PDF security hole opens can of worms
Proof of concept out
Regcast training : Hyper-V 3.0, VM high availability and disaster recovery
The security perils of PDF files have been further highlighted by new research illustrating how a manipulated file might be used to infect other PDF files on a system.
Jeremy Conway, an application security researcher at NitroSecurity, said the attack scenario he has discovered shows PDFs are "wormable". Computer viruses are capable, by definition, of overwriting other files to spread. Conway's research is chiefly notable for illustrating how a benign PDF file might become infected using features supported by PDF specification, not a software vulnerability as such, and without the use of external binaries or JavaScript.
The "wormable PDF" research comes days after another security researcher, Didier Stevens, showed how it was possible to both embed malicious executables in PDFs and manipulate pop-up dialog boxes to trick victims into running a malicious payload. Both Adobe and FoxIT are working on a fix against the security shortcomings in their respective PDF viewing packages illustrated by the research.
Conway, who last week published an advisory and proof of concept video demo on wormable PDFs, said he was inspired to hunt for related vulnerabilities in the PDF specification by Stevens' research. A fix capable of blocking the security loophole discovered by Stevens ought to also prevent the possibility of 'worming' PDFs. "If the vendors figure out a method to prevent Didier’s example this same fix will stop this proof of concept as well," Conway writes.
A follow-up blog post by Conway explains the implications of the security shortcomings of PDF files in greater depth.
"I chose to infect the benign PDF with another, and launch a hack that redirected a user to my website, but this could have just as easily been an exploit pack and or embedded Trojan binary," Conway explains. "Worse yet this dynamic infection vector could be utilised to populate all PDFs for some new O-day attack, thereby multiplying an attackers infection vehicles while still exploiting user systems ('worm-able')."
An informative blog post by Mikko Hypponen, chief research officer at net security firm F-Secure, explains how all sorts of unexpected content is supported by the PDF specification.
Media files, JavaScript and forms that upload data a user inputs to an external web server are all supported by the PDF specification in addition to embedded executables. These little-known features go a long way towards explaining both why PDF applications such as Adobe Reader takes ages to load and why the file format has become such a firm favourite with hackers over the last year or so, Hypponen notes. ®
COMMENTS
Amen to that
Somewhere back in the mists of time, PDF was simple. Acrobat Reader was simple and small. They did exactly what was necessary to provide a portable document ideally suited to on-screen viewing, printing out and *nothing* *more*.
Then, as usual with these things, the software company responsible had to go ruin it with needless "convenience" features and fancy stuff nobody really needs (Javascript? Embedded executables? How is it a portable document if it's got an OS-specific EXE buried in there anyway? WTF??), and in the process left it full of security holes, not to mention turning a simple document reader program into a full-fledged example of bloat gone wild (a 38MB download for version 9? Really? Their heads have come undone if they think that's acceptable).
You would *think* that someone would have figured this out after the raft of viruses targeted at Word and Excel files, but apparently not.
Usless bloat
If adobe didn't stuff the PDF file format with embedded crap like video we would not have this crap. But then no one would need to spend $150 on an upgrade every year if they didn't keep putting more and more crap into the format (I'm still using V6, nothing in v9 I want).
PDF should just be an electronic version of what you would put on a piece of paper. It should not be an interactive, multimedia, dog and pony show. If I wanted to do that I'd email my invoice to customers in Flash format :P
Looks like virus support has not been completed for Linux
Xpdf's change log does not mention javascript, and one of the design goals is to keep it simple. There is a good chance that Xpdf will remain safe for years/decades. The Gnome and KDE pdf viewers used to use Xpdf's backend library, so old versions of KPDF and GPDF are safe. New versions are switching / have switched to Poppler - a derivative of Xpdf. Poppler got javascript support late in 2009. It looks like animation support is in progress but not yet complete. (I am not sure how to print out an animation ;-).
For full virus support you may have to wait for the gnu pdf library and the viewer (Juggler) that uses it. When complete, Gnu PDF should be able to run portable malware, but so far many malware authors have not made the effort to write portable viruses. Perhaps one day, the open source community will be able to experience the full range of malware available to Windows users, but today, that is still a far off dream. Has anyone got any Microsoft malware that runs properly in WINE?
If you are looking for a new pdf reader, take your pick: http://www.pdfreaders.org/
IT infrastructure monitoring strategies
Agentless Backup is Not a Myth
Top 10 SIEM implementer’s checklist
Steps to Take Before Choosing a Business Continuity Partner
Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider
