Slashdot Mirror


New Method Could Hide Malware In PDFs, No Further Exploits Needed

Trailrunner7 writes "A security researcher has managed to create a proof-of-concept PDF file that executes an embedded executable without exploiting any other security vulnerabilities. The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file. With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this."

18 of 234 comments

  1. Re:Sad by sopssa · · Score: 5, Insightful

    But for once Adobe is actually more secure than the better alternative Foxit. Adobe PDF Reader at least warns and asks your permission to run the file, but Foxit does neither one but just happily runs it. That fact made me uninstall Foxit for now at least.

  2. further proof D. Knuth was right by Anonymous Coward · · Score: 5, Insightful

    Who the hell thought it was a good idea to have dynamic content in a document description language?

    Notice you never hear about exploits-of-the-week like this for LaTeX!

    1. Re:further proof D. Knuth was right by TheRaven64 · · Score: 5, Insightful

      I can't decide if you're trying to be ironic, but there are no 'vulnerabilities' in LaTeX because the ability to interact with files and run arbitrary programs is part of the language. The reason LaTeX isn't often exploited is that it is very rare to run LaTeX programs from untrusted sources; you distribute the output from the program, not the program itself.

      On a slightly different topic, is there a competition going on in Adobe to see if the Flash or Acrobat teams can collect the most security advisories?

      --
      I am TheRaven on Soylent News
    2. Re:further proof D. Knuth was right by jirka · · Score: 2, Insightful

      Why don't you compile the following document with "tex --shell-escape" as root

      \write18{rm -fR /}

  3. "This cannot be patched" by Manip · · Score: 4, Insightful

    "This cannot be patched because it isn't a vulnerability." Uhh yes it can, and sure it is. There are millions of bugs that were entirely by design and the designs adapted to eliminate them. I will grant that they might have to break the PDF spec' to fix it but frankly it is the right thing to do for everyone concerned.

    1. Re:"This cannot be patched" by Applekid · · Score: 2, Insightful

      Exactly. To execute code, at some point, the reader is branching into data created or loaded by the pdf. When is that ever a good idea? If it's part of the PDF spec then it's a pretty good part to break compatibility with.

      --
      More Twoson than Cupertino
    2. Re:"This cannot be patched" by plover · · Score: 2, Insightful

      One man's feature is another man's defect.

      In the case of security "features", one man's feature is EVERYONE's defect.

      --
      John
  4. Re:Sad by c-reus · · Score: 3, Insightful

    Of course, the average user is known to thoroughly read the warnings and definitely will not click "OK, just get this thing out of my face" within half a second after the dialog box has finished rendering.

  5. Re:Clever social engineering... by idontgno · · Score: 2, Insightful

    If you design a sharp blade into an out-of-the-way spot of a hammer, don't be upset if you get cut while driving nails.

    Not every tool is proper for every job. Using PDF as a general-purpose computing language is either mistaken or willfully stupid.

    PDF is a document format. It's an output format. It's not a form-entry language. It's not the web. It's not an operating system. It sure as hell shouldn't be able to trigger any open-ended OS action. Its vocabulary of actions and action subjects should be limited...to just PDFs. Interpreted entirely internally.

    Any use case that involves running external programs from within the PDF interpreter is a broken use case, caused by misapplying a tool for a purpose it's not properly intended for.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  6. Re:Seriously, just uninstall Reader already. by Anonymous Coward · · Score: 2, Insightful

    Yeah, because Google doesn't have enough of your info already.

  7. Re:Sad by Anonymous Coward · · Score: 1, Insightful

    dunno how it holds up as far as security but for basic pdf needs sumatra > foxit imo.. http://blog.kowalczyk.info/software/sumatrapdf/index.html

  8. Re:Seriously, just uninstall Reader already. by misterooga · · Score: 2, Insightful

    With the google doc extension, don't you need to be online? Also, that's assuming you don't mind google caching on the pdf you're opening, right?

  9. Re:Clever social engineering... by StoatBringer · · Score: 4, Insightful

    > PDF is a document format. It's an output format. It's not a form-entry language. It's not the web. It's not an operating system. It sure as hell shouldn't be able to trigger any open-ended OS action.

    You've never dealt with a marketing department, clearly.

    "Hey, you know what would be cool? What if PDF documents could also play videos?"
    "Um.. well, it's technically possible but I don't think that-"
    "Great! WE MUST HAVE THIS FEATURE! NOW! DROP EVERYTHING AND GET TO IT!"

    --
    Cress, cress, lovely lovely cress
  10. Re:Sad by Anonymous Coward · · Score: 0, Insightful

    Fuck, those guys are awesome. Let's start the timer for how long it takes Adobe to do the same.

  11. In other news... by Dupedupeshakur · · Score: 2, Insightful

    ...with a bit of clever social engineering I can get you to open my malware executable directly.

  12. Only a warning? by Spykk · · Score: 3, Insightful

    > With Adobe Reader, the only thing preventing execution is a warning.

    The only thing preventing your browser from executing a binary executable is a warning.

  13. Re:Sad by Grishnakh · · Score: 2, Insightful

    PDF is (or was) a good format and standard; it lets you define documents so that they look the same on any platform, and can be printed on any printer and look identical.

    The only problem with it is that it was perfected for this purpose long ago, so Adobe kept adding more and more crap to it.

    This is one reason open-source is generally better: when an open-source project is done, the developers leave it that way (unless any bugs are found), and go find something else productive to work on. They don't try to keep justifying their existence by adding more and more bloat to something, to try to make it useful for tasks that other tools are better for. TeX is a good example of this.

  14. Re:Sad by FlyingBishop · · Score: 2, Insightful

    Foxit is just as bloated as Adobe. Use Sumatra.