Hacker Finds Multiple PDF Backdoors
Gungadin writes "Eweek.com has a story about a British security researcher figuring out a way to manipulate legitimate features in Adobe PDF files to open backdoors for computer attacks. David Kierznowski, a penetration testing expert specializing in Web application testing, has released proof-of-concept code and two sample PDF files to demonstrate how the Adobe Reader program can be rigged to launch Web-based attacks without any user action. He claims there are at least seven different ways to backdoor a PDF."
Basically, the PDF standard allows for a lot of ways to access data on your local machine, in databases, and through your web browser. It also has mechanisms for running JavaScript, and even executing arbitrary local programs. Some of these things require a user to click on a link in a PDF, and some require just opening the PDF or visiting a specific page in the PDF.
Many of these features are quite helpful for corporate clients, but maybe shouldn't be allowed by default.
In retrospect, some of the other free 3rd-party PDF viewers, that don't support those fancy features, might be better for people to use:
http://www.icesoft.com/products/icepdf.html
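A defensive triage sketch for the features the comment above describes, as an added example that is not part of the original thread: it counts the PDF dictionary keys that start an action on open, on a page visit, or on a click, and decodes `#xx` name escapes so a key written as `/J#61vaScript` is still counted. The sample bytes are constructed, and keys hidden inside compressed object streams are not visible to this scan.

```python
import re
from collections import Counter

# Dictionary keys from the PDF specification that start an action or carry script.
ACTIVE_KEYS = {
    "OpenAction": "runs when the document is opened",
    "AA": "additional actions, e.g. on page open or close",
    "JavaScript": "JavaScript action type or name tree",
    "JS": "JavaScript source",
    "Launch": "starts a local program or opens a file",
    "URI": "opens a URL",
    "SubmitForm": "sends form data to a URL",
    "ImportData": "imports form data from a file",
}

# A name is "/" followed by characters up to whitespace or a PDF delimiter.
NAME_RE = re.compile(rb"/([^\s\x00()<>\[\]{}/%]+)")
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")  # "#61" inside a name means "a"


def triage_pdf(data: bytes) -> Counter:
    """Count action-related keys in the uncompressed parts of a PDF."""
    hits = Counter()
    for match in NAME_RE.finditer(data):
        raw = HEX_ESC.sub(lambda h: bytes([int(h.group(1), 16)]), match.group(1))
        key = raw.decode("latin-1")
        if key in ACTIVE_KEYS:
            hits[key] += 1
    return hits


# Constructed sample for illustration, not one of the researcher's files.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 5 0 R >> >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /JS (app.alert(1);) >> endobj\n"
    b"5 0 obj << /S /URI /URI (http://example.invalid/) >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for key, count in sorted(triage_pdf(SAMPLE).items()):
        print(f"/{key:<11} x{count}  {ACTIVE_KEYS[key]}")
```

A non-zero count is a reason to open the file in a viewer with those features disabled, not proof of malice, since legitimate forms use the same keys.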
Use FoxitReader (http://www.foxitsoftware.com), much lighter and faster than Adobe Reader, and probably with its own set of vulnerabilities, but unlikely to be much targeted.
Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
In the article the second "back door demo (PDF)" link just points to the same PDF as the first link. The correct link is:
http://michaeldaw.org/projects/backdoored2.pdf
Load PDFs with Acrobat in seconds