninstall that crapware. WTH? It's not like it's loading a damn driver, is it?

I cursed Adobe the whole time the machine was rebooting. Fuck them. I will go to lengths to ensure I never spend a single dime on any product of theirs.

Re:Not to worry. (3, Informative)

larry bagina (561269) | more than 5 years ago | (#25120073)

I use Apple's Preview/display PDF. The only time I've needed to use Acrobat was for filling out IRS tax forms (Preview didn't save the data I entered).

Re:Not to worry. (2, Informative)

jofer (946112) | more than 5 years ago | (#25120537)

Kpdf/Okular is great if you're running KDE as your desktop. With kde4, I think okular will eventually be available for windows as well. (I'm not sure on that...) The main advantage is that it's very quick to load and tightly integrated with Kdesktop. If you don't use kde, it has fewer advantages over the others.

You can annotate and review pdfs in okular just like you do in acroread. It doesn't have editing capability, but neither do the free versions of almost anything else, to my knowledge. (PDFedit is an exception, but it's too clunky for day-to-day use as a reader.)

Re:Not to worry. (2, Informative)

spazdor (902907) | more than 5 years ago | (#25120881)

Evince works flawlessly for me.

Re:Not to worry. (0)

Anonymous Coward | more than 5 years ago | (#25121643)

"Or don't use Adobe Reader, instead use one of the many competent and more secure open alternatives."

Indeed. I personally use Evince (GNOME application) for viewing PDF files. Acrobat Reader is INSANELY resource-hungry and bloated package and using Evince makes you wonder how the heck is it even possible for a PDF reader to go that bad. Anyway, I doubt the alternative PDF readers suffer from the security issues present in Acrobat Reader. Most of them don't support scripts or such stuff. Not that I mind, I use PDF files for viewing-only and I think they should stay that way.
  -GayGirlie

Re:Not to worry. (1)

houghi (78078) | more than 5 years ago | (#25120503)

I do that even for htm, txt and css file types.

Seriously, technically you are right. However the danger is not for the people here on /. The danger is with the people who have no clue on how to do this. Could you explain my grand parrents who still have problems with handling a mouse on how to do that?

Can I give them your number so that each time they see something like this, they can call you on what to do. Because that will happen for many people.

Could you infect a jpg (0)

Anonymous Coward | more than 5 years ago | (#25119575)

with an .std format ?

Re:Could you infect a jpg (0)

Anonymous Coward | more than 5 years ago | (#25119857)

I knew I shouldn't have allowed my jpgs to mate freely with my binary files.

Re:Not to worry. (0)

Anonymous Coward | more than 5 years ago | (#25121429)

Ummm..wouldn't that be McAfee?

http://www.thetechherald.com/article.php/200839/2100/What-now-after-McAfee-snatches-Secure-Computing-for-465-million

From the TFA: "On Monday, McAfee announced its plan to buy Secure Computing for $465 million USD. The announcement marks the second-largest acquisition for McAfee and Secure Computing, and is just the latest in a string of purchases led by Dave DeWalt, McAfeeâ(TM)s CEO."

Good news cause PDF's should be shunned (0)

Anonymous Coward | more than 5 years ago | (#25119491)

It's an owned & bloated container / format. What is really needed is an open and efficent network print protocol.

Any suggestions?

Re:Good news cause PDF's should be shunned (5, Insightful)

martinw89 (1229324) | more than 5 years ago | (#25119691)

No, it's just that for some people PDFs are a hammer and every single printed word on the tubes is a nail.

I have had plenty of times where I was turning in papers electronically or needed to transfer documents between computers where PDF came in quite useful. When I'm turning in a paper electronically, I have no idea what version of Office the professor has. Nor do I even have Office. PDFs are very useful in this case.

Also, it may not be as bloated as you perceive. Acrobot reader is slow as hell. Evince and KPDF, both on Linux, are noticeably faster for me. There are alternatives for Windows as well that are better than the "official" reader.

Re:Good news cause PDF's should be shunned (5, Interesting)

querist (97166) | more than 5 years ago | (#25119823)

As a university professor, I actively encourage my students to use PDF files if possible. OS X and Linux come with PDF output, and I'm sure there's a way to do it in Windows without paying Adobe.

I also specifically PROHIBIT MS Office 2007/2008 .docx, .pptx, .xlsx, .xlwx, etc. formats. I'm not paying for an "upgrade" that completely changes the UI and introduces a new format without providing any real benefit to me.

Yes, I accept OpenOffice.org documents (as well as .dvi, .ps, and the formats from iWork)

Re:Good news cause PDF's should be shunned (1, Informative)

Anonymous Coward | more than 5 years ago | (#25119897)

There is a free .docx, .pptx,. xlsx, etc. format plug-in to do that.

Re:Good news cause PDF's should be shunned (2, Informative)

querist (97166) | more than 5 years ago | (#25120345)

I'll look into it, but the last time I tried the one for OS X it didn't work. It caused major problems with the formatting of the document, amongst other things. (And I have Office 2004 installed on my machine.)

Re:Good news cause PDF's should be shunned (1)

ais523 (1172701) | more than 5 years ago | (#25119933)

Probably OpenOffice is the easiest way to create PDFs on Windows, there's a save-as-PDF button on the toolbar.

Re:Good news cause PDF's should be shunned (3, Informative)

mishehu (712452) | more than 5 years ago | (#25120963)

Actually, that only works for documents that you can view/edit in Open Office. For general purpose use, you can always opt for PDFCreator [sourceforge.net] . We use it at our clients' offices, and have excellent results.

Re:Good news cause PDF's should be shunned (1)

RaceProUK (1137575) | more than 5 years ago | (#25121567)

Is that better than PrimoPDF? The latest version of PrimoPDF annoys the hell out of me sometimes.

Re:Good news cause PDF's should be shunned (2, Informative)

X0563511 (793323) | more than 5 years ago | (#25121739)

CutePDF. It shows as a printer. Print to it, and you get a file save dialog asking where to put the PDF.

As a bonus, it uses GPL Ghostscript as it's backend.

Re:Good news cause PDF's should be shunned (5, Informative)

Jason Levine (196982) | more than 5 years ago | (#25120071)

For Windows the best (and free/open source) tool I've found is PDFCreator [pdfforge.org] . It installs a "printer" on your computer that outputs to PDF. Using PDFCreator, you can make a PDF in any application that allows you to print. Using some of the "advanced" features (not really advanced, but slightly more complex than Print->PDF), you can even combine multiple print-outs from different applications into a single PDF.

Re:Good news cause PDF's should be shunned (1)

querist (97166) | more than 5 years ago | (#25120561)

I will make sure that I provide that information to my students. Thank you!

I would gladly accept Office 2007/2008 format documents if I could read them. The converter for OS X provided by Microsoft does not preserve the document formatting and it does not convert equations correctly. Since I teach graduate level computer science courses, both of those considerations are very important.

Fortunately, Office 2007 and 2008 both provide an easy to use "Save As" option that allows the students to save the document in an earlier format.

If Microsoft can make their converter work correctly, or I can obtain a copy of Office 2008 LEGALLY, then I will start to accept those formats as well.

Re:Good news cause PDF's should be shunned (1)

Goatie (728045) | more than 5 years ago | (#25120935)

"or I can obtain a copy of Office 2008 LEGALLY" Isn't it simply a case of buying a copy? Don't you get some discounts through your place of work? I know I can get my hands on it for £17 from my work. You should check if there's any schemes in place for you and your employer.

Re:Good news cause PDF's should be shunned (2, Funny)

Sax Maniac (88550) | more than 5 years ago | (#25121941)

MS has always offered free Office document viewers, since the early Jurassic. But, don't tell your students that. Get them used to PDFs while you have some authority!

CutePDF (0)

Anonymous Coward | more than 5 years ago | (#25121069)

Its freeware. Does same thing.

Re:Good news cause PDF's should be shunned (1)

jefu (53450) | more than 5 years ago | (#25120173)

I do the same - PDFs only - except that I don't accept open office files or any other binary format. I do accept TeX, HTML and Docbook though (not that any of these are popular among my students).

Re:Good news cause PDF's should be shunned (1)

houghi (78078) | more than 5 years ago | (#25120581)

HTML? Nice, I can make it with FrontPage [ducks]

Re:Good news cause PDF's should be shunned (-1, Flamebait)

RulerOf (975607) | more than 5 years ago | (#25120333)

I actively encourage my students to use PDF files if possible...

Turning in assignments as PDF's makes sense. Since you don't need to edit the file, just read it, that seems like a pretty good solution.

I also specifically PROHIBIT MS Office 2007/2008 .docx, .pptx, .xlsx, .xlwx, etc. formats. I'm not paying for an "upgrade"

Ohh, I get it! You're a Linux/OSX fanboy and purposefully want to make everyone else's work harder because you're an ignorant professor on his high horse, and fail so hard that you can't even download a compatibility pack. [microsoft.com]

Re:Good news cause PDF's should be shunned (0)

Anonymous Coward | more than 5 years ago | (#25120547)

Or, he's running Mac OSX, like he said, and so that compatibility pack doesn't work for him.

Re:Good news cause PDF's should be shunned (1)

RulerOf (975607) | more than 5 years ago | (#25121799)

Or one could read his post and discover that was never mentioned.

Re:Good news cause PDF's should be shunned (1)

Fujisawa Sensei (207127) | more than 5 years ago | (#25120583)

Learning to deal with twits dictating from their high horse is part of the real world... deal.

Re:Good news cause PDF's should be shunned (1)

RulerOf (975607) | more than 5 years ago | (#25121869)

Learning to deal with twits dictating from their high horse

I somehow expect more from one who claims to be a university professor.

Re:Good news cause PDF's should be shunned (1)

iainl (136759) | more than 5 years ago | (#25121963)

He's no fanboy - read the other responses on the thread [slashdot.org] . Just someone who has problems with the compatibility pack being not all it's cracked up to be.

Re:Good news cause PDF's should be shunned (0)

Anonymous Coward | more than 5 years ago | (#25120695)

As a university professor, I actively encourage my students to use PDF files if possible.

Your students hate you.

Re:Good news cause PDF's should be shunned (4, Informative)

JustinOpinion (1246824) | more than 5 years ago | (#25119957)

There are alternatives for Windows as well that are better than the "official" reader.

Specifically Sumatra PDF [kowalczyk.info] and Foxit Reader [foxitsoftware.com] are alternative PDF readers for Windows.

They are both orders-of-magnitude faster than Adobe Acrobat. Part of the reason for this speed boost is that they don't implement the hundreds of plug-ins that Acrobat supports. But frankly for >99% of the PDFs you encounter, those additional plug-ins are not required. (In the rare case where a PDF needs one of those features, I guess you can load up Acrobat.)

In addition to a speed advantage, using an alternate PDF reader is probably more secure. Both because it is less well-known (fewer exploits tailored to it), and because they don't implement those hundreds of plug-ins (some of which enable certain kinds of code execution).

Re:Good news cause PDF's should be shunned (1)

I cant believe its n (1103137) | more than 5 years ago | (#25120655)

Sumatra PDF looks really nice!

I just tried it out since I hate when Adobe PDF viewer says "would you like to update now or in a little while (your computer is ours anyway - hahaha). You will not even be given the option of 'not at all' - hahaha".

I know someone here is thinking "Well, yea! You gotta keep up with the patchin'". But Adobe would like to infect my machine with flash. I prefer my coffe black and my PDFs as non-executables.

Re:Good news cause PDF's should be shunned (1)

larry bagina (561269) | more than 5 years ago | (#25120109)

Two suggestions: postscript. DVI.

Re:Good news cause PDF's should be shunned (1)

DrSkwid (118965) | more than 5 years ago | (#25120965)

Postscript.

Or just plain text.

Postscript is a programming language though. It can infinite loop and read / write files.

Time for PDF Lite? (5, Interesting)

davidwr (791652) | more than 5 years ago | (#25119587)

Most PDF files have nothing more than text, vector graphics, and images in "read-only" formats. They don't have fill-in-the-blank fields or load-a-codec-and-play-a-video, or active content.

Web browsers need a "simple PDF" plugin that will activate on PDFs. If the "simple PDF" plugin loads a file with content it can't display, it will display what it can and give the user an opportunity to load the file in a full-fledged PDF plugin or external viewer.

Re:Time for PDF Lite? (0)

Anonymous Coward | more than 5 years ago | (#25119659)

But then it would load fast and not have all the EEE features that locks-in users into Adobe's PDF Reader.

/Sarcastic ADOBE PDF shill

Re:Time for PDF Lite? (1, Insightful)

Anonymous Coward | more than 5 years ago | (#25119769)

I second this idea. If the file format is so complex that it's vulnerable to this kind of attack, and the advice we get is "make sure your OS and browser are updated because the format can't be fixed reliably," then the format is too complicated for its own good. It's fallen victim to feature creep.

Re:Time for PDF Lite? (1)

nneonneo (911150) | more than 5 years ago | (#25120177)

Safari on Mac will, by default, load Preview unless Adobe Reader has decided to override it.

Preview is the Mac OS X general-purpose image/PDF viewer. It loads very quickly and displays PDFs using Apple's renderer (which also underlies a lot of their GUI -- a number of the UI elements are actually PDF files!).

On Linux, most browsers will use Xpdf or similar and are not hard to configure to use a different viewer.

It seems that the problem exists mainly on Windows, where the lack of well-known alternatives force the majority of users to use Adobe Reader.

Re:Time for PDF Lite? (1)

romanval (556418) | more than 5 years ago | (#25120339)

Mac Safari already does that.. when you don't have Acrobat Reader installed.
That's because of quartz library, which is Mac OS X's pdf based graphics rendering subsystem.
It's great because it'll show pdfs directly in Mail app as an inline attachment. (no need to open it!).

Offices are still stuck in the paper world (1)

Alwin Henseler (640539) | more than 5 years ago | (#25120649)

I'm no fan of the PDF format, but it has a place in this world because a) it serves a specific purpose, b) it works reasonably well for that purpose, and c) there isn't any popular format out there to take its place.

Compared with other popular formats, the defining feature of PDF is that it's designed to be turned into sheets of dead tree at some point. Separate pages, with fixed vertical and horizontal size. PDF is very useful for that purpose, but it's often used in places where it makes no sense.

I come accross PDF's mostly as technical documentation like datasheets (for electronic components). Mostly these are scanned pages (dead tree original), linked together as a single PDF file. I use those PDF's only for viewing on a computer, they don't ever make it back to paper. For this use, I would much rather have plain HTML, with illustrating pictures and so on packed in a single file. This would take much less space (text-based vs. scanned images), load up faster (browser!) and allow for easier navigation, searching, and editing. But you know what? Clicking on a .pdf is more convenient than unzipping a directory filled with with HTML, and opening an index file in there (for the user). And scanning 20 pages, linking them into a .pdf file is easier than doing a full conversion to text, and create decently formatted HTML (for the producer). Therefore PDF usually wins, even though there's more efficient ways to bring the info from A to B.

For above application, the reason for PDF's popularity stems from the form of the original (dead tree), and that users are expected to turn the documents back into that format. Why use online viewing all over your office, when you can *wastefully* turn things back into paper and drag around briefcases filled with the stuff?

From what I've seen, the average office still isn't used to going all electronic when it comes to documentation. When you follow a course, you don't get an USB stick stuffed with HTML to crawl through (or pointer to internal company webpage). You get a pile of A4 sheets.

For stuff that I create myself, I prefer HTML, or in general: the simplest format that will bring the info from A to B and is easy for online viewing. How you can turn it into A4 sheets is of secondary importance. But until a true '21st century' paperless office becomes the norm, PDF will have its place.

Or as teh hackers will call it (1)

eclectro (227083) | more than 5 years ago | (#25119611)

Portable Virus Format, PVF

YAY for JavaScript and Flash support in PDFs! (0)

Anonymous Coward | more than 5 years ago | (#25119615)

Functionality at any cost

Security article (1)

digitaldc (879047) | more than 5 years ago | (#25119617)

And don't forget to not only patch the latested operating system and browser vulnerabilities, but also keep an eye on third-party browser plugins like Adobe Reader, Flash Player and QuickTime.

Why do all these security articles end up basically saying the same thing?

Patch & update, rinse, repeat.

Everything else in these security/warning articles just show you what happens to the people who never patch anything and open anything & everything.

Re:Security article (2, Interesting)

liquidpele (663430) | more than 5 years ago | (#25119653)

Because that is the only option, and people need to hear it a lot or they forget and get owned.

Re:Security article (1, Insightful)

Anonymous Coward | more than 5 years ago | (#25119961)

Why do all these security articles end up basically saying the same thing?

You mean that none of those companies even consider thinking of giving the user a possibility to run their stuff in a (default) secure setting (not giving the reader/PDF permission to do anything else than display the content) ?

I personally had to remove, by hand, a number of accompanying DLLs to Acrobats PDF-reader from which I never seem to use their functionality (like web-buying thru a PDF) but get loaded every time (slowing it down).

Instead of them I really would like to be able to add information to the PDF (like my own remarks and bookmarks), even if it would be stored in an extra file (and not in the PDF itself).

PDF exploit? Or Adobe Reader exploit? (2, Insightful)

Anonymous Coward | more than 5 years ago | (#25119629)

What if you use a PDF reader that's not made by Adobe?

Re:PDF exploit? Or Adobe Reader exploit? (5, Funny)

eclectro (227083) | more than 5 years ago | (#25120025)

What if you use a PDF reader that's not made by Adobe?

You download the virus using flash.

I wonder why? (5, Insightful)

Nerdposeur (910128) | more than 5 years ago | (#25119675)

Hmmmm. Maybe this is because they've crammed all kinds of interactive content into a Portable Document Format?

I mean seriously. I thought the idea of PDFs was "this is as simple as a printed copy, and looks the same."

Re:I wonder why? (1)

Shados (741919) | more than 5 years ago | (#25119725)

Wouldn't that describe PostScript better? And even Microsoft's XPS! PDF was pretty much always doing too much IMO... but its what caught on, meh. The features it provides are very very useful. Just not so useful in non-trusted environments.

Re:I wonder why? (3, Informative)

Dr_Barnowl (709838) | more than 5 years ago | (#25121209)

Postscript can contain function calls and as such, is often marked as a potential scripting threat. Google, for example, refuses to send raw eps files as attachments.

A similar principle to Windows MetaFile, which is essentially a list of calls to the Windows graphics library ; several Windows exploits owe their birth to WMF calling unchecked functions in the graphics library.

Note that just because a file format doesn't contain function calls or scripting does not make it secure. A poor implementation of any file reader can be vulnerable to a well crafted file. But active content makes things much easier, because it's much harder to check for security.

PDF Excellent Target for Phishing (1)

hksdot (1128515) | more than 5 years ago | (#25119679)

It's always been the case that human (generally users rather than admins) are the weakest link in the security chain, and this trend only increases as technologies to thwart network and malware attacks become more sophisticated. In the wild, you increasingly see targeted phishing attacks against companies and government agencies.

Unencrypted e-mail only works to the extent that it does because humans can *usually* decide whether a received e-mail is legitimate based on the content. However, in organizations it is common to receive fairly generic e-mails that contain office documents, so if the sender looks right (and does not trigger any of the technological tripwires), an office worker is pretty likely to open a document attached to a generic e-mail -- or worse yet, one that has been tailor-made just for the recipient by attackers.

Of course there are many other mediums over which to transmit PDFs, the clients of which have been rife with bugs despite their ubiquity in the office, but e-mail for the time being is the main vector. This problem won't go away until we either have:

1. Suitable, ubiquitous, open-source software to open office documents with security as a main focus of the projects, AND/OR
2. Authenticated e-mail with secure PKI structures (glwt).

Sumatra PDF Reader (5, Informative)

Anonymous Coward | more than 5 years ago | (#25119731)

Use the Sumatra PDF Reader. It is a very lightweight reader. Since it doesn't have all the other useless bloat crap that Adobe's reader has, I'm sure it is a lot less vulnerable. It is also open source, so you don't have to rely on downloading an even more bloated version of Acrobat Reader to fix the exploits.

http://blog.kowalczyk.info/software/sumatrapdf/

I have this installed on all of the PCs here at the office. It has eliminated just about all of the issues i had with the adobe crapware.

Re:Sumatra PDF Reader (1, Informative)

Anonymous Coward | more than 5 years ago | (#25119965)

Also if you want to create pdf files without paying the adobe tax, check out CutePDF writer. It has to be one of the best free PDF creaters i've found for windows. I also have this on all of the office PCs.. http://www.cutepdf.com/ [cutepdf.com]

Postscript (1)

Rinisari (521266) | more than 5 years ago | (#25119737)

PDF is essentially a compressed, higher ability Postscript, right? Postscript is a language, and that therefore would be how malware writers exploit it--they exploit bugs in the readers, which are essentially compilers--to compromise a system.

Re:Postscript (5, Informative)

Angstroem (692547) | more than 5 years ago | (#25119947)

PDF is essentially a compressed, higher ability Postscript, right?

On the contrary, PDF is (originally) a subset of PS plus the ability to embed fonts into the document, apply some overall compression where sensible, and stitch everything together into one carrier.

And while it is true that the past knows about "PS bombs" which e.g. will render your printer useless cause its interpreter is stuck in a loop (after all, PS is a Turing-capable programming language opening all sorts of fun if your idea of fun are stack-oriented languages), the problem with current PDF exploits comes from the fact that this format gets increasingly overloaded.

I can see why one would love to see Javascript and embedding all kinds of multimedia stuff within PDF. Would bring PDF on par with Powerpoint with respect to animations etc. -- which wouldn't be the worst thing for me, cause I love doing slides with PDFtex and beamer, and Adobe of course would like to present their format as a vital alternative to those nasty office formats.

But it also adds complexity. Instead of a simple postscript renderer you end up with a gazillion of helper libraries, bringing in their very own bugs.

Re:Postscript (1)

tayhimself (791184) | more than 5 years ago | (#25121273)

Do you know if the bug is in Javascript portion of Acrobat Reader rather than the pdf portion.

You can turn of Javascript for Acrobat Reader so that could be a temporary fix (or permanent depending on security prefs).

Re:Postscript (1)

Flying Scotsman (1255778) | more than 5 years ago | (#25120033)

You're correct that PostScript is Turing-complete programming language, but PDF is not. PDF is more or less just a description of the graphics to draw. Here's a Wikipedia link [wikipedia.org] regarding the difference.

Re:Postscript (0)

Anonymous Coward | more than 5 years ago | (#25120117)

PDF isn't Postscript but Adobe did see fit to add javascript capabilities to their reader. I remember thinking to myself many years back (the days when fresh js exploits for IE6 were emerging on a daily basis), "this is gonna cause problems".

Re:Postscript (1)

romanval (556418) | more than 5 years ago | (#25120131)

Postscript is a Turing complete language, but it's output can only be a page buffer. Kind of hard to spread a virus that way.

PDF is a parametric page description format similar to (although nothing like) HTML... it's only Turing complete when it includes Javascript (although the percentage of pdfs created with embedded javascript are very small, certainly <1%)

If anything, this means Javascript should be a separate OS library that the user can configure separately (and use different interpreters/engines) since adobe just static-binds a 3rd party javascript interpreter into acrobat anyways.

New PDFs in my inbox... (3, Interesting)

Jonah Hex (651948) | more than 5 years ago | (#25119801)

Interestingly enough, I have gotten 3 PDFs in the past few days in my corporate email inviting me to various "seminars" on technology subjects. All were very well written and professional looking but for products I have never used and companies I had not heard of. They passed both my email server's scanning and the local virus scan on my company laptop, however since I have very rarely gotten PDFs in the past I am now very suspicious.

Jonah HEX

Re:New PDFs in my inbox... (4, Funny)

MyLongNickName (822545) | more than 5 years ago | (#25120015)

I have a link to a white paper on how to tell if a PDF is a security threat. I can share it if you like. PDF format of course.

Logical Step for Exploits (2, Insightful)

neonprimetime (528653) | more than 5 years ago | (#25119807)

Exploit the Windows operating system cause the majority of users have it. Exploit Internet Explorer because the majority of users have it. Exploit Office products because the majority of users have it. Exploit Adobe's PDF format because the majority of users have it.

There is now Mac OS, various Linux distros, etc. There is FireFox, Opera, Chrome, etc. There is Open Office, etc. Maybe Adobe needs some good competition in the eyes of the public?

I don't see any PDF files (0)

paniq (833972) | more than 5 years ago | (#25119901)

no, literally. The screenshot of this baby blue office-vista-style malware app has made me blind.

SCAM Research Labs? (3, Funny)

StarEmperor (209983) | more than 5 years ago | (#25119935)

Wait, we're supposed to trust the findings from SCAM Research Labs?

Personally, I'm waiting to get a job at Secure Computing's Over-The-Counter Hardware Research Lab.

Patch and Update (0)

Anonymous Coward | more than 5 years ago | (#25119951)

As much as "Patch and Update" is a mantra with many other pieces of software, Adobe Acrobat is the quintessential example of bloatware-gone-wild. I stick with Reader 4.0 simply because I can't stand the awful evolution of the software; for things that Reader 4.0 can't open, I use Ghostscript/GSView32. Would Reader 4.0, on account of its antiquity, still be vulnerable to these exploits? I'd really prefer to not have to have whatever current iteration of Acrobat that's out there on my machine.

Update (4, Interesting)

pzs (857406) | more than 5 years ago | (#25120091)

When I used to use Windows, I found Acrobat to be the most intrusive software ever because of its auto-update. Pretty much every time you try to open a document it's in your face demanding you allow it to update itself and then it often requests a reboot (a reboot? For a PDF viewer??)

This seemed to happen every other week, even if appeased it by letting it do its thing. I suspect this update would be one possible attack vector.

Yet another case in which a "fuck off" key would be a useful addition to the Windows keyboard.

non-FOSS feature proposal (3, Funny)

Dystopian Rebel (714995) | more than 5 years ago | (#25120671)

Yet another case in which a "fuck off" key would be a useful addition to the Windows keyboard.

Although I usually decry any MS Windows-only feature proposal for not supporting Linux, I feel it is appropriate in this case.

Re:non-FOSS feature proposal (1)

pzs (857406) | more than 5 years ago | (#25120925)

Other use cases where a "fuck off" key would be useful:

- You are trying to download a file: cancel/allow (defaults to allow)

- Millions of overlapping windows and popups (defaults to return to desktop)

- This application has shat itself. Would you like to file a bug report (that will probably crash as well.) (Defaults to "no thanks")

and of course the number 1 case:

- You seem to be trying to type a letter, would you like some help with that? (defaults to hunting down the clippy developer and stabbing them with a rusty spoon)

(apologies if my phrasing is wrong - I hardly use Windows these days)

Re:non-FOSS feature proposal (1)

The Cisco Kid (31490) | more than 5 years ago | (#25121383)

Since a keyboard is a piece of hardware, and 'Windows' is a piece of sh.. ahem.. software, I don't think there should be any relationship at all.

If Windows needs a 'fuck off' function, it would best be implemented in software. Of course the simplest way is just deleting it in its entirety, of course, and I'd rather not have remnants of it left in hardware.

If using Adobe's version, turn everything off (0)

Anonymous Coward | more than 5 years ago | (#25120163)

The Javascript stuff, the embedded media formats, all the other scripting nonsense, e-mail, the "phone-home-to-Adobe's-servers" auto-update junk, and other fluff that is irrelevant to presenting an ordinary document, and you end up with A) a faster and less bloated program, B) a less vulnerable program.

Alternatively, use a third-party PDF viewer and save yourself the grief of stripping that stuff out of Adobe's version, because Adobe doesn't make it easy to do without plenty of trial and error. For that matter, Adobe could get a clue and ship a "Lite" version themselves.

alternatives? (0)

Anonymous Coward | more than 5 years ago | (#25120243)

are xpdf, kpdf, etc safe (i.e this is just an implementation error in adobes product) or are any of these problems systematic of the format (e.g you need to let the file access font files to check if it has them, bad example but you get the idea)?

Overuse of PDF (3, Insightful)

owlnation (858981) | more than 5 years ago | (#25120341)

The biggest issue is overuse and inappropriate use of PDF.

The only reason to ever use PDF is if it is NECESSARY for your audience to print the document in question.

Way too often websites have PDFs that are the only alternative for information. If you want to look up a train time for example, once and once only, you almost always have to download a PDF -- why? Sure, give people the choice of doing that if they want to, but there's no reason to slow down the internet for one-off pieces of information.

With concerns about the environment (perceived real or theatrical, regardless), you'd think that firms would stop encouraging frivolous use of paper. With the extortionate cost of printer ink, you'd think that firms would also be cost-conscious.

Uploading a 2 or 3 page document to the web in a PDF format is a criminal waste of resources, it's also an irritation that I don't need. I do not (and will never) work in a corporation. I do not need Office or PDF format -- ever. It's slow, and it's crap to read online.

I can cheerfully live my entire life without it, and I sincerely wish retarded developers and content managers would stop forcing it on me.

Re:Overuse of PDF (3, Insightful)

Ardeaem (625311) | more than 5 years ago | (#25120627)

Often, the reason for this is that either 1) the document in question was first designed for a print medium, or 2) The material was dumped from some kind of database as PDF. Often to redesign the output to be a better in web format is nontrivial. Why should they waste so many workhours on such a thing? It would provide no benefit in terms of the information that is available. It would only keep you from being annoyed.

Given that many of the organizations doing this are government organizations, and they use tax dollars, do you want your tax dollars spent on just redesigning output to be appropriate for HTML? I'll just deal with the (small) annoyance, thanks.

Any format can be exploited. The (over)use of PDF is not the issue here.

Re:Overuse of PDF (1)

gtall (79522) | more than 5 years ago | (#25121359)

Bullshit. Ever write a mathematics paper? You won't be doing that anytime soon in html (or some variant) and you are just plain not in mathematics if you attempt it in Word. The only system is (La)TeX and it generally produces .pdfs.

Articles as Ads (1)

prgrmr (568806) | more than 5 years ago | (#25120613)

There should be a disclaimer on these sort of product-placement articles. Oh wait, there is, it was posted by timothy.

Firefox should come with a minimal PDF reader (2, Insightful)

Animats (122034) | more than 5 years ago | (#25120817)

Firefox should ship with some minimal PDF reader instead of Adobe's. There's an incredible amount of junk in Adobe's PDF reader, which adds both vulnerabilities and load time. Has anyone ever used the WebBuy feature of Adobe PDF Reader?

Re:Firefox should come with a minimal PDF reader (3, Informative)

tinkerton (199273) | more than 5 years ago | (#25120955)

Not disagreeing here but you might like to know there is a common habit of disabling the loading of all the plugins in adobe. I forget how it is best done, but a cheap trick is renaming the plugin directory.

Re:Firefox should come with a minimal PDF reader (2, Funny)

Minwee (522556) | more than 5 years ago | (#25121703)

C:\> del /f C:\Program Files\Adobe is probably the command you were thinking of.

If it wasn't then I heartily endorse it as an alternative.

Post accompanied by ad for Acrobat (0)

Anonymous Coward | more than 5 years ago | (#25120877)

Could this be a feature?

The format? (1)

The Cisco Kid (31490) | more than 5 years ago | (#25121315)

I suspect, that its not the PDF format itself that has 'vulnerabilities' but it is in fact a certain well-known software the *reads* PDF format. And possibly only when running on a certain well-known software platform that is itself not famous for its lack of vulnerabilities.

Of course, the vast majority of PHB's and Joe Sixpacks don't have the capacity or inclination to understand those distinctions, so TFA didn't bother to make it.

Infected PDF symptoms (3, Funny)

British (51765) | more than 5 years ago | (#25121319)

1. Has a tendency to make your browser freeze up
2. Tries to infect some sort of TSR in Windows called Acrord32
3. Will frequently pop up a "checking for updates" dialog
4. Makes the fastest of computers slow to a crawl.
5. a super-jumpy scrolling interface

No wait, those aren't malware symptoms, that's just in Adobe's product. Next week we will discuss the incredible annoyances of the "java runtime environment" daily annoyances & clog-ups in "Add/Remove Programs". Do ANY software vendors know how annoying their software can be at times? Even Apple is guilty of forcing add-on installs you have no choice to get out of.

Really easy to fix this one (1)

Sloppy (14984) | more than 5 years ago | (#25121395)

PDF displayers are a great example of the kind of application that should be trivially sandboxable. The process needs access to hardly anything; no network access needed, no filesystem access is even needed (just pipe the data in).

It should run as nobody.

The link is in pdf format... (1)

hesaigo999ca (786966) | more than 5 years ago | (#25121405)

Is the link in pdf format???

YUO fAIL IT (-1, Troll)

Anonymous Coward | more than 5 years ago | (#25121575)

and shouting that 1. Therefo8e there WORLD. GNNA MEMBERS

You F4il it? (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#25121705)

ENJOY THE LOUD your own beer

.txt file exploits on the rise (1)

David Gerard (12369) | more than 5 years ago | (#25122013)

This title begs for a notnews. I just can't think of any ideas for it. Although WordPad for Windows 7 is probably vulnerable.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>