New Method Could Hide Malware In PDFs, No Further Exploits Needed
Trailrunner7 writes "A security researcher has managed to create a proof-of-concept PDF file that executes an embedded executable without exploiting any other security vulnerabilities. The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file. With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this."
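A defender's triage for the kind of file the summary describes, as an added example that is not part of the original story or the researcher's work. The summary does not name the PDF feature involved, so the key list below is an assumption: it uses the names the PDF specification defines for automatic actions, launch actions, embedded files and JavaScript. `SAMPLE` and `PLAIN` are constructed inputs.

```python
import re

# Names from the PDF specification that a triage pass usually flags.
# Assumption: the page does not say which of these the proof of concept uses.
TRIAGE_KEYS = ("OpenAction", "AA", "Launch", "EmbeddedFile", "JavaScript", "JS")

# A name is "/" plus regular characters; "#xx" inside it encodes one byte as hex.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /L#61unch and /Launch compare equal."""
    decoded = HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count flagged names in raw PDF bytes and record which were hex-escaped."""
    counts = {key: 0 for key in TRIAGE_KEYS}
    escaped = set()
    for match in NAME_RE.finditer(data):
        raw = match.group(1)
        name = decode_name(raw)
        if name in counts:
            counts[name] += 1
            if b"#" in raw:
                escaped.add(name)  # escaping a flagged name is itself worth a look
    return {"counts": counts, "escaped": sorted(escaped),
            "review": any(counts.values())}


# Constructed sample: dictionary fragments only, no real payload or command.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"4 0 obj << /Type /Action /S /L#61unch /F (constructed-placeholder) >> endobj\n"
    b"5 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
)
# Constructed sample with none of the flagged names.
PLAIN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"

if __name__ == "__main__":
    print(triage_pdf(SAMPLE))
    print(triage_pdf(PLAIN))
```

The scan reads raw bytes, so names stored inside compressed object streams are not seen; a file that comes back clean here still needs a parser that inflates streams before it can be called clean.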
There's no warning at all. It just runs.
What happens on *nix versions of Adobe Reader - OS/X, Solaris, Linux, etc?
PDF has some superficial syntactic similarities to PostScript. Beyond that, it is not at all like PostScript. The reason the content stream language of PDF is PostScript-like is that it made it easy to print PDF by simply blowing the content stream out as PostScript, accompanied by the appropriate ProcSets. Such usage is deprecated these days -- ProcSets are no longer required to be declared, and modern PDFs can't be printed by blowing the content stream directly to the printer any more.
Even in the areas where PDF looks like PostScript, it's fundamentally different. There is no operand stack. There are no control flow operators. If you start trying to create a PDF under the impression that it's just like PostScript, you'll fail miserably.