Original URL: http://www.theregister.co.uk/2010/04/06/wormable_pdfs/
PDF security hole opens can of worms
Proof of concept out
The security perils of PDF files have been further highlighted by new research illustrating how a manipulated file might be used to infect other PDF files on a system.
The "wormable PDF" research comes days after another security researcher, Didier Stevens, showed how it was possible to both embed malicious executables in PDFs and manipulate pop-up dialog boxes to trick victims into running a malicious payload. Both Adobe and FoxIT are working on a fix against the security shortcomings in their respective PDF viewing packages illustrated by the research.
Conway, who last week published an advisory and proof of concept video demo on wormable PDFs, said he was inspired to hunt for related vulnerabilities in the PDF specification by Stevens' research. A fix capable of blocking the security loophole discovered by Stevens ought to also prevent the possibility of 'worming' PDFs. "If the vendors figure out a method to prevent Didier’s example this same fix will stop this proof of concept as well," Conway writes.
A follow-up blog post by Conway explains the implications of the security shortcomings of PDF files in greater depth.
"I chose to infect the benign PDF with another, and launch a hack that redirected a user to my website, but this could have just as easily been an exploit pack and or embedded Trojan binary," Conway explains. "Worse yet this dynamic infection vector could be utilised to populate all PDFs for some new O-day attack, thereby multiplying an attackers infection vehicles while still exploiting user systems ('worm-able')."
An informative blog post by Mikko Hypponen, chief research officer at net security firm F-Secure, explains how all sorts of unexpected content is supported by the PDF specification.