PDF files have become the de facto standard for sending documents. We think of them as being relatively innocuous because they are generally not editable. The PDF specification is very powerful, though: a document can carry JavaScript and can define actions that the reader performs on the user's behalf, including when the file is merely opened. If that sounds a little scary, it should.
PDF documents have become one of the most widely used attack vectors for malware authors. Most of this has been driven by vulnerabilities in the programs used to interpret .pdf files, specifically Adobe Acrobat/Reader and (to a lesser degree) Foxit Reader. Most of these attacks can be thwarted by disabling JavaScript in the reader, because even where the underlying bug is in the file parser, the exploit typically relies on JavaScript to stage its payload (in Adobe Reader: Edit > Preferences > JavaScript, uncheck "Enable Acrobat JavaScript").
The JavaScript a PDF can carry is supposed to run inside a sandbox, a restricted interpreter with no direct access to the operating system. We have seen, though, that a "sandbox" is not the digital equivalent of a maximum-security prison. There have been several instances where JavaScript has managed to "escape" from the sandbox, generally by way of a vulnerability in the reader itself.
Recently, Didier Stevens showed that a .pdf file can execute an embedded command without relying on JavaScript at all, by using the PDF /Launch action (the same feature that lets a document open an external program). Jeremy Conway then built on this to show that a PDF worm is possible: a file that, once opened, overwrites and infects other PDF files on the system.
The bottom line: advise all clients to be very cautious about opening PDF files, especially those that are unexpected or from untrusted sources. Attacks have been surfacing in the wild, and we may reach the point where even PDF files from trusted sources are a threat, since a worm-style infection would spread through exactly those files.
Both Adobe and Foxit are scrambling to address this issue. In most cases, Adobe Reader (and now Foxit, with the latest patch) will display a warning before running the launched command, but part of the text in that dialog is taken from the PDF itself, so an attacker can fill it with reassuring instructions that trick the user into clicking through and allowing the command to run. Warn clients about this! As an interim measure, Adobe Reader's Trust Manager preferences include an option to allow opening non-PDF attachments with external applications; turning it off blocks Launch actions outright.
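As an added example (my own code, not from the original post and not from Stevens or Conway), here is a small Python triage scanner in the spirit of keyword scanners such as pdfid. It flags the hooks discussed above: embedded JavaScript, /Launch actions, and the /OpenAction and /AA entries that fire them without a click. The sample PDFs are constructed inline for the scanner to chew on; they omit the cross-reference table and are not valid documents, let alone working exploit files. Two evasions it handles are assumptions about how such files hide keywords: the PDF "#xx" hex escape for names (/#4Caunch for /Launch) and action dictionaries tucked inside FlateDecode streams.

```python
"""Static triage of a PDF for code-execution hooks: /JavaScript, /Launch, etc.

Added example; written from scratch, not code from the original post.
Assumptions: input is the raw file bytes, and objects hidden inside
compressed streams are only reached when the stream inflates with zlib.
"""
import re
import zlib

# PDF names that make a reader run code, or fire an action without a click.
SUSPICIOUS_NAMES = (
    b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
    b"/EmbeddedFile", b"/RichMedia", b"/XFA", b"/ObjStm",
)

# Constructed sample 1: /OpenAction points at a /Launch action that asks the
# reader to start cmd.exe. Scanner input only: no xref table, not an exploit.
LAUNCH_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /Launch
   /Win << /F (cmd.exe) /P (/c echo hello) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample 2: same action, but the name is spelled /#4Caunch using
# the PDF "#xx" hex escape, which a plain substring search for /Launch misses.
OBFUSCATED_PDF = LAUNCH_PDF.replace(b"/Launch", b"/#4Caunch")

# Constructed sample 3: the JavaScript action only exists inside a
# FlateDecode stream, so it is invisible until the stream is inflated.
COMPRESSED_JS_PDF = (
    b"%PDF-1.5\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
    b"5 0 obj << /Length 60 /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"<< /S /JavaScript /JS (app.alert('hi')) >>")
    + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample 4: a plain one-page document with no actions at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Undo #xx escapes so that /#4Caunch compares equal to /Launch."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every zlib stream so that objects tucked
    into compressed streams are visible to the keyword scan."""
    inflated = []
    for m in _STREAM.finditer(data):
        try:  # decompressobj tolerates the trailing newline before endstream
            inflated.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed or damaged: skip, do not crash
    return b"\n".join([data] + inflated)


def count_keywords(data: bytes) -> dict:
    """Count each suspicious name after inflating streams and undoing escapes."""
    text = normalize_names(inflate_streams(data))
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # A name ends at whitespace or a delimiter, so /JS must not match /JSx.
        counts[name.decode()] = len(
            re.findall(re.escape(name) + rb"(?![A-Za-z0-9_])", text))
    return counts


def launch_targets(data: bytes) -> list:
    """Return (program, parameters) from the /Win dict of each /Launch action."""
    text = normalize_names(inflate_streams(data))
    targets = []
    for m in re.finditer(rb"/Launch.*?/Win\s*<<(.*?)>>", text, re.DOTALL):
        prog = re.search(rb"/F\s*\(([^)]*)\)", m.group(1))
        params = re.search(rb"/P\s*\(([^)]*)\)", m.group(1))
        targets.append((prog.group(1).decode() if prog else "",
                        params.group(1).decode() if params else ""))
    return targets


def verdict(data: bytes) -> str:
    """Triage: Launch actions are blocked outright, JavaScript gets a review."""
    c = count_keywords(data)
    auto = " (fired automatically)" if c["/OpenAction"] or c["/AA"] else ""
    if c["/Launch"]:
        return "block: /Launch action" + auto
    if c["/JavaScript"] or c["/JS"]:
        return "review: embedded JavaScript" + auto
    return "clean: no script or action hooks found"


if __name__ == "__main__":
    for label, pdf in (("launch", LAUNCH_PDF), ("obfuscated", OBFUSCATED_PDF),
                       ("compressed-js", COMPRESSED_JS_PDF), ("benign", BENIGN_PDF)):
        print(f"{label:14} {verdict(pdf)}  launch={launch_targets(pdf)}")
```

A keyword hit is a triage signal, not proof of malice: legitimate forms use JavaScript, and /OpenAction is common in benign files. The point of the scan is that a /Launch action, or script wired to /OpenAction or /AA, deserves a human look before the file is opened in a reader at all, and the /F and /P values show exactly what the reader would be asked to run.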

Dennis H in West Virginia, US
April 07, 2010