New Method Could Hide Malware In PDFs, No Further Exploits Needed

Trailrunner7 writes "A security researcher has managed to create a proof-of-concept PDF file that executes an embedded executable without exploiting any other security vulnerabilities. The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file. With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this."

No executable required?

[keytoe]

I don't understand how someone can say that it doesn't exploit a reader to operate. That implies that opening the file in, say, a text editor will somehow trigger the exploit. I find that claim highly dubious. What about a hex editor? Running 'cat'?

At some point, in order for the exploit to trigger, some executable must operate on the data enclosed in the file. It is therefore an exploit in an executable, and thus it is important to know which executables are vulnerable. Saying anything else is disingenuous and nothing but rampant fear mongering.