New Method Could Hide Malware In PDFs, No Further Exploits Needed

timothy posted about 4 years ago | from the deploy-linux-countermeasures dept.

Security 234

Trailrunner7 writes "A security researcher has managed to create a proof-of-concept PDF file that executes an embedded executable without exploiting any other security vulnerabilities. The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file. With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this."

234 comments

Sad (1, Troll)

2.7182 (819680) | about 4 years ago | (#31691246)

If only some great pdf/security teacher would take these poor code monkeys who have no future and teach them how to fix this.

Re:Sad (5, Insightful)

sopssa (1498795) | about 4 years ago | (#31691352)

But for once Adobe is actually more secure than the better alternative Foxit. Adobe PDF Reader at least warns and asks your permission to run the file, but Foxit does neither one but just happily runs it. That fact made me uninstall Foxit for now at least.

Re:Sad (3, Insightful)

c-reus (852386) | about 4 years ago | (#31691758)

Of course, the average user is known to thoroughly read the warnings and definitely will not click "OK, just get this thing out of my face" within half a second after the dialog box has finished rendering.

Re:Sad (4, Informative)

Romancer (19668) | about 4 years ago | (#31691826)

From the author:

" My PoC PDF requires some changes for Foxit Reader, because ultimately, the executable doesn't run. But that's probably due to some variation in the PDF language supported by Foxit Reader."

Not really a proof of concept since the proof doesn't actually run the code currently. Not that it couldn't but there's no proof that Foxit is less secure since it doesn't actually run the code.

Re:Sad (3, Informative)

Spad (470073) | about 4 years ago | (#31692000)

http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/ [didierstevens.com]

He got it working in Foxit pretty quickly after the first post about the PoC.

Re:Sad (5, Informative)

Pentium100 (1240090) | about 4 years ago | (#31692366)

Also the first comment there says how you can hex edit the .exe to disable this "feature".

If you can live without the /Launch functionality (I can!), edit the executable:

- search for “^@Launch^@” (^@ == null byte, file offset 7040965 in 3.13.1030) in Foxit Reader.exe,

- change it to e.g. “L!unch” (no quotes),

- save AS BINARY,

done.

Comment by Thomas — Wednesday 31 March 2010 @ 12:20

Re:Sad (1)

bynary (827120) | about 4 years ago | (#31692292)

...I was thinking PoC meant Piece of Crap which I thought was redundant when referring to a PDF.

Re:Sad (1, Insightful)

Anonymous Coward | about 4 years ago | (#31691892)

dunno how it holds up as far as security but for basic pdf needs sumatra > foxit imo.. http://blog.kowalczyk.info/software/sumatrapdf/index.html

PDF-XChange (1)

Peter Simpson (112887) | about 4 years ago | (#31691262)

We don't use the bloated Adobe viewer any more. There are several alternatives; we like this one.

Re:PDF-XChange (1, Informative)

Anonymous Coward | about 4 years ago | (#31691290)

*reads the article* It sounds like it'll run automatically with no warning in Foxit.

So. Not sure if the alternatives even stop this since it's not an exploit in the pdf reader but an exploit in the PDF file type or something. He gets it to run code somehow anyway.

Re:PDF-XChange (3, Funny)

abigor (540274) | about 4 years ago | (#31691306)

Do you always refer to yourself with the royal "we"?

Re:PDF-XChange (2, Interesting)

the_humeister (922869) | about 4 years ago | (#31691564)

Each of us is composed of trillions of eukaryotic cells and even more bacterial cells. Thus, we think it appropriate to use "we" when speaking for us.

Re:PDF-XChange (3, Funny)

idontgno (624372) | about 4 years ago | (#31691720)

I'm pretty sure a substantial minority of your eukaryotes actually prefer Adobe products.

The "we" you're using is just your corporeal ruling elite talking, Man! It's just another example of your neurons keepin' your connective cells and fat tissue down!

Re:PDF-XChange (3, Funny)

natehoy (1608657) | about 4 years ago | (#31691852)

As Mark Twain once said, "Only kings, presidents, editors, and people with tapeworms have the right to use the editorial 'we.'"

Peter does not appear to be a king, is unlikely to be a president, and he's probably not an editor...

Re:PDF-XChange (1)

Jorl17 (1716772) | about 4 years ago | (#31692118)

The royal weee? Last time I heard that it was when the Queen decided to pee. That was a royal wee.
;)

Re:PDF-XChange (2, Interesting)

Monkeedude1212 (1560403) | about 4 years ago | (#31691314)

He says that it works in other PDF Readers (well he mentioned one, Foxit) - because he's not exploiting a vulnerability in any of the applications, but the PDF Language itself.

So, chances are, you are just as vulnerable. He also said he reported it to Adobe, without releasing his proof of concept to the public - so we'll see what comes out of it.

It might just end up that Adobe products become more secure for reading PDFs than the others, and Adobe then has an upper hand.

[tinfoil speculation]
And if that's the case, why would they inform other PDF Readers? And unless the proof of concept is made public, how do we know there is actually a vulnerability besides the word of this hacker and Adobe?
[/tinfoil speculation]

Re:PDF-XChange (0)

K. S. Kyosuke (729550) | about 4 years ago | (#31691406)

He says that it works in other PDF Readers (well he mentioned one, Foxit) - because he's not exploiting a vulnerability in any of the applications, but the PDF Language itself.

But what vulnerability can be in a data format? Especially if I open it with a viewer that knows no stinkin' JavaScript etc.? GhostView and Xpdf simply say that the file is broken and display what they can.

Re:PDF-XChange (1)

sopssa (1498795) | about 4 years ago | (#31691464)

He says that it works in other PDF Readers (well he mentioned one, Foxit) - because he's not exploiting a vulnerability in any of the applications, but the PDF Language itself.

But what vulnerability can be in a data format? Especially if I open it with a viewer that knows no stinkin' JavaScript etc.? GhostView and Xpdf simply say that the file is broken and display what they can.

In this case it's not even a vulnerability, it's just an interesting way to use the PDF specs to get that result. However, as for your question, vulnerabilities aren't in the data formats themselves, but in the programs that read them (buffer overflow etc.)

Re:PDF-XChange (0)

Anonymous Coward | about 4 years ago | (#31691668)

this means that P D F is a wrong term, it should be called Adobe ActiveX format!

it should be Portable Document and Code Format

Assumption: this is not a grand April Fools' joke.

Re:PDF-XChange (0)

Anonymous Coward | about 4 years ago | (#31691472)

RTFA - no JavaScript required, only adherence to the PDF Spec.

No kidding, the Windows payload didn't work on your Linux apps?

Re:PDF-XChange (0)

Anonymous Coward | about 4 years ago | (#31691474)

But what vulnerability can be in a data format?...

Clearly you are not familiar with PDF.

Re:PDF-XChange (1)

Lunix Nutcase (1092239) | about 4 years ago | (#31691516)

Especially if I open it with a viewer that knows no stinkin' JavaScript etc.?

Did you even bother to read the summary?

Disabling JavaScript will not prevent this.

To quote further from the actual article:

With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this (I don’t use JavaScript in my PoC PDF), and patching Adobe Reader isn’t possible (I’m not exploiting a vulnerability, just being creative with the PDF language specs).

This has nothing to do with JavaScript or anything else. It has to do with the actual PDF language spec itself. Amazing how you got modded interesting by not even understanding what the issue is.

Re:PDF-XChange (1)

betterunixthanunix (980855) | about 4 years ago | (#31691734)

PDF is not a simple data format; it contains a weird programming language for rendering documents. This hacker is using that language to execute malicious code, which theoretically works in any PDF reader.

Re:PDF-XChange (1, Interesting)

Anonymous Coward | about 4 years ago | (#31691452)

If you read the comments under the original author post (linked from the article), people are reporting PDF X-Change as ignoring that part of the language spec and not executing the payload.

I haven't tested if that's true.

Re:PDF-XChange (1)

99BottlesOfBeerInMyF (813746) | about 4 years ago | (#31691696)

He says that it works in other PDF Readers (well he mentioned one, Foxit) - because he's not exploiting a vulnerability in any of the applications, but the PDF Language itself.

Technically, I think he's exploiting a common way the spec is implemented. The "/launch" command is supposed to be to a PDF file or be handled as a URI action.

He implements a file including:

/Type /Action /S /Launch /Win /F (cmd.exe)

By my reading of the spec (which is admittedly not expert) the way things are being handled by the PDF reader are questionable and by the OS is stupid.

In my mind this is simply one more argument for default ACLs and sandboxing for all applications as an integral part of OS design.

Re:PDF-XChange (1)

SanityInAnarchy (655584) | about 4 years ago | (#31691812)

Are you sure that's how he does it? He apparently has a better proof-of-concept that he hasn't posted, only sent to Adobe.

Re:PDF-XChange (1)

99BottlesOfBeerInMyF (813746) | about 4 years ago | (#31691986)

Are you sure that's how he does it? He apparently has a better proof-of-concept that he hasn't posted, only sent to Adobe.

That certainly seems to be the basis for his attack based upon the data and samples he's presented. It's not the first time this particular part of the spec has been a security problem either.

Re:PDF-XChange (1)

MagicM (85041) | about 4 years ago | (#31692342)

the "/launch" command is supposed to be to a PDF file or be handled as a URI action

The PDF spec I'm reading in Table 8.48 (Action types) says:

Action Type: Launch
Description: Launch an application, usually to open a file.

And there are other instances where it clearly states that "A launch action launches an application or opens or prints a document."

No vulnerability? (0)

Anonymous Coward | about 4 years ago | (#31691344)

That's a big red vulnerability named PDF.

With Foxit Reader (5, Interesting)

wiredog (43288) | about 4 years ago | (#31691346)

There's no warning at all. It just runs. [zdnet.com]

Evince is OK! (0)

Anonymous Coward | about 4 years ago | (#31691780)

I had it with PDF exploits a few weeks back, so decided to try evince.

Current version 2.28.0 on Vista (yes I know) and doesn't seem vulnerable to the file on the linked site.

Someone else please confirm.

Oh and it's free.

Re:Evince is OK! (1)

Rich0 (548339) | about 4 years ago | (#31692304)

Tried to switch to evince on Windows machines. However, the most recent version doesn't let you print files. That obviously is a problem.

Maybe sometime in the next year or two the developers will post a fix. The last time I looked a few months ago there wasn't a fix, and it looked like the problem had been around for a while. Note to FOSS devs - "fixed in CVS" isn't a fix if there isn't a simple to use free build platform on the target OS.

Re:Evince is OK! (1)

Gaygirlie (1657131) | about 4 years ago | (#31692476)

Have you tried SumatraPDF? I use it for reading PDF files and while it is somewhat ugly it's at least fast and updated regularly. I cannot say whether it is affected by this bug/feature or not, though, haven't checked yet.

http://blog.kowalczyk.info/software/sumatrapdf/index.html [kowalczyk.info]

Re:Evince is OK! (0)

Anonymous Coward | about 4 years ago | (#31692590)

Thanks to you both, didn't notice that print issue :-) and you are correct.
Will give sumatra a shot, also as I got the idea of using evince from Ubuntu in a virtual box - I may pluck up the courage to rebuild and ditch MS.

Thanks /.

Re:With Foxit Reader (0, Informative)

Anonymous Coward | about 4 years ago | (#31692024)

From TFA:

"In this case, Foxit Reader is probably worse than Adobe Reader, because no warning gets displayed to prevent the launch action. My PoC PDF requires some changes for Foxit Reader, because ultimately, the executable doesn’t run. But that’s probably due to some variation in the PDF language supported by Foxit Reader."

So apparently it *DOESN'T* "just run". Yet, at least.

further proof D. Knuth was right (5, Insightful)

Anonymous Coward | about 4 years ago | (#31691450)

Who the hell thought it was a good idea to have dynamic content in a document description language?

Notice you never hear about exploits-of-the-week like this for LaTeX !

Re:further proof D. Knuth was right (1)

Lunix Nutcase (1092239) | about 4 years ago | (#31691544)

What dynamic content? This has nothing to do with JavaScript.

With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this ( I don’t use JavaScript in my PoC PDF ), and patching Adobe Reader isn’t possible (I’m not exploiting a vulnerability, just being creative with the PDF language specs).

Re:further proof D. Knuth was right (1)

plover (150551) | about 4 years ago | (#31692280)

What dynamic content? This has nothing to do with JavaScript.

Dynamic content != JavaScript.

Dynamic content is a generic name for all manner of executable things, including not only PDFs and JavaScript, but also LaTeX, ActiveX, VBScript, etc. JavaScript is simply one of many different implementations of dynamic content.

In this case it's a "/Launch" command in the PDF syntax that's being exploited.

Re:further proof D. Knuth was right (5, Insightful)

TheRaven64 (641858) | about 4 years ago | (#31691562)

I can't decide if you're trying to be ironic, but there are no 'vulnerabilities' in LaTeX because the ability to interact with files and run arbitrary programs are part of the language. The reason LaTeX isn't often exploited is that it is very rare to run LaTeX programs from untrusted sources; you distribute the output from the program, not the program itself.

On a slightly different topic, is there a competition going on in Adobe to see if the Flash or Acrobat teams can collect the most security advisories?

Re:further proof D. Knuth was right (2, Informative)

Chyeld (713439) | about 4 years ago | (#31692170)

PDF is the evolved form of PostScript - http://en.wikipedia.org/wiki/PostScript [wikipedia.org] and at the time PS came out, it wasn't that bad of an idea, especially since it enabled us to actually print IMAGES.

Unfortunately, feature creep set in and instead of creating a language actually meant for publishing and sharing documents, Adobe just reimplemented PS in PDF and glossed over the fact that they were using an elephant gun to shoot a mosquito. This is coming back around to bite them in their butt. But the actual origins of the language weren't as boneheaded as you make them out to be.

"This cannot be patched" (4, Insightful)

Manip (656104) | about 4 years ago | (#31691514)

"This cannot be patched because it isn't a vulnerability." Uhh yes it can, and sure it is. There are millions of bugs that were entirely by design and the designs adapted to eliminate them. I will grant that they might have to break the PDF spec to fix it but frankly it is the right thing to do for everyone concerned.

Re:"This cannot be patched" (0)

Anonymous Coward | about 4 years ago | (#31691774)

One man's feature is another man's defect.

Re:"This cannot be patched" (2, Insightful)

plover (150551) | about 4 years ago | (#31692296)

One man's feature is another man's defect.

In the case of security "features", one man's feature is EVERYONE's defect.

Re:"This cannot be patched" (2, Insightful)

Applekid (993327) | about 4 years ago | (#31691820)

Exactly. To execute code, at some point, the reader is branching into data created or loaded by the pdf. When is that ever a good idea? If it's part of the PDF spec then it's a pretty good part to break compatibility with.

Clever social engineering... (2, Interesting)

Chris Burke (6130) | about 4 years ago | (#31691528)

You open the .pdf. On page 1 you see: "Hey you! Close this file, rename it to end with '.exe', and then double click it! There's, uh, boobs! Yeah lots of boobies."

Okay so that's not entirely accurate, and at least one .pdf reader requires no social engineering at all other than getting them to open the pdf itself. Why would you make it so that you can't (normally) embed executables in the .pdf, but then allow .pdfs to launch arbitrary commands?

Re:Clever social engineering... (1)

TheRaven64 (641858) | about 4 years ago | (#31691682)

Being able to run external programs does make sense for some use-cases of PDFs. For example, a PDF form might contain some JavaScript logic for validating a form and then an action to submit it via some custom mechanism. You probably wouldn't distribute PDFs like this in the wild, but you might use them inside a company. A time sheet might be an example of this - you'd fill in the data in Adobe Reader and then submit it into the corporate accounts system. It's a bit of a stretch, but this feature was probably added back when the web was a lot less common.

Re:Clever social engineering... (2, Insightful)

idontgno (624372) | about 4 years ago | (#31691828)

If you design a sharp blade into an out-of-the-way spot of a hammer, don't be upset if you get cut while driving nails.

Not every tool is proper for every job. Using PDF as a general-purpose computing language is either mistaken or willfully stupid.

PDF is a document format. It's an output format. It's not a form-entry language. It's not the web. It's not an operating system. It sure as hell shouldn't be able to trigger any open-ended OS action. Its vocabulary of actions and action subjects should be limited...to just PDFs. Interpreted entirely internally.

Any use case that involves running external programs from within the PDF interpreter is a broken use case, caused by misapplying a tool for a purpose it's not properly intended for.

It's not a form-entry language... (1)

Jeffrey_Walsh VA (1335967) | about 4 years ago | (#31692202)

But it is a likely choice for those who have the pdf creation software, are familiar with using it, and want the flexibility of a single form that can be: printed blank and filled out on paper; filled out on screen then printed; or filled out and submitted online.

Re:Clever social engineering... (4, Insightful)

StoatBringer (552938) | about 4 years ago | (#31692300)

PDF is a document format. It's an output format. It's not a form-entry language. It's not the web. It's not an operating system. It sure as hell shouldn't be able to trigger any open-ended OS action.

You've never dealt with a marketing department, clearly.

"Hey, you know what would be cool? What if PDF documents could also play videos?"
"Um.. well, it's technically possible but I don't think that-"
"Great! WE MUST HAVE THIS FEATURE! NOW! DROP EVERYTHING AND GET TO IT!"

Re:Clever social engineering... (1)

Dishevel (1105119) | about 4 years ago | (#31692336)

But it IS all of those things. Maybe it should not be.

It surely should not be.

But it is. Since that is what it is then maybe we should just not be using it at all. If the only thing your company can send me is a fucking PDF then you can print it and mail it to me.

Re:Clever social engineering... (5, Funny)

T Murphy (1054674) | about 4 years ago | (#31691706)

The guys at Adobe heard about oscilloscopes with hidden games on them, and Word's flight simulator, so they incorporated "features" so they could make an easter egg of their own. They never got around to that easter egg, so now lots of people are kindly lending them a hand at it.

Testing done in Windows only... (0)

Anonymous Coward | about 4 years ago | (#31691540)

I'm willing to bet this concern isn't a Linux and/or BSD problem.

Windows only again? (1, Funny)

Anonymous Coward | about 4 years ago | (#31691548)

Poor Mac OS X and Linux users are left out again.

*nix vulnerable too? (3, Interesting)

cpuh0g (839926) | about 4 years ago | (#31691586)

What happens on *nix versions of Adobe Reader - OS/X, Solaris, Linux, etc?

Re:*nix vulnerable too? (1)

Jorl17 (1716772) | about 4 years ago | (#31692220)

I'm not sure, but I'd say it works pretty much the same way, it just runs the code (with or without a confirmation dialog). Like any other exploit/unwanted-feature, the pseudo-hacker must know what he/she is targeting.

No executable required? (0, Offtopic)

keytoe (91531) | about 4 years ago | (#31691588)

I don't understand how someone can say that it doesn't exploit a reader to operate. That implies that opening the file in, say, a text editor will somehow trigger the exploit. I find that claim highly dubious. What about a hex editor? Running 'cat'?

At some point, in order for the exploit to trigger, some executable must operate on the data enclosed in the file. It is therefore an exploit in an executable, and thus it is important to know which executables are vulnerable. Saying anything else is disingenuous and nothing but rampant fear mongering.

Re:No executable required? (1)

Graham J - XVI (1076671) | about 4 years ago | (#31691728)

It's not an exploit if it's using an intentional feature. TFA clearly mentions Adobe Reader as the software used, obviously opening it in something else will not have the same effect.

Re:No *buggy* executable required? (2, Informative)

Chris Burke (6130) | about 4 years ago | (#31691850)

It means "exploit" a reader as in "take advantage of a bug in", not "make use of in any way". In other words, a perfectly coded pdf reader with zero bugs whatsoever would still be vulnerable. So the answer to which executables is "All of them" At least if they're implemented correctly, which is a very different circumstance than usual and worth making note of.

By your usage of exploit, then they'd have to say this: "This method exploits a PDF reader, a computer operating system, a computer, the electrical grid, the planet earth and its star, Sol, and the laws of physics."

Oh but it does make some difference which reader you are using. Some throw up a warning dialogue (whose content can apparently be controlled to an extent) and at least one doesn't. Foxit is apparently a reader you should avoid.

Re:No executable required? (1)

SanityInAnarchy (655584) | about 4 years ago | (#31691954)

At some point, in order for the exploit to trigger, some executable must operate on the data enclosed in the file. It is therefore an exploit in an executable, and thus it is important to know which executables are vulnerable.

All which correctly implement the PDF spec. Posting before reading the summary is also disingenuous.

Adobe misfeature (2, Informative)

Animats (122034) | about 4 years ago | (#31691740)

Explanation [didierstevens.com]

Video [didierstevens.com]

Demo PDF file (as .zip) [didierstevens.com]

PDF apparently has (stupidly) a capability to launch an executable program which is run when the PDF file is opened. There's a warning message. All the exploit does is put in some text like "To view the encrypted message in this PDF document, select "Do not show this message again" and click the Open button." into the warning dialog box.

Incidentally, SumatraPDF doesn't do this, but that seems to be a bug; the test file produces "Synchronization file cannot be opened".

Re:Adobe misfeature (1)

qoncept (599709) | about 4 years ago | (#31691870)

My biggest problem with Reader has been that it's a horribly slow piece of garbage with 3rd party alternatives that work great. I'd call this "strike 2" but it's already way beyond "out."

Adobe Crumbles (1)

Zorlon (181163) | about 4 years ago | (#31691766)

I find Adobe proprietary apps like pdf viewer and flash to be very annoying. I would love a nice rain to wash that mud away.

Seriously, just uninstall Reader already. (2, Informative)

DrEldarion (114072) | about 4 years ago | (#31691786)

For 98% of people, Reader is unnecessary and just opens up a ton of security holes.

Easy replacement:
1) Install Google Chrome [google.com]
2) Install this extension [google.com] which opens up all PDFs in Google Docs.
3) Enjoy your new, safe browsing and PDF-viewing environment.

Re:Seriously, just uninstall Reader already. (2, Insightful)

Anonymous Coward | about 4 years ago | (#31691872)

Yeah, because Google doesn't have enough of your info already.

Re:Seriously, just uninstall Reader already. (1)

SOdhner (1619761) | about 4 years ago | (#31692264)

No, it's that Google already has SO MUCH of my info that I just don't care anymore. Trying to keep any of my information from Google at this point is like closing the barn doors after the cows are out.

Re:Seriously, just uninstall Reader already. (2, Insightful)

misterooga (1172837) | about 4 years ago | (#31692040)

With the google doc extension, don't you need to be online? Also, that's assuming you don't mind google caching on the pdf you're opening, right?

Re:Seriously, just uninstall Reader already. (1)

Jorl17 (1716772) | about 4 years ago | (#31692198)

Or, for once, learn how to open documents sent from SECURE SOURCES. What's all the fuss with idiot people reading documents sent by evil-idiots? Just teach people about distinguishing between good and bad "software", as it is possible to teach them to distinguish between 'good' and 'bad' words. Sure secure apps matter, but security mustn't be taken for granted and, thus, we should be educated about it.
Ditto.

Re:Seriously, just uninstall Reader already. (1)

DrEldarion (114072) | about 4 years ago | (#31692244)

The problem with unsecure PDFs is that they're vulnerable to drive-by attacks. If your browser has a security flaw, that can be used to open an infected PDF. A rogue website can redirect to an infected PDF and most browsers are set to auto-open them.

I'd wager that most people infected by PDFs never downloaded anything manually.

Re:Seriously, just uninstall Reader already. (1)

_bug_ (112702) | about 4 years ago | (#31692232)

This is a very bad idea.

If you're opening your PDFs with Google Docs then you're uploading your PDF to Google Docs first. Perhaps for some kind of unimportant document such as a manual or spec sheet this might not seem like a big deal. But if you're trying to open, say, last year's tax returns that you've saved in PDF, well now your tax return information is "in the cloud". Or maybe you're filling out a form from your health care provider concerning some sort of particularly embarrassing medical issue. Do you really want that information "in the cloud"?

You may try to argue that Google Docs is safe and secure. I bet yesterday Adobe would have said Acrobat Reader was safe and secure too.

Re:Seriously, just uninstall Reader already. (0)

Anonymous Coward | about 4 years ago | (#31692402)

You forgot step 4. Have Google examine your pdf and save for later.

Re:Seriously, just uninstall Reader already. (2, Informative)

evilviper (135110) | about 4 years ago | (#31692432)

For 98% of people, Reader is unnecessary and just opens up a ton of security holes.

While I still highly recommend any of the alternatives, I've seen several cases where websites are checking for that specific plug-in, and will not make any attempt to display the PDF, or offer any alternative links to the document, if Reader is not detected. Of course if more people dropped Adobe's crap, this would cease to be an acceptable way to display PDFs, but it should at least be noted that you might find just a few dark corners where the alternatives won't work for you.

And let me take a moment to rant on about what a dog Acrobat Reader is. I've seen innumerable systems that had plenty of free memory, UNTIL Reader started up, and grabbed a fricking half GB, and caused serious system swapping. Replacing Reader with XPDF always brings the very same system from dog slow, to lightning fast...

Re:Seriously, just uninstall Reader already. (0)

Anonymous Coward | about 4 years ago | (#31692468)

that just moves the vulnerability onto Google though, doesn't it, since they will still have to run the PDF to get its output. Is getting Google.com infected really worth it?

/s

Yup, part of the PDF spec (2, Interesting)

MagicM (85041) | about 4 years ago | (#31692004)

If you're really a nerd, you'll want to scroll through the PDF Reference [adobe.com] section 8.5 ("Actions"). Be careful though, as it may hurt a little.

Instead of simply jumping to a destination in the document, an annotation or outline item can specify an action (PDF 1.1) for the viewer application to perform, such as launching an application, playing a sound, or changing an annotation's appearance state. [...] In addition, the optional OpenAction entry in a document's catalog (Section 3.6.1, "Document Catalog") may specify an action to be performed when the document is opened.

It's actually very well-defined, and creating a document that implements this part of the specification should be trivial.
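A triage check for the `/Launch` action and `OpenAction` entry discussed in this thread, as an added example that is not part of the original comments or the researcher's code. It goes beyond the single dictionary quoted earlier by also reading names written with `#xx` escapes and objects held in Flate-compressed streams; the name list, function names and sample fragments (constructed) are this example's own.

```python
import re
import zlib

# Names flagged during triage; this selection is the example's own choice.
RISKY_NAMES = ("Launch", "OpenAction", "AA", "JavaScript", "EmbeddedFile")

# A PDF name is "/" followed by characters that are not whitespace or delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.S)
# File specification given as a literal string, e.g. /F (cmd.exe)
TARGET_RE = re.compile(rb"/F\s*\(((?:\\.|[^\\)])*)\)", re.S)


def unescape_name(raw: bytes) -> bytes:
    """Undo #xx escapes (PDF 1.2+), so /L#61unch compares equal to /Launch."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def inflate_streams(data: bytes) -> list:
    """Return the contents of every stream that inflates as zlib (FlateDecode)."""
    layers = []
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates a stray EOL byte or a clipped checksum
            layers.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # other filters and encrypted streams are not handled here
    return layers


def scan_pdf(data: bytes) -> dict:
    """Count risky names in the raw file and in inflated streams."""
    counts = {name: 0 for name in RISKY_NAMES}
    obfuscated, targets = set(), set()
    for layer in [data] + inflate_streams(data):
        for m in NAME_RE.finditer(layer):
            name = unescape_name(m.group(1)).decode("latin-1")
            if name in counts:
                counts[name] += 1
                if b"#" in m.group(1):
                    obfuscated.add(name)  # name was written with #xx escapes
        # Second pass on a copy with names unescaped, to read launch targets.
        plain = NAME_RE.sub(lambda m: b"/" + unescape_name(m.group(1)), layer)
        for m in re.finditer(rb"/Launch\b", plain):
            # Heuristic: look for /F (...) within 200 bytes of the action name.
            window = plain[max(0, m.start() - 200):m.end() + 200]
            targets.update(t.decode("latin-1") for t in TARGET_RE.findall(window))
    # Heuristic: a launch action plus any automatic trigger in the same file.
    auto = counts["Launch"] > 0 and (counts["OpenAction"] > 0 or counts["AA"] > 0)
    return {"counts": counts, "obfuscated": sorted(obfuscated),
            "launch_targets": sorted(targets), "launch_with_open_trigger": auto}


# Constructed fragment: the action dictionary quoted in the thread, in clear text.
SAMPLE_PLAIN = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Type /Action /S /Launch /Win << /F (cmd.exe) >> >>\nendobj\n"
)

# Constructed fragment: same action, escaped name, inside a compressed stream.
HIDDEN_OBJ = b"<< /Type /Action /S /L#61unch /Win << /F (cmd.exe) >> >>"
SAMPLE_HIDDEN = (
    b"%PDF-1.5\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(HIDDEN_OBJ) + b"\nendstream\nendobj\n"
)

if __name__ == "__main__":
    for label, sample in (("plain", SAMPLE_PLAIN), ("hidden", SAMPLE_HIDDEN)):
        print(label, scan_pdf(sample))
```

This is a byte-level triage pass, not a PDF parser: a hit means the file deserves a closer look before it reaches a reader, and a clean result on an encrypted document proves nothing.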

Old news. I got hacked 4 weeks ago by one of these (4, Informative)

St.Creed (853824) | about 4 years ago | (#31692010)

I was reading a technical forum (used by a few dozen people, I'm in a niche market) with Chrome, when a PDF popped up containing nonsense text.

Of course I wasn't happy about it, so I contacted the owner of the site and scanned my laptop with McAfee's antivirus. Didn't find anything, but 2 weeks later I received a mail that my passwords had been reset for my own website because of suspicious activity. As it turned out, someone had installed a virus similar to the one that got me, on my contact page. Great.

This is with a laptop running Chrome, Windows Vista with UAC enabled, McAfee security suite. I didn't even get a warning.

I used Malwarebytes' Anti-malware to find and remove the stuff that got installed. At least, I'm hoping it got removed - but nothing is certain :P The strange thing is now, that when I need to access a fishy site I use Internet Explorer because it caught the drive-by download the next time I visited. Sort of a complete reversal of policy for me.

Anonymous Coward (0)

Anonymous Coward | about 4 years ago | (#31692054)

Does anyone know if Sumatra PDF is vulnerable?

Re:Anonymous Coward (0)

Anonymous Coward | about 4 years ago | (#31692320)

I'm sure someone knows.

This isn't news.. (0)

Anonymous Coward | about 4 years ago | (#31692312)

This isn't new, hiding viruses in .pdf files has been going on for years, maybe even a full decade. I remember doing this with Subseven a long time ago. Nothing new.

So Sandboxie for my Web Browser and pdf files? (0)

Anonymous Coward | about 4 years ago | (#31692348)

So Sandboxie for my Web Browser and pdf files?

!Exploit (1)

MikaelC (584630) | about 4 years ago | (#31692460)

Okay. So the PDF standard has the potential for launching external (or even embedded) files. In Adobe Reader this will create a warning dialog with the following text: "The file and its viewer application are set to be launched by this PDF file. The file may contain programs, macros, or viruses that could potentially harm your computer. Only open the file if you are sure it is safe. If this file was placed by a trusted person or program, you can click Open to view the file." That seems perfectly clear to me. There is really no reason to change this behavior. This is not an exploit.

Sumatra? (1)

mordejai (702496) | about 4 years ago | (#31692540)

Does anyone know if Sumatra PDF [kowalczyk.info] is vulnerable?

I stopped using Foxit because of its frequent crashes and annoying updater, and I only use Acrobat for printing.

Worst security flaw of the decade (2, Funny)

MobyDisk (75490) | about 4 years ago | (#31692570)

There is a command in the PDF language that says "execute the following command-line!" I thought having that ability in the scripting language was dumb. But it's actually available in the document description format? What possible purpose could that serve? I don't want a message box added, or a security setting -- just remove that command entirely from the implementation!

How did this come about when they were designing the PDF format?
      "Let's make it support bold, italic, underline, and execute."
One of the above does not fit with the others.

How is this new?? (1)

Stan92057 (737634) | about 4 years ago | (#31692616)

How is this new?? Since he couldn't find a vulnerability he just uses an old one and uses social engineering as the final key in, wow, just wow.