Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Method Could Hide Malware In PDFs, No Further Exploits Needed

Posted by timothy on from the deploy-linux-countermeasures dept.

Trailrunner7 writes "A security researcher has managed to create a proof-of-concept PDF file that executes an embedded executable without exploiting any other security vulnerabilities. The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file. With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this."

7 of 234 comments (clear)

  1. Re:Sad by sopssa · · Score: 5, Insightful

    But for once Adobe is actually more secure than the better alternative Foxit. Adobe PDF Reader at least warns and asks your permission to run the file, but Fox It does neither one but just happily runs it. That fact made me uninstall Foxit for now at least.

  2. further proof D. Knuth was right by Anonymous Coward · · Score: 5, Insightful

    Who the hell thought it was a good idea to have dynamic content in a document description language?

    Notice you never hear about exploits-of-the-week like this for LaTeX !

    1. Re:further proof D. Knuth was right by TheRaven64 · · Score: 5, Insightful

      I can't decide if you're trying to be ironic, but there are no 'vulnerabilities' in LaTeX because the ability to interact with files and run arbitrary programs are part of the language. The reason LaTeX isn't often exploited is that it is very rare to run LaTeX programs from untrusted sources; you distribute the output from the program, not the program itself.

      On a slightly different topic, is there a competition going on in Adobe to see if the Flash or Acrobat teams can collect the most security advisories?

      --
      I am TheRaven on Soylent News
  3. "This cannot be patched" by Manip · · Score: 4, Insightful

    "This cannot be patch because it isn't a vulnerability." Uhh yes it can, and sure it is. There are millions of bugs that were entirely by design and the designs adapted to eliminate them. I will grant that they might have to break the PDF spec' to fix it but frankly it is the right thing to do for everyone concerned.

  4. Re:Sad by c-reus · · Score: 3, Insightful

    Of course, the average user is known to thoroughly read the warnings and definitely will not click "OK, just get this thing out of my face" within half a second after the dialog box has finished rendering.

  5. Re:Clever social engineering... by StoatBringer · · Score: 4, Insightful
    PDF is a document format. It's an output format. It's not a form-entry language. It's not the web. It's not an operating system. It sure as hell shouldn't be able to trigger any open-ended OS action.

    You've never dealt with a marketing department, clearly.

    "Hey, you know what would be cool? What if PDF documents could also play videos?"
    "Um.. well, it's technically possible but I don't think that-"
    "Great! WE MUST HAVE THIS FEATURE! NOW! DROP EVERYTHING AND GET TO IT!"

    --
    Cress, cress, lovely lovely cress
  6. Only a warning? by Spykk · · Score: 3, Insightful

    With Adobe Reader, the only thing preventing execution is a warning.

    The only thing preventing your browser from executing a binary executable is a warning.