Slashdot Mirror

← Back to Stories (view on slashdot.org)

PDF Virus Spotted

Posted by michael on from the xpdf-not-vulnerable dept.

Jethro73 writes: "Adobe's popular PDF file format [...] has generally been considered immune to viruses. But a new virus carried by programs embedded in PDF files raises concerns that the format itself could become susceptible. Read about it here and at coderz.net."

14 of 244 comments (clear)

  1. Postscript is a complete language by coyote-san · · Score: 4, Interesting

    Postscript is a complete language, the only reason it doesn't make a good viral platform is that the standard library is extremely limited (some disk I/O, no network I/O iirc) and there's no well-known way to call external libraries.

    But make no mistake - it would not be hard to define an extension which allows PS functions to call native libraries. This is the type of extension that could be easily added to support some purpose, without consideration of how this will increase the risk of a viral load.

    Finally, to ask the obvious question of why you would do extensive programming in PS, the reason is simple - it allows your file to adjust itself to the printer. E.g., you might have a file which contains meteorological information on a map. If you print the file on a standard printer you get two dozen reports. But if you print it on a large format printer, you get 4x as much information because the file knows it can push additional information onto the map. Or you might get basic information on a monochrome printer, and additional information on a color printer where you can provide visual distinction between the layers.

    In some limited cases, you can even have the PS file compute its own content. I've seen that done with some fractal graphics - you might send a <1k file which causes the printer to sit and think for an hour. Great stuff for confusing MCSEs - the print queue says it's printing a 1k file, but it's been churning away for looooon time.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  2. And you can thank... by dave-fu · · Score: 5, Interesting

    ...feature creep. What does anyone need Javascript or anything "dynamic" in a PDF for, anyhow?
    When people start applying the KISS principle judiciously, things will get a whole lot safer.

    --
    Easy does it!
    This comment has been submitted already, 276865 hours , 59 minutes ago. No need to try again.
    1. Re:And you can thank... by LetterJ · · Score: 5, Insightful

      Why Javascript in PDF? Ever pay taxes? Javascript in PDF works well for forms that have to be printed and mailed, but they'd prefer typed entries to handwritten. It lets you do those inane calculations on the boxes on the US 1040 form and carry data to other fields. It lets you only enter the necessary data and eliminates mistakes based on simple math. Also useful for forms that want things like your name on the top of pages 2-99. Fill in your name on page 1 and it carries through. Want to have an online version of your form and want no legal problems by having two versions of the same form? Put the PDF of the print form on with Javascript validation. Just because you don't have a need for a feature in PDF doesn't mean that it wasn't necessary or isn't useful to someone.

      --

      The Glass is Too Big: My Take on Things
    2. Re:And you can thank... by SCHecklerX · · Score: 5, Interesting
      It lets you do those inane calculations on the boxes on the US 1040 form and carry data to other fields. It lets you only enter the necessary data and eliminates mistakes based on simple math. Also useful for forms that want things like your name on the top of pages 2-99. Fill in your name on page 1 and it carries through. Want to have an online version of your form and want no legal problems by having two versions of the same form? Put the PDF of the print form on with Javascript validation.

      And all of those things could be achieved with an online form, processed and verified on the backend that the administrators have *FULL* control over. Have you ever written a javascript 'application?' Did you know that the '+' symbol is used for both string concatanation and for addition? And usually, javascript will pick the wrong operation : 2+2='22', for example. Yeah, that's how I want my tax information calculated, NOT!

      This is almost the same shit I just had to go through with Pennsylvania's braindead online unemployment comensation registration. They did EVERYTHING as a FSCKING javascript/ActiveX client side app. UGH! It is so broken that I ended up just downloading a text form from the web site and faxing that in.

      Can someone please explain to me why anybody, ESPECIALLY A GOVERNMENT AGENCY, would write things so heavily dependent on client-side tools?

      Below is the letter I wrote to them:

      ...doesn't work at all under Netscape, Mozilla, Lynx, Links, KFM or Konqueror on linux.

      I did not test Netscape or Mozilla under Windows or Macintosh, but the problems could be there as well.

      In IE under windows, it caused a GPF 3/4 of the way through, and in several instances did not load properly, not allowing me to fill out fields that were required. Also in IE, your code causes a security alert on *EVERY PAGE* when using Microsoft's default security settings.

      WHY are you depending on so much client side code for what amounts to nothing more than a series of forms that are used to feed a back end database? There is NO EXCUSE for a GOVERNMENT AGENCY to be excluding all types of people (including the blind, or the poor who could be accessing your page from a text-only, no javascript browser) from filing for UC Benefits online. It is simply unacceptable.

      I am very disappointed in what you have slapped together to file claims online, and hope that you fix it for future unemployed folks who would like to file their claims themselves online, saving everyone time and effort.

      Yes, simple javascript can save some time by providing immediate feedback for data verification to the end user...but you depend far too heavily on it. What about people who are using browsers with no javascript enabled at all? They cannot file online. This also breaks a very basic security rule: You can't trust things coming from a client. ALL DATA should be verified on the backend itself.

      Since your application is totally useless for me, I decided to use a fax fill out form instead (linked on the same page as the electronic application). Well, it's a week later, and I haven't heard anything, so I called the Lancaster Unemployment Office. The representative there informed me that the preferred method is to file over the telephone, as faxes "can get lost, or sit on someone's desk for a week before being processed." Lovely. Why is the preferred (telephone) method not stated on the web page?

      Please re-write the online application. It can be a great tool to file online, but the way it has been done is error-prone and excludes a rather large set of people from using it. These people are then forced to use other methods, causing the entire system to be much less efficient.

  3. Apply the same arguments to other areas of safety by FreeUser · · Score: 5, Insightful
    Typical customers want their email client to open attachments for them. Typical customers want Acrobat to be able to process VBScript (according to Adobe). Unfortunately, typical customers don't want to be raped by script kiddies and haX0rz either--but they don't seem to be willing to sacrifice their features for it.

    Where is the balance?

    This is a remarkably easy question to answer if you substitute another area of safety people, even clueless Microsoft users, can understand.

    Allow me to paraphrase:


    "Typical customers want to be able to board the plane without delay. Typical customers want to be able to take as much baggage as they luck, up to and including the Steinway. Unfortunately, typical customers don't want to die horribly in a plane crash -- bugt they don't seem to be willing to sacrifice their features for it.

    Where is the balance?"


    Obviously, if the industry cannot police itself, and the free market doesn't yield acceptable results, government regulation is the only reasonable recourse (libertarian knee-jerk reactions aside). In the case of aircraft the FAA has stepped in, and while their are alot of regulations, as a pilot I can say the vast majority of them are reasonable and do a great deal of good.

    Think the aircraft example is too dramatic? Then substitute something else, such as an automobile, a building, or even a child's toy. All of these things have features people would want if they could have them but are incompatible with safety (think seat-belts, firecodes, chilren choking, etc.). In each case the manufacturers were incapable of properly policing themselves and government ended up having to step in (safety codes, building codes, mandatory testing procedures, etc.).

    Microsoft has demonstrated its incompetence to such an extreme that fissionable nuclear materials may well have been misplaced as a direct and demonstrable result of poor quality control in their software. They make no apology for this, blaming instead the victims of their own incompetence (their customers) and claiming it is what their customers want (I would beg to differ). Clearly the industry is not policing itself properly, nor, based on the market share Microsoft currently enjoys, is the free market yielding acceptable results. Similar arguments apply to Adobe, its fraudulantly incompetent copy protection for eBooks and its virus-facilitating PDF file format.

    I know it is a profoundly unpopular idea (and I'm not terribly thrilled with the notion myself), but perhaps it is time for some basic standards of quality and security to be imposed through some form of regulation. The alternative seems to be more of the same, which is clearly not acceptable.
    --
    The Future of Human Evolution: Autonomy
  4. I send you this pdf... by lavaforge · · Score: 5, Funny

    In order to have your advice.

  5. Related CNet Story by Anonymous Coward · · Score: 4, Informative

    There's a CNet story on the same news piece here: http://news.cnet.com/news/0-1003-200-6808673.html? tag=mainstry

  6. Re:Postscript virus by mmontour · · Score: 4, Insightful

    About ten years ago there was a postscript virus that Did Things to printers

    There's some info about it here. Was apparantly quite nasty on some hardware, as it changed a password that required an EPROM replacement to correct. This might have been more a "trojan" than a "virus", as I didn't find any references to it spreading itself (just that it could be a payload in clipart or other EPS files).

    http://catless.ncl.ac.uk/Risks/10.32.html#subj1
    ftp://ftp.minolta-qms.com/pub/cts/out_going/dos/po stv.txt
    http://www.sevenlocks.com/password/pspass.txt

    I thought that there was also something a few years ago where viewing a postscript file could alter files on your local machine (buffer overflow in a particular viewer program, unsafe default security settings, or something). However I couldn't find any information, so I might be mis-remembering.

  7. Not worried by JediTrainer · · Score: 4, Informative

    From the article: "The virus spreads only by way of Adobe's Acrobat software--the program used to create PDF documents--not through Acrobat Reader, the free program that is used to view the files"

    I don't own Acrobat, and I never will. I have other ways of creating PDFs which are cheaper. Most people don't have Acrobat. Most never will. This virus, thus, can't get far.

    --

    You can accomplish anything you set your mind to. The impossible just takes a little longer.
    1. Re:Not worried by abischof · · Score: 4, Interesting

      FreePDF purports to convert documents to PDF for free, via a faux-printer-driver (for Win32). I have yet to try it, but its setup does look kinda complicated.

      --

      Alex Bischoff
      HTML/CSS coder for hire

  8. Karma by Sternn · · Score: 4, Funny

    Like no one saw this coming? I mean, if anyone deserves this, Adobe looks like a prime candidate. I mean, after all, trying to find out HOW a virus attacks from a PDF file and trying to STOP it could land you in prison for 5 years...

    --
    -Sternn
  9. Re:Adobe legal defense by tb3 · · Score: 4, Interesting
    Check the second link. The author is 'Zulu' and he says he from Argentina. He gives us the full source code for the damn thing. He also specs out a number of other possible senarios for viruses in PDf files. If Macafee, Symantec, et al were on the ball, they'd be checking sites like this, so they could nip these things in the bud. But then they'd never get their names on CNET and ZDNET every other day.

    Me? Cynical?

    --

    www.lucernesys.comHorizon: Calendar-based personal finance

  10. That's amazing. by dave-fu · · Score: 4, Funny

    It sounds like you just described a web page to me.
    Also, it's high time that PDFs came with their own e-mail client so I don't have to go through the pesky details of saving and attaching and that horrible rigamarole. And a web browser so I can go fact-check or check m-w.com before I'm done.
    I demand these features in PDF. Just because no one needs them and other applications already do them doesn't mean they shouldn't put them in... right?

    --
    Easy does it!
    This comment has been submitted already, 276865 hours , 59 minutes ago. No need to try again.
  11. Do they WANT virii? by imadork · · Score: 5, Insightful
    In the ZDNET Article, it has this statement:

    Adobe said any popular software becomes a target for security attacks and Acrobat has crossed that threshold.

    I'm convinced that software companies now WANT viruses to run on their software, because it "proves" the software is popular. If I were Adobe, I would distance myself from the virus by saying "PDF's can now carry VBScript viruses, but VBScript is still broken with respect to security, so blame Microsoft for any viruses!" After all, the problem is with the fact that VBScript can't be trusted, not with any inherent security problem in Acrobat.

    Instead, Adobe seems to WANT to associate their software with the viruses, because Microsoft has conditioned the media into thinking that having a virus have its way with your software proves that you're the Market Share Leader.

    After all, if nobody writes viruses for, say, UNIX platforms, it must mean that they aren't as popular!