back to article Booby-trapping PDF files: A new how-to

A security researcher has demonstrated a mechanism that exploits PDF files without taking advantage of any particular vulnerabilities. Didier Stevens' proof of concept exploit relies on running an executable embedded in a PDF file - something that ought to be blocked - by launching a command that ultimately runs an executable …

COMMENTS

This topic is closed for new posts.
  1. JC 2
    Grenade

    Acrobat Is Vulnerable? /Really/?

    I'll be so glad when the day comes that we can all say good riddance to PDF files, but to hand that document distribution format over Microsoft isn't quite high on my list of hopes either.

    WTF are they thinking allowing a document reader to do anything more than allow reading documents anyway? Another case where they decided to keep piling on features most people don't use and are worse off because of them. Hello again MS.

    1. Elmer Phud
      FAIL

      Why PDF?

      Not everybody has copies of software used to create all the documents and images that get sent out. Not everybody want to have copies of al the software - just in case.

      I send out pdf's to make things simple as I know people will have some form of pdf reader available. I use Page Plus as it's cheap and easier to use that things like MS Publisher (spit spit). I use pdf's (via Page Plus) to create simple instructions for equipment use - reducing the bullshit down to a few lines of text and some pictures. I don't need to get Word for that - I like it all in separate boxes I can move around with ease and then publish as pdf to send to everybody - not "Now, who has this software" and "I wonder if they are running . . .".

      What else can I use to make life easy instead of hoping that Word users can open stuff I've created in Open Office? So i use O.O. and export as pdf rather than saving as a Word file and praying that which ever version of Word it ends up on manages to open the document properly, wth all the bits in the right places.

      Throwing out the baby and the bathwater and the bath without having another baby and bath to hand is not a good idea. Hello MS? -- the rest of us re trying to run in the other direction, away from being tied to MS.

      What's the replacement for pdf then if MS isn't high on your list - Shirley you've got something in mind.

      1. Anonymous Coward
        Anonymous Coward

        I used to agree ...

        ... but I've started releasing all docs as HTML.

        Okay, so the browser isn't 100% secure either, but if you're using one app to retrieve and view a doc instead of two ... decreased attack surface.

  2. Winkypop Silver badge
    Joke

    PDF

    Pre Determined Fail ?

  3. Tom 7

    @JC 2

    Document distribution is, in computing terms, an historical mistake.

    A document is out of date the moment it is 'printed'.

    Get away from 19thC office concepts and try using your computer as a computer and not a typewriter - you'll get a lot more value from it and save a fortune too!

    1. Anonymous Coward
      Anonymous Coward

      J'agree

      Use a webpage for docs. That satisfies the up-to-date criteria (caching notwithstanding) and allows for (instantly revocable) fine-grained access control as well. Quite useful when certain clients don't understand the concept of "private".

      The webtubes is not a distribution channel. It is an availability channel. Get with the 21 of C and all that.

  4. Mostor Astrakan
    Welcome

    When I were a lad...

    It was impossible to get a virus from a document file, because it didn't get executed. Who was it again that thought embedding executables in document files was a good idea?

  5. Anonymous Coward
    Gates Halo

    Why...

    I was under the impression that adobe PDF reader was just that, a reader!! Not a platform that can easily manipulated to launch effin exe files.

    For the record, i use sumatra padf reader because its small, clean and doesnt install elevnty twelvety undeeded plugins. I mean FFS even the microsoft powerpoint viewer is tiny in comparison to adobe.

    The sooner people realise that there are alternatives out there (hoover/vacuum syndrome) the better our computer security will be. I bet there wouldnt be this issue if we had to pay for adobes reader but because its free and well known, its the de-facto reader for almost everybody. That included myself until only quite recently as i am one of the "i know how to keep my PC safe and secure" brigade, but there is nowt i can do against clever programmers employing underhand tacticts to force, yep FORCE their shit on me. Effin adobe....

  6. John Sturdy

    Remember the ancestry of PDF

    Although PDF is "just a file format", its heritage comes from PostScript, a page description language -- i.e. a full programming language generally used to draw pages.

  7. Robert Carnegie Silver badge

    There are viruses in all kinds of documents.

    Five and a half years ago - "Microsoft Security Bulletin MS04-041

    Vulnerability in WordPad Could Allow Code Execution (885836)"

    There are audio player viruses, video viruses, JavaScript vulnerabilities, web font viruses... everything has viruses. But PDF kind of has them built in.

    However - just because PDF can contain media, links, and executable code, a PDF viewer doesn't -have- to do all those things.

    By the way.... how does a "browser plugin" protect you from local attacks? If it's rendering PDFs in the browser then presumably it's doing that locally.

  8. Harry
    FAIL

    "What else can I use to make life easy"

    How about plain, simple, scriptless HTML -- viewable in any browser and, with intelligent layout, will adapt itself to the size of the user's window instead of requiring the user to adapt their window to the document.

    By far the worst characteristic of PDF for document distribution is that the document usually looks like a printed document instead of a document intended for screen display. Thus we have user-hostile multi-column layouts -- because the original document was intended to be folded and the document's owner was too bone idle to reformat it into a single column for distribution.

    Hmm, I've even come across documents intended for tent-fold printing, where part of the document displays UPSIDE DOWN on screen.

    PDF is appropriate for sending documents from originator to printing company, but that's ALL it should be used for.

    1. Elmer Phud
      Boffin

      Print from HTML?

      Don''t need browser just to send documents, posters, leaflets etc.

      Don't need to knock it up somewhere else in HTML with a 'intelligent layout' (that'd fox most people for a start). Prinitng HTML is so much fun with browsers deciding to add margins and headers/footers no matter how much you click on 'no'. If I want to send something that can be printed as A4 I'm not going to fart aruond with HTML.

      I can just see all those corporate bods beavering away at Word then clicking on the 'publish as HTML' button. If you thought pdf's were funny - MS Office stuff as HTML (and that's not normal HTML) is even funnier.

      If a pdf doesn't look right then it's not necessarily any 'fault' of anyone.

      If it's a menu copy then it's usually based on a folded document format - standard for a menu.

      If the original document was meant to be folded - print the bloody thing out and fold it if it's too hard to read - it was created as something meant to print not flattened out on a screen.

      Tent-fold printing - either print it out -like it was supposed to be done - or flip the thing over.

      Doc files are notorious for trying to open in Open Office - odd formatting that is native to MS but supposedly transportable.

      I've just finished a poster, heavy on graphics and text effects, what else should I use to transmit it and have it for others to print?

  9. Wize

    @Tom7

    "A document is out of date the moment it is 'printed'."

    Which is very helpful. You don't want customers changing the specification of the job they want you do to. You design freeze it. Have a fixed document at a fixed revision. Changes are therefore recorded at specific revision milestones.

    1. ElReg!comments!Pierre

      Changing PDFs is trivial

      If you don't trust your customers not to change the specs, PDF won't save you. It is very easy to edit a PDF. Not as trivial as modifying PostScript files (the PS language was designed to be somewhat human-readable), but very easy nonetheless.

  10. Harry

    NO, do NOT print web documents!

    That's the crux of the problem.

    Web documents should be for READING, not for printing. And that's why most web documents should be done in HTML not PDF.

    You mention the problems that happen when exporting printed documents to HTML but: that's because the HTML converter is trying to resemble the printed layout instead of creating the most easily-read document.

    Documents generally start simple. The originator of the text probably didn't use multiple columns or a tent fold layout. They almost always began as standard single-column paragraphs, until somebody decided to reformat them for printing.

    So, go BACK to the originator's simple manuscript which will be ten times easier to convert to simple single-column HTML. That's the document that should be put on the web, NOT the PDF.

    1. Tom 13

      Get off you high dudgeon.

      I've never seen a tent card in a document that wasn't intended to be a tent card from the originator.

      PDFs have their place in the wild wild web. What ought not have a place in the wild wild web is ActiveX crap that MS brought out so long ago under a name I have now thankfully forgotten. Yes, PDF came from the Postscript Page markup language, but in it's original 1.0 incarnation all it did was fix the page layout of the document for distribution on the appropriate sized piece of paper. If they had stayed there instead of trying to keep up with the Gateses it would still be a useful and safer format.

  11. MontyMole

    PDF Viewer

    I'd like to see Microsoft produce a free PDF viewer. At least it would more secure than Adobe's version!

    1. Chemist

      Re : PDF Viewer

      There's a joke alert icon for that kind of comment

      1. Player_16

        Did't you realise...

        It's April Fools!

  12. Anonymous Coward
    FAIL

    Oh noes!

    So it turns out that it isn't just Flash that's insecure, PDFs are inherently insecure as well! Well done again Adobe!

    Everything Adobe even look at seems to have more (security) holes than a piece of swiss cheese!

    It takes real talent for a company to make Microsoft look like they know what they're doing!

  13. asdf
    FAIL

    Easy response

    >It takes real talent for a company to make Microsoft look like they know what they're doing!

    Even M$ unlike Adobe is not dumb enough to farm out their entire codebase to third world sweatshops paying $1 a day. Adobe's software practices and software are some of the worse in the industry because with developers you generally get what you pay for.

    1. Anonymous Coward
      Flame

      Temporary work visas almost as bad as outsourcing

      "Even M$ unlike Adobe is not dumb enough to farm out their entire codebase to third world sweatshops paying $1 a day."

      No, but M$ likes to hire foreigners on temporary work visas, pay them less than U.S. citizens, then ship 'em home again before they stick around long enough to start demanding raises. Foreigners will work for less, even while in the U.S.

      A while back there was a big lay-off of Microsoft workers (U.S. citizens) while at the *same* time Microsoft was seeking sh1tloads of the aforementioned temporary workers. Nothing like putting corporate profits ahead of national well-being, eh.

      Maybe that's not *quite* as bad as bonafide outsourcing, but Microsoft is still getting workers who'll work for less, then disposing of said workers before they become inconvenient.

      Just another standard business model.

  14. Alice Andretti
    Joke

    I thought it said *boob* trapping...

    ... and was expecting to read about the new bra features in Adobe Reader.

  15. Charles 9
    WTF?

    My two cheapest coins...

    My personal choice is the PDFXchange viewer. Apart from a tiny piece of upgrade nagging in the menu bar I found it to fill my needs.

    Once upon a time, PDF was competing with other portable document format. One that pops to mind was Common Ground. I think it was the first to tout that its reader was free. Wonder if that was the Adobe's inspiration to do the same.

    I'll agree with the sentiment of feature bloat. All I've ever wanted PDF to do was reproduce my documents WYSIWYG-style. Its capacity for photos, vectors, and text was perfectly fine. Internal linking, TOCs, and Indexing were fine, too--all internal and with analogies to real books. It's all this multimedia and Internet jazz that's sent it off the mark. You have to settle it down at some point or it's no longer a document...but a presentation.

    Here's a thought. Has anyone thought about trying a different portable document format, like say DjVu, which is supposedly more advanced and better in keeping with the idea of a portable DOCUMENT format?

This topic is closed for new posts.