Exploits not needed to attack via PDF files

Researchers devise ways to get malware onto computers, and even into clean PDF files, without exploiting any holes in the PDF reader software or using JavaScript.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
3 min read
Jeremy Conway created a video to show how his PDF hack works. Jeremy Conway/NitroSecurity

Portable Document Format (PDF) files could be used to spread malware to clean PDF files stored on a target computer running Adobe Acrobat Reader or Foxit Reader PDF software, a security researcher warned on Monday.

Jeremy Conway, product manager at NitroSecurity, created a proof of concept for an attack in which malicious code is injected into a file on a computer as part of an incremental update, but which could be used to inject malicious code into any or all PDF files on a computer.

The attack requires the user of the computer to allow the code to be executed by agreeing to it via a dialog box. However, the attacker could at least partially control the content of the dialog box that appears to prompt the user to launch the executable and thus use social engineering to entice the computer user to agree to execute the malware, said Conway.

Turning off JavaScript would not prevent the attack. It also does not require that the attacker exploit a vulnerability in the PDF reader itself.

The PDF reader incremental update capability "can be used as an infection vector," said Conway. The attack "does not exploit a vulnerability. No crazy Zero-Day (exploit) is needed to make this work."

Conway's proof of concept attack--detailed here with more information here--takes advantage of the same weakness in PDF readers that security researcher Didier Stevens of Belgium discovered a week ago and explained on his blog.

Stevens was able to launch a command and run an executable within a PDF file using a multi-part scripting process. As a result of that research and blog post, researchers at Adobe and Foxit Software are investigating ways to mitigate the risks from such attacks, according to CNET sister site ZDNet.

An Adobe spokeswoman did not have a comment on Conway's hack, but ZDNet posted Adobe's comment on Stevens':

"Didier Stevens' demo relies on functionality defined in the PDF specification, which is an ISO standard (ISO PDF 32000-1:2008)," the statement said. "Section of the specification defines the /launch command. This is an example of powerful functionality relied on by some users that also carries potential risks when used incorrectly. The warning message provided in Adobe Reader and Adobe Acrobat includes strong wording advising users to only open and execute the file if it comes from a trusted source. Adobe takes the security of our products and technologies very seriously; we are always evaluating ways to allow end-users and administrators to better manage and configure features like this one to mitigate potential associated risks."

Foxit provided ZDNet this comment:

"Foxit takes every security concern seriously and we focus our engineering resources at determining the cause of the problem and coming up with a complete and safe solution. Upon hearing of a possible security concern, our development team went to work and a resolution was determined in less than 24 hours and an updated version of the Foxit Reader will be made public in the next 72 hours."

The problem results from the PDF reader software allowing executable files to be opened or launched from within the program, according to Conway. "Most users don't use that additional functionality," he said.

He suggested that PDF software firms could provide a "minimalistic" version of the PDF readers that do not allow other types of programs to be launched and allow users to decide which specific types of executables they want to be able to open within the program.

Update April 6 9:15 a.m. PDT: An Adobe spokeswoman replied Monday night with the same statement above and this: "Users can also turn off this functionality in the Adobe Reader and Adobe Acrobat Preferences by selecting > Edit > Preferences > Categories > Trust Manager > PDF File Attachments and clearing the box 'Allow opening of non-PDF file attachments with external applications.'"