New Method Could Hide Malware In PDFs, No Further Exploits Needed

Trailrunner7 writes "A security researcher has managed to create a proof-of-concept PDF file that executes an embedded executable without exploiting any other security vulnerabilities. The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file. With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this."

Re:Sad

[sopssa]

But for once Adobe is actually more secure than the better alternative Foxit. Adobe PDF Reader at least warns and asks your permission to run the file, but Fox It does neither one but just happily runs it. That fact made me uninstall Foxit for now at least.

further proof D. Knuth was right

Who the hell thought it was a good idea to have dynamic content in a document description language?

Notice you never hear about exploits-of-the-week like this for LaTeX !

Re:further proof D. Knuth was right

[TheRaven64]

I can't decide if you're trying to be ironic, but there are no 'vulnerabilities' in LaTeX because the ability to interact with files and run arbitrary programs are part of the language. The reason LaTeX isn't often exploited is that it is very rare to run LaTeX programs from untrusted sources; you distribute the output from the program, not the program itself.

On a slightly different topic, is there a competition going on in Adobe to see if the Flash or Acrobat teams can collect the most security advisories?