Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hacker Finds Multiple PDF Backdoors

Posted by ryuzaki0 on from the watch-where-you-put-that dept.

Gungadin writes "Eweek.com has a story about a British security researcher figuring out a way to manipulate legitimate features in Adobe PDF files to open backdoors for computer attacks. David Kierznowski, a penetration testing expert specializing in Web application testing, has released proof-of-concept code and two sample PDF files to demonstrate how the Adobe Reader program can be rigged to launch Web-based attacks without any user action. He claims there are least seven different ways to backdoor a PDF."

5 of 147 comments (clear)

  1. Non Adobe? by BiggyP · · Score: 4, Insightful

    Ok, i don't have the Adobe reader installed but rather Evince and gPDF, since these lack support for a lot of the additional features of PDF am i any safer?

    --
    Software Freedom Day!.
  2. It's not a vulnerability, it's an exploit... by crazyjeremy · · Score: 4, Insightful
    "I do not really consider these attacks as vulnerabilities within Adobe. It is more exploiting features supported by the product that were never designed for this," Kierznowski said in an e-mail interview with eWEEK.
    Isn't that what a vulnerability is? Exploiting a "feature" in a way not originally intended?
    --
    Funnypics
    1. Re:It's not a vulnerability, it's an exploit... by JustNilt · · Score: 4, Insightful

      It seems a fine line but I think many would consider this an exploit. A vulnerability would be a non-feature that can be exploited in some manner. I could be wrong (as far as speaking for others) but this is my take on it. Again, it seems a little like semantics but it's a line that can be defines quite well.

      --
      You know the thing about UDP jokes? I don't care if you get it or not.
  3. Confused by ndansmith · · Score: 3, Insightful

    After reading the article I am not sure if this is an Adobe Reader problem or a PDF problem. Every example cites an Adobe product, but the "hacker" said, "I do not really consider these attacks as vulnerabilities within Adobe. It is more exploiting features supported by the product that were never designed for this." Translation?

  4. Re:Does anyone else think this is good news? by alain94040 · · Score: 4, Insightful

    Sorry, I got to disagree with this. If you are looking for print quality (as in book), PDF is way ahead of any standard HTML I have ever seen.

    Yes, AcroRead takes longer and longer to load, defeating the purpose of being this ubiquitous reader Adobe is pitching. Yes it's not open.

    But still, it's the saftest way I have found so far to send someone a document so I could be sure that when they open it, it looks exactly like I intended it to look. That to me is key: I care about the looks of what I do.

    Alain.