Slashdot Mirror

← Back to Stories (view on slashdot.org)

PDF Virus Spotted

Posted by michael on from the xpdf-not-vulnerable dept.

Jethro73 writes: "Adobe's popular PDF file format [...] has generally been considered immune to viruses. But a new virus carried by programs embedded in PDF files raises concerns that the format itself could become susceptible. Read about it here and at coderz.net."

6 of 244 comments (clear)

  1. And you can thank... by dave-fu · · Score: 5, Interesting

    ...feature creep. What does anyone need Javascript or anything "dynamic" in a PDF for, anyhow?
    When people start applying the KISS principle judiciously, things will get a whole lot safer.

    --
    Easy does it!
    This comment has been submitted already, 276865 hours , 59 minutes ago. No need to try again.
    1. Re:And you can thank... by LetterJ · · Score: 5, Insightful

      Why Javascript in PDF? Ever pay taxes? Javascript in PDF works well for forms that have to be printed and mailed, but they'd prefer typed entries to handwritten. It lets you do those inane calculations on the boxes on the US 1040 form and carry data to other fields. It lets you only enter the necessary data and eliminates mistakes based on simple math. Also useful for forms that want things like your name on the top of pages 2-99. Fill in your name on page 1 and it carries through. Want to have an online version of your form and want no legal problems by having two versions of the same form? Put the PDF of the print form on with Javascript validation. Just because you don't have a need for a feature in PDF doesn't mean that it wasn't necessary or isn't useful to someone.

      --

      The Glass is Too Big: My Take on Things
    2. Re:And you can thank... by SCHecklerX · · Score: 5, Interesting
      It lets you do those inane calculations on the boxes on the US 1040 form and carry data to other fields. It lets you only enter the necessary data and eliminates mistakes based on simple math. Also useful for forms that want things like your name on the top of pages 2-99. Fill in your name on page 1 and it carries through. Want to have an online version of your form and want no legal problems by having two versions of the same form? Put the PDF of the print form on with Javascript validation.

      And all of those things could be achieved with an online form, processed and verified on the backend that the administrators have *FULL* control over. Have you ever written a javascript 'application?' Did you know that the '+' symbol is used for both string concatanation and for addition? And usually, javascript will pick the wrong operation : 2+2='22', for example. Yeah, that's how I want my tax information calculated, NOT!

      This is almost the same shit I just had to go through with Pennsylvania's braindead online unemployment comensation registration. They did EVERYTHING as a FSCKING javascript/ActiveX client side app. UGH! It is so broken that I ended up just downloading a text form from the web site and faxing that in.

      Can someone please explain to me why anybody, ESPECIALLY A GOVERNMENT AGENCY, would write things so heavily dependent on client-side tools?

      Below is the letter I wrote to them:

      ...doesn't work at all under Netscape, Mozilla, Lynx, Links, KFM or Konqueror on linux.

      I did not test Netscape or Mozilla under Windows or Macintosh, but the problems could be there as well.

      In IE under windows, it caused a GPF 3/4 of the way through, and in several instances did not load properly, not allowing me to fill out fields that were required. Also in IE, your code causes a security alert on *EVERY PAGE* when using Microsoft's default security settings.

      WHY are you depending on so much client side code for what amounts to nothing more than a series of forms that are used to feed a back end database? There is NO EXCUSE for a GOVERNMENT AGENCY to be excluding all types of people (including the blind, or the poor who could be accessing your page from a text-only, no javascript browser) from filing for UC Benefits online. It is simply unacceptable.

      I am very disappointed in what you have slapped together to file claims online, and hope that you fix it for future unemployed folks who would like to file their claims themselves online, saving everyone time and effort.

      Yes, simple javascript can save some time by providing immediate feedback for data verification to the end user...but you depend far too heavily on it. What about people who are using browsers with no javascript enabled at all? They cannot file online. This also breaks a very basic security rule: You can't trust things coming from a client. ALL DATA should be verified on the backend itself.

      Since your application is totally useless for me, I decided to use a fax fill out form instead (linked on the same page as the electronic application). Well, it's a week later, and I haven't heard anything, so I called the Lancaster Unemployment Office. The representative there informed me that the preferred method is to file over the telephone, as faxes "can get lost, or sit on someone's desk for a week before being processed." Lovely. Why is the preferred (telephone) method not stated on the web page?

      Please re-write the online application. It can be a great tool to file online, but the way it has been done is error-prone and excludes a rather large set of people from using it. These people are then forced to use other methods, causing the entire system to be much less efficient.

  2. Apply the same arguments to other areas of safety by FreeUser · · Score: 5, Insightful
    Typical customers want their email client to open attachments for them. Typical customers want Acrobat to be able to process VBScript (according to Adobe). Unfortunately, typical customers don't want to be raped by script kiddies and haX0rz either--but they don't seem to be willing to sacrifice their features for it.

    Where is the balance?

    This is a remarkably easy question to answer if you substitute another area of safety people, even clueless Microsoft users, can understand.

    Allow me to paraphrase:


    "Typical customers want to be able to board the plane without delay. Typical customers want to be able to take as much baggage as they luck, up to and including the Steinway. Unfortunately, typical customers don't want to die horribly in a plane crash -- bugt they don't seem to be willing to sacrifice their features for it.

    Where is the balance?"


    Obviously, if the industry cannot police itself, and the free market doesn't yield acceptable results, government regulation is the only reasonable recourse (libertarian knee-jerk reactions aside). In the case of aircraft the FAA has stepped in, and while their are alot of regulations, as a pilot I can say the vast majority of them are reasonable and do a great deal of good.

    Think the aircraft example is too dramatic? Then substitute something else, such as an automobile, a building, or even a child's toy. All of these things have features people would want if they could have them but are incompatible with safety (think seat-belts, firecodes, chilren choking, etc.). In each case the manufacturers were incapable of properly policing themselves and government ended up having to step in (safety codes, building codes, mandatory testing procedures, etc.).

    Microsoft has demonstrated its incompetence to such an extreme that fissionable nuclear materials may well have been misplaced as a direct and demonstrable result of poor quality control in their software. They make no apology for this, blaming instead the victims of their own incompetence (their customers) and claiming it is what their customers want (I would beg to differ). Clearly the industry is not policing itself properly, nor, based on the market share Microsoft currently enjoys, is the free market yielding acceptable results. Similar arguments apply to Adobe, its fraudulantly incompetent copy protection for eBooks and its virus-facilitating PDF file format.

    I know it is a profoundly unpopular idea (and I'm not terribly thrilled with the notion myself), but perhaps it is time for some basic standards of quality and security to be imposed through some form of regulation. The alternative seems to be more of the same, which is clearly not acceptable.
    --
    The Future of Human Evolution: Autonomy
  3. I send you this pdf... by lavaforge · · Score: 5, Funny

    In order to have your advice.

  4. Do they WANT virii? by imadork · · Score: 5, Insightful
    In the ZDNET Article, it has this statement:

    Adobe said any popular software becomes a target for security attacks and Acrobat has crossed that threshold.

    I'm convinced that software companies now WANT viruses to run on their software, because it "proves" the software is popular. If I were Adobe, I would distance myself from the virus by saying "PDF's can now carry VBScript viruses, but VBScript is still broken with respect to security, so blame Microsoft for any viruses!" After all, the problem is with the fact that VBScript can't be trusted, not with any inherent security problem in Acrobat.

    Instead, Adobe seems to WANT to associate their software with the viruses, because Microsoft has conditioned the media into thinking that having a virus have its way with your software proves that you're the Market Share Leader.

    After all, if nobody writes viruses for, say, UNIX platforms, it must mean that they aren't as popular!