Slashdot Mirror


PDF Virus Spotted

Jethro73 writes: "Adobe's popular PDF file format [...] has generally been considered immune to viruses. But a new virus carried by programs embedded in PDF files raises concerns that the format itself could become susceptible. Read about it here and at coderz.net."


  1. Re:PDF Virus a *Proof of Concept*, not a real thre by Bonker · · Score: 3, Insightful

    Well, the Code Red exploit was once a proof of concept. I still have the original post from the NTBugtraq list outlining the vulnerability...

    I think we're going to come to the point where *any* embeddable-type document is going to be prone to infestation. We're almost there. We just need to add .swf, .psd, and the complex audio formats coming out. Play a Music Stream from Real and get a virus!

    --
    The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
  2. A PDF virus? by Mr_Silver · · Score: 3, Insightful
    Unless I've read this totally wrongly, it's not really a PDF virus - more a VB(S) virus embedded in a PDF file.

    If that is the case, then practically any program that can embed other files is suddenly going to be flagged as having a virus, when in reality, it's just the same old software (VB and VBS) causing the same old problems (reading outlook email addresses and so forth) ...

    Or am I missing something?

    --
    Avantslash - View Slashdot cleanly on your mobile phone.
  3. Re:Adobe legal defense by jmv · · Score: 3, Interesting

    They're gonna yell out "You see what happens when people reverse-engineer our software ?".

    Quite the opposite. When writing a PDF virus you're not reverse engineering or circumventing anything. However, if there's a virus in an e-book, you can't study it because then you'd be violating the DMCA and the virus writer can sue you and have you put in jail. Cool isn't it?

  4. Postscript is a complete language by coyote-san · · Score: 4, Interesting

    Postscript is a complete language, the only reason it doesn't make a good viral platform is that the standard library is extremely limited (some disk I/O, no network I/O iirc) and there's no well-known way to call external libraries.

    But make no mistake - it would not be hard to define an extension which allows PS functions to call native libraries. This is the type of extension that could be easily added to support some purpose, without consideration of how this will increase the risk of a viral load.

    Finally, to ask the obvious question of why you would do extensive programming in PS, the reason is simple - it allows your file to adjust itself to the printer. E.g., you might have a file which contains meteorological information on a map. If you print the file on a standard printer you get two dozen reports. But if you print it on a large format printer, you get 4x as much information because the file knows it can push additional information onto the map. Or you might get basic information on a monochrome printer, and additional information on a color printer where you can provide visual distinction between the layers.

    In some limited cases, you can even have the PS file compute its own content. I've seen that done with some fractal graphics - you might send a <1k file which causes the printer to sit and think for an hour. Great stuff for confusing MCSEs - the print queue says it's printing a 1k file, but it's been churning away for a looooong time.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  5. And you can thank... by dave-fu · · Score: 5, Interesting

    ...feature creep. What does anyone need Javascript or anything "dynamic" in a PDF for, anyhow?
    When people start applying the KISS principle judiciously, things will get a whole lot safer.

    --
    Easy does it!
    This comment has been submitted already, 276865 hours , 59 minutes ago. No need to try again.
    1. Re:And you can thank... by LetterJ · · Score: 5, Insightful

      Why Javascript in PDF? Ever pay taxes? Javascript in PDF works well for forms that have to be printed and mailed, but they'd prefer typed entries to handwritten. It lets you do those inane calculations on the boxes on the US 1040 form and carry data to other fields. It lets you only enter the necessary data and eliminates mistakes based on simple math. Also useful for forms that want things like your name on the top of pages 2-99. Fill in your name on page 1 and it carries through. Want to have an online version of your form and want no legal problems by having two versions of the same form? Put the PDF of the print form on with Javascript validation. Just because you don't have a need for a feature in PDF doesn't mean that it wasn't necessary or isn't useful to someone.

    2. Re:And you can thank... by LetterJ · · Score: 3, Informative

      Many, many forms, both in government and business require that the exact layout be used on all copies. The layout is chosen to meet accessibility regulations, etc. That part is non-negotiable. So, these forms traditionally are printed out and available by mail, or in person. Then Adobe comes up with PDF. This electronic file that retains the exact printed layout and can be downloaded or placed on CD-ROM. So, some agencies start using it. Folks download the file, print it out and send it in. Ahh, but some of those folks filling it out have incredibly illegible handwriting. Adobe, will you please make it so our forms can be filled out with typewritten information by our users before they print it? Sure. Adobe Acrobat forms are born. Then the agencies start to notice that when the form requires the same information in several different places, people are mistyping it in one or more. Hence the Javascript in PDF.

      Throughout all of this, the data is NEVER sent to any server at all. The agency is still requiring a printed copy of the filled out form. Keep in mind that in many cases, these forms are published by a government agency to be submitted to folks other than the agency itself. Prime example: the US W-4 form for income tax deductions from a paycheck. The form is submitted to the employer. The IRS makes up the PDF form and you fill it out and give it to your employer. The IRS isn't involved other than providing the proper form.

      As far as having built a Javascript 'application', yes I have. Not relevant to the discussion. The original post attacked not the implementation, but the very idea of Javascript in PDF. Your attack on Javascript has to do with a poor implementation in Javascript. I don't care what scripting language is used, the concept is valid and that's what I was defending.

      Improper implementations of a concept do NOT invalidate the concept itself. The concept must be evaluated on its own merits.

    3. Re:And you can thank... by SCHecklerX · · Score: 5, Interesting
      It lets you do those inane calculations on the boxes on the US 1040 form and carry data to other fields. It lets you only enter the necessary data and eliminates mistakes based on simple math. Also useful for forms that want things like your name on the top of pages 2-99. Fill in your name on page 1 and it carries through. Want to have an online version of your form and want no legal problems by having two versions of the same form? Put the PDF of the print form on with Javascript validation.

      And all of those things could be achieved with an online form, processed and verified on the backend that the administrators have *FULL* control over. Have you ever written a javascript 'application?' Did you know that the '+' symbol is used for both string concatenation and for addition? And usually, javascript will pick the wrong operation : 2+2='22', for example. Yeah, that's how I want my tax information calculated, NOT!

      This is almost the same shit I just had to go through with Pennsylvania's braindead online unemployment compensation registration. They did EVERYTHING as a FSCKING javascript/ActiveX client side app. UGH! It is so broken that I ended up just downloading a text form from the web site and faxing that in.

      Can someone please explain to me why anybody, ESPECIALLY A GOVERNMENT AGENCY, would write things so heavily dependent on client-side tools?

      Below is the letter I wrote to them:

      ...doesn't work at all under Netscape, Mozilla, Lynx, Links, KFM or Konqueror on linux.

      I did not test Netscape or Mozilla under Windows or Macintosh, but the problems could be there as well.

      In IE under windows, it caused a GPF 3/4 of the way through, and in several instances did not load properly, not allowing me to fill out fields that were required. Also in IE, your code causes a security alert on *EVERY PAGE* when using Microsoft's default security settings.

      WHY are you depending on so much client side code for what amounts to nothing more than a series of forms that are used to feed a back end database? There is NO EXCUSE for a GOVERNMENT AGENCY to be excluding all types of people (including the blind, or the poor who could be accessing your page from a text-only, no javascript browser) from filing for UC Benefits online. It is simply unacceptable.

      I am very disappointed in what you have slapped together to file claims online, and hope that you fix it for future unemployed folks who would like to file their claims themselves online, saving everyone time and effort.

      Yes, simple javascript can save some time by providing immediate feedback for data verification to the end user...but you depend far too heavily on it. What about people who are using browsers with no javascript enabled at all? They cannot file online. This also breaks a very basic security rule: You can't trust things coming from a client. ALL DATA should be verified on the backend itself.

      Since your application is totally useless for me, I decided to use a fax fill out form instead (linked on the same page as the electronic application). Well, it's a week later, and I haven't heard anything, so I called the Lancaster Unemployment Office. The representative there informed me that the preferred method is to file over the telephone, as faxes "can get lost, or sit on someone's desk for a week before being processed." Lovely. Why is the preferred (telephone) method not stated on the web page?

      Please re-write the online application. It can be a great tool to file online, but the way it has been done is error-prone and excludes a rather large set of people from using it. These people are then forced to use other methods, causing the entire system to be much less efficient.
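
The `+` behaviour and the backend-verification rule from the comment above, as an added example that is not part of the original post: form values arrive as strings, so the server parses them strictly and recomputes the total instead of trusting the client's. The field names `wages`, `interest` and `total` are hypothetical.

```javascript
// Added example, not from the thread. Field names are hypothetical.

// Form and query-string values always arrive as strings, so '+' concatenates.
function naiveTotal(fields) {
  return fields.wages + fields.interest; // string + string
}

// Strict decimal amount: digits with at most two decimal places.
// Rejects signs, exponents ("1e3"), hex ("0x10"), whitespace and empty input.
const AMOUNT_RE = /^\d{1,12}(\.\d{1,2})?$/;

// Convert a validated amount string to integer cents; null if invalid.
function toCents(value) {
  if (typeof value !== 'string' || !AMOUNT_RE.test(value)) return null;
  const [whole, frac = ''] = value.split('.');
  return Number(whole) * 100 + Number(frac.padEnd(2, '0'));
}

// Server-side check: every field is re-parsed, and the total the client
// sent is compared against a sum computed here.
function validateSubmission(fields) {
  const errors = [];
  const cents = {};
  for (const name of ['wages', 'interest', 'total']) {
    const c = toCents(fields[name]);
    if (c === null) errors.push(`${name}: not a valid amount`);
    else cents[name] = c;
  }
  if (errors.length === 0 && cents.wages + cents.interest !== cents.total) {
    errors.push('total: does not match server-side sum');
  }
  const ok = errors.length === 0;
  return { ok, errors, totalCents: ok ? cents.total : null };
}

// Constructed submissions: one honest, one carrying a client-computed total.
console.log(naiveTotal({ wages: '2', interest: '2' }));
console.log(validateSubmission({ wages: '2', interest: '2', total: '4' }));
console.log(validateSubmission({ wages: '2', interest: '2', total: '22' }));
```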

  6. Apply the same arguments to other areas of safety by FreeUser · · Score: 5, Insightful
    Typical customers want their email client to open attachments for them. Typical customers want Acrobat to be able to process VBScript (according to Adobe). Unfortunately, typical customers don't want to be raped by script kiddies and haX0rz either--but they don't seem to be willing to sacrifice their features for it.

    Where is the balance?


    This is a remarkably easy question to answer if you substitute another area of safety people, even clueless Microsoft users, can understand.

    Allow me to paraphrase:


    "Typical customers want to be able to board the plane without delay. Typical customers want to be able to take as much baggage as they like, up to and including the Steinway. Unfortunately, typical customers don't want to die horribly in a plane crash -- but they don't seem to be willing to sacrifice their features for it.

    Where is the balance?"


    Obviously, if the industry cannot police itself, and the free market doesn't yield acceptable results, government regulation is the only reasonable recourse (libertarian knee-jerk reactions aside). In the case of aircraft the FAA has stepped in, and while there are a lot of regulations, as a pilot I can say the vast majority of them are reasonable and do a great deal of good.

    Think the aircraft example is too dramatic? Then substitute something else, such as an automobile, a building, or even a child's toy. All of these things have features people would want if they could have them but are incompatible with safety (think seat-belts, firecodes, children choking, etc.). In each case the manufacturers were incapable of properly policing themselves and government ended up having to step in (safety codes, building codes, mandatory testing procedures, etc.).

    Microsoft has demonstrated its incompetence to such an extreme that fissionable nuclear materials may well have been misplaced as a direct and demonstrable result of poor quality control in their software. They make no apology for this, blaming instead the victims of their own incompetence (their customers) and claiming it is what their customers want (I would beg to differ). Clearly the industry is not policing itself properly, nor, based on the market share Microsoft currently enjoys, is the free market yielding acceptable results. Similar arguments apply to Adobe, its fraudulently incompetent copy protection for eBooks and its virus-facilitating PDF file format.

    I know it is a profoundly unpopular idea (and I'm not terribly thrilled with the notion myself), but perhaps it is time for some basic standards of quality and security to be imposed through some form of regulation. The alternative seems to be more of the same, which is clearly not acceptable.
    --
    The Future of Human Evolution: Autonomy
  7. Actually, PDF was designed for viewing by kaszeta · · Score: 3, Informative
    Most people only have the viewer for obvious reasons so only a small number of people would be affected. Of course adding VBScript execution to the viewer would be just plain Stupid since PDF files are designed to be PRINTED and not viewed on screen...

    While you are correct in stating that adding VBscript and other such extensions to PDF is stupid, the PDF format was explicitly designed with the idea of users being able to view documents in addition to printing them.

    PDF was designed as a method for users to share documents without requiring them to all have the software that created the documents. They took a subset of the postscript language and modified it to improve portability (such as font handling), remove some of the printer-specific bits of Postscript, and add features that may be desirable for portable documents (like encryption, for-handling, etc). Yes, the ability to print it correctly was important, but so was on-screen viewing.

    That they did a piss-poor job of on-screen previewing (as anyone that uses bitmap fonts in TeX will attest to) in Acrobat notwithstanding, they designed it for both viewing and printing.

  8. I send you this pdf... by lavaforge · · Score: 5, Funny

    In order to have your advice.

  9. Related CNet Story by Anonymous Coward · · Score: 4, Informative

    There's a CNet story on the same news piece here: http://news.cnet.com/news/0-1003-200-6808673.html?tag=mainstry

  10. From the support desk by alnapp · · Score: 3, Funny

    Dear users,
    Please ignore anything we may have said about 'Safe file attachments'. In fact, do not open any of your e-mails, ever again, and, to be safe, just stay in bed.
    Thanks

    1. Re:From the support desk by RWC09 · · Score: 3, Funny

      I guess we should all start using that VERY SAFE and UNBREAKABLE e-book now instead of this messy pdf format!

      --
      -->If Linux was written by Bill Gates & Co. - no one would want to switch !!
  11. adobe strikes again by White+Shade · · Score: 3, Insightful

    Wow, adobe has struck the Slashdot headlines *again*, and with news that's just as bad, if not worse, than anything else so far...

    I noticed this:
    "But Adobe doesn't currently plan to prevent VBScript or other files from running."

    And the first thing that comes to mind is "gosh, what a totally stupid policy." All they have to do is NOT pass executable data to the script software...

    Who even needs a way to execute scripts OF ANY KIND in a .pdf file?! The whole point of a pdf is that it is supposed to give you exactly what you get on the paper page, in a platform-independent fashion.. Your printed manual can't execute attachments, can it?! All the joys of excessive featuritis..

    On another closely related hand, Isn't it great that we can get Outlook macroviruses without even opening the attachment in outlook? Just think of the thousands of stupid office workers who are going to start spreading macroviruses without even realizing it... Teaching them not to use attachments in OUTLOOK has been hard enough.. to cope with Acrobat as well?! Damn near impossible....

    *sigh*

    --
    ìì!
  12. Re:Postscript virus by mmontour · · Score: 4, Insightful

    About ten years ago there was a postscript virus that Did Things to printers

    There's some info about it here. Was apparently quite nasty on some hardware, as it changed a password that required an EPROM replacement to correct. This might have been more a "trojan" than a "virus", as I didn't find any references to it spreading itself (just that it could be a payload in clipart or other EPS files).

    http://catless.ncl.ac.uk/Risks/10.32.html#subj1
    ftp://ftp.minolta-qms.com/pub/cts/out_going/dos/postv.txt
    http://www.sevenlocks.com/password/pspass.txt

    I thought that there was also something a few years ago where viewing a postscript file could alter files on your local machine (buffer overflow in a particular viewer program, unsafe default security settings, or something). However I couldn't find any information, so I might be mis-remembering.

  13. Not worried by JediTrainer · · Score: 4, Informative

    From the article: "The virus spreads only by way of Adobe's Acrobat software--the program used to create PDF documents--not through Acrobat Reader, the free program that is used to view the files"

    I don't own Acrobat, and I never will. I have other ways of creating PDFs which are cheaper. Most people don't have Acrobat. Most never will. This virus, thus, can't get far.

    --

    You can accomplish anything you set your mind to. The impossible just takes a little longer.
    1. Re:Not worried by abischof · · Score: 4, Interesting

      FreePDF purports to convert documents to PDF for free, via a faux-printer-driver (for Win32). I have yet to try it, but its setup does look kinda complicated.

      --

      Alex Bischoff
      HTML/CSS coder for hire

  14. Karma by Sternn · · Score: 4, Funny

    Like no one saw this coming? I mean, if anyone deserves this, Adobe looks like a prime candidate. I mean, after all, trying to find out HOW a virus attacks from a PDF file and trying to STOP it could land you in prison for 5 years...

    --
    -Sternn
  15. Re:Adobe legal defense by tb3 · · Score: 4, Interesting
    Check the second link. The author is 'Zulu' and he says he's from Argentina. He gives us the full source code for the damn thing. He also specs out a number of other possible scenarios for viruses in PDF files. If McAfee, Symantec, et al were on the ball, they'd be checking sites like this, so they could nip these things in the bud. But then they'd never get their names on CNET and ZDNET every other day.

    Me? Cynical?

    --

    www.lucernesys.com Horizon: Calendar-based personal finance

  16. Flaw in your argument by FreeUser · · Score: 3, Insightful

    So you're proposing more regulation as the answer? I see a serious flaw in this reasoning. Government regulation and laws are already in place to punish those who develop virus code.

    That is difficult to say (who can quantify how many potential virus writers are deterred by threat of jailtime? Greater than zero almost certainly. Greater than a hundred, a thousand, a million? We really don't know.) However, once again an example from the physical world makes the issue rather clear:

    "So you're proposing more regulation as the answer? I see a serious flaw in this reasoning. Government regulation and laws are already in place to punish those who commit acts of arson."

    Clearly fire codes were necessary to prevent disasters such as the Chicago fire (which wiped out the entire city in the 19th century and is believed to have been started not by an arsonist, but by simple accident). Laws which punish crimes are often not sufficient to protect the public from negligence on the part of product manufacturers, or even negligence on the part of consumers.

    Consider the Ford Pinto, which was prone to explode (violently) when rear-ended. Ramming a Ford Pinto from behind, even by accident, is illegal. Nevertheless that was insufficient to prevent accidents which resulted in numerous fiery explosions and needless deaths, nor was it sufficient to get Ford Motor Company to change a design they knew was flawed to begin with. Lawsuits and, yes, additional government regulation were necessary to bring public safety up to an acceptable level. The Free Market and outlawing actions which exacerbated the unsafe conditions which the manufacturer's negligence had left in place were very obviously not enough.

    So too does it appear to be with software. Some minimal level of security needs to be required. If the industry cannot police itself and the free market isn't up to the task of weeding out the negligent (and both certainly appear to be the case here), then government regulation for the common good is not at all unreasonable.

    Of course, as with any act of government, such regulation has the potential to be more harmful than good, but it also has the potential to be more good than harmful (as with, for example, building codes in most cities and FAA regulations). It is incumbent on us as software engineers and Free Software advocates to be out in force, involved in creating any such regulations, such that they are helpful to the industry (and the industry must, by definition, include Free Software) and not detrimental.

    I guarantee if we're not, someone else will step up to the plate. Indeed, with the FBI outages and attacks on the White House I'm surprised this process hasn't begun already.

    --
    The Future of Human Evolution: Autonomy
  17. PDF Virus a *Proof of Concept*, not a real threat by Phoukka · · Score: 3, Interesting

    As many have already noted, the embedded VBScript will only run when triggered by someone double-clicking on the file annotation included in the PDF while using the full version of Acrobat. Thus, the virus is not particularly dangerous.

    The social engineering, however, is pretty amazing. The author has created a neat little PDF "game" that people will want to double-click. And, as he wrote in the text file linked above, he wrote it as a proof of concept. The worm doesn't do much except spread itself using Outlook. I think the scary part, the point the author wanted to make, is that you can embed all sorts of fun things in a PDF file. Some other virus writer could make a new version that does something nasty after it emails itself to every address it can find in your Outlook folders.

    Yes, the threat level is low, due to the required combination of software and social engineering. But just because the combination of software is rare doesn't mean that we should disregard the possibility.



    Now for a display of massive ignorance: I wonder what a PDF virus could do on a system whose GUI is based on PDF (Mac OS X)?
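
A triage check for the PDF features discussed in the comment above, as an added example that is not part of the original thread: it counts the PDF name tokens that mark file attachments, embedded files and actions, decoding `#xx` escapes inside names. The sample document and its `attachment.vbs` filename are constructed.

```javascript
// Added example, not from the thread: flag PDFs that carry attachments or
// actions so they can be reviewed before anyone opens them.
const WATCHED = new Set([
  '/FileAttachment', // annotation subtype: the clickable attachment icon
  '/Filespec',       // file specification dictionary
  '/EmbeddedFile',   // stream holding the attached file's bytes
  '/JavaScript', '/JS', '/Launch', // action types
  '/OpenAction', '/AA',            // actions triggered without a click
]);

// A PDF name may write any byte as #xx, so /J#61vaScript equals /JavaScript.
function decodeName(raw) {
  return raw.replace(/#([0-9A-Fa-f]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Scan raw bytes for name tokens: '/' followed by non-delimiter characters.
// Limits: names inside compressed streams are not visible without inflating
// them, and a watched name inside a text string is also counted. This is
// triage, not a verdict.
function scanPdf(input) {
  const text = Buffer.isBuffer(input) ? input.toString('latin1') : String(input);
  const counts = {};
  const obfuscated = [];
  const nameToken = /\/[^\x00\t\n\f\r ()<>\[\]{}\/%]+/g;
  for (const [raw] of text.matchAll(nameToken)) {
    const name = decodeName(raw);
    if (!WATCHED.has(name)) continue;
    counts[name] = (counts[name] || 0) + 1;
    if (raw !== name) obfuscated.push(raw); // escaped spelling of a watched name
  }
  return { counts, obfuscated, flagged: Object.keys(counts).length > 0 };
}

// Constructed sample: a file-attachment annotation plus an escaped action name.
const SAMPLE = Buffer.from([
  '%PDF-1.3',
  '1 0 obj << /Type /Annot /Subtype /FileAttachment /FS 2 0 R >> endobj',
  '2 0 obj << /Type /Filespec /F (attachment.vbs) /EF << /F 3 0 R >> >> endobj',
  '3 0 obj << /Type /EmbeddedFile /Length 0 >> stream',
  'endstream endobj',
  '4 0 obj << /S /J#61vaScript /JS 5 0 R >> endobj',
  '%%EOF',
].join('\n'), 'latin1');

// Constructed sample with no attachments or actions.
const PLAIN = '%PDF-1.3\n1 0 obj << /Type /Page /Contents 2 0 R >> endobj\n%%EOF';

console.log(scanPdf(SAMPLE));
console.log(scanPdf(PLAIN));
```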

  18. Re:In other news.... by mini+me · · Score: 3, Funny

    You think that's bad, wait until you get infected by the "Rotten" PDF virus twice!

  19. That's amazing. by dave-fu · · Score: 4, Funny

    It sounds like you just described a web page to me.
    Also, it's high time that PDFs came with their own e-mail client so I don't have to go through the pesky details of saving and attaching and that horrible rigamarole. And a web browser so I can go fact-check or check m-w.com before I'm done.
    I demand these features in PDF. Just because no one needs them and other applications already do them doesn't mean they shouldn't put them in... right?

    --
    Easy does it!
    This comment has been submitted already, 276865 hours , 59 minutes ago. No need to try again.
  20. Do they WANT virii? by imadork · · Score: 5, Insightful
    In the ZDNET Article, it has this statement:

    Adobe said any popular software becomes a target for security attacks and Acrobat has crossed that threshold.

    I'm convinced that software companies now WANT viruses to run on their software, because it "proves" the software is popular. If I were Adobe, I would distance myself from the virus by saying "PDF's can now carry VBScript viruses, but VBScript is still broken with respect to security, so blame Microsoft for any viruses!" After all, the problem is with the fact that VBScript can't be trusted, not with any inherent security problem in Acrobat.

    Instead, Adobe seems to WANT to associate their software with the viruses, because Microsoft has conditioned the media into thinking that having a virus have its way with your software proves that you're the Market Share Leader.

    After all, if nobody writes viruses for, say, UNIX platforms, it must mean that they aren't as popular!