Proactive IT security
 

Scary technique utilizing functionality in the PDF specification

Ghost's hand

Introduction

Exploitation of how applications handle files in the Portable Document Format (PDF) is one of the most used techniques to successfully create malicious software. Usually this is accomplished by utilizing vulnerabilities in the applications used to read PDF documents, like the very popular free program, Adobe Reader.

Look: No exploit!

The security researcher Didier Stevens recently published information on his blog about a proof-of-concept attack that does not rely on a traditional vulnerability exploit. Instead he (allegedly) uses a two-part technique involving clever utilization of the PDF format specification, combined with some social engineering:

  1. A special non-standard technique is used to launch a program file embedded in the PDF file.
  2. The warning message that is displayed is manipulated in such a way that it appears more tempting for a user to accept running the embedded file.

Both Adobe Reader with the default program configuration, and the alternative free PDF viewer Foxit Reader [1], are said to be vulnerable to this technique.

[1] When information about the vulnerability was first published, Foxit Reader did not even display the warning message. This has later been corrected in an updated version of Foxit Reader, which now is said to behave in the same manner as Acrobat Reader.

As of this writing we have no reports of malware in the wild that utilizes this technique. One should note that Didier Stevens did not publish the source code for the exploit, even though a partial proof-of-concept is available from his blog. As of now the latest information from Stevens regarding this vulnerability is his posting of 6 April. However, there is reason to believe that this will be heavily discussed, and used for malicious purposes. We already see examples of variants, including proofs-of-concept, that infect other PDF files.
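Because the technique needs no exploit, a defender cannot rely on a signature for a particular bug; what can be checked is whether a PDF combines the building blocks the article describes: an action that starts a program, a file embedded in the document, and something that triggers automatically. The scanner below is an added example, not code from the article or from Didier Stevens. It assumes the launch mechanism is the /Launch action type from the PDF specification and that the payload is carried as an /EmbeddedFile (the article does not name either), and it handles one obfuscation the specification itself permits: writing name characters as #xx hex escapes (so /#4Caunch is the same name as /Launch). The two PDF documents embedded in it are constructed fixtures for the scanner, not working samples.

```python
import re

# Constructed fixture: a minimal PDF whose OpenAction points to a Launch action
# referencing an embedded file. The action name is written with a hex escape
# (#4C = 'L') to exercise the de-obfuscation below. Detection fixture only.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /#4Caunch /F 5 0 R >> endobj
5 0 obj << /Type /Filespec /F (example.txt) /EF << /F 6 0 R >> >> endobj
6 0 obj << /Type /EmbeddedFile /Length 5 >> stream
hello
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed fixture: an ordinary one-page PDF with no actions at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A PDF name object is a '/' followed by characters that are neither
# whitespace nor one of the delimiters ( ) < > [ ] { } / %.
NAME_RE = re.compile(rb"/([^\s()<>\[\]{}/%]+)")

# Names we count; the descriptions are what they mean for risk assessment.
WATCHLIST = {
    "Launch": "action that starts an external program or opens a file",
    "EmbeddedFile": "file carried inside the PDF",
    "OpenAction": "action executed automatically when the document opens",
    "JavaScript": "embedded script",
}


def decode_name(raw: bytes) -> str:
    """Resolve #xx hex escapes in a PDF name, e.g. b'#4Caunch' -> 'Launch'."""
    return re.sub(
        rb"#([0-9A-Fa-f]{2})",
        lambda m: bytes([int(m.group(1), 16)]),
        raw,
    ).decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Count occurrences of each watched name in the raw bytes of a PDF."""
    counts = {name: 0 for name in WATCHLIST}
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in counts:
            counts[name] += 1
    return counts


def assess(data: bytes) -> tuple:
    """Return (suspicious, findings) for a PDF based on the counted names."""
    counts = scan_pdf(data)
    findings = []
    if counts["Launch"]:
        findings.append("Launch action present: " + WATCHLIST["Launch"])
    if counts["Launch"] and counts["EmbeddedFile"]:
        findings.append(
            "Launch action together with an embedded file: matches the "
            "embedded-program technique"
        )
    if counts["Launch"] and counts["OpenAction"]:
        findings.append(
            "OpenAction also present: the launch may fire as soon as the "
            "document is opened"
        )
    if counts["JavaScript"]:
        findings.append("JavaScript present: " + WATCHLIST["JavaScript"])
    return bool(findings), findings


if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_PDF), ("benign", BENIGN_PDF)):
        flagged, findings = assess(doc)
        print(f"{label}: flagged={flagged}")
        for line in findings:
            print("  -", line)
```

The scanner reads raw bytes, so it only sees names that appear in clear text. A document that stores its objects inside compressed object streams (/ObjStm with a /FlateDecode filter) would hide the same names from this check; a production scanner must inflate those streams before counting, and should treat a refusal to parse as a finding in itself rather than as a clean result.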

Food for thought

The PDF specification available from Adobe's web site is a very complex document of almost 750 pages. It is also available for purchase from the International Organization for Standardization (ISO) as an official ISO document.

Whenever something gets very complex, it is difficult to fully comprehend all the consequences of combining its different parts. This applies to software, and in this case to a file format.

One may argue that the vulnerability discussed in this security article is yet another example of the fact that functionality often proves to be security's worst enemy. Fixing this particular problem may be difficult (even impossible?) without changing the PDF specification itself, which is a rather time-consuming process.

Update 2010.04.08

Adobe has published information about how to mitigate the risks involved in this issue. A change in the program's preferences is required. We refer to the posting in the Adobe Reader Blog for details.

Update 2010.06.30

Adobe has again addressed this vulnerability in its updates for Adobe Reader and Acrobat of 29 June 2010. We refer to this posting in the Adobe Reader Blog for details.