The Decline and Fall of the Adobe PDF

If you haven’t heard yet, there’s another security vulnerability in Adobe’s widely used Portable Document Format (PDF). What’s different this time around is that the security hole affects not only a single vendor’s product (still looking at you, Adobe), but many alternative products that implement the PDF specification itself. Take a look at the two links below to see how one newly discovered vulnerability has morphed into something far more dangerous:

Initial Report: http://blog.didierstevens.com/2010/03/29/escape-from-pdf/

Today’s Update: http://siemblog.com/2010/04/implications-of-recent-pdf-launch-hacks/

For those disinclined to wade through the technical discussion, the posts essentially state that it is now possible for an attacker to modify a PDF file, any PDF file, in such a way as to embed executable code that will run upon opening the document. A user receiving and opening such a file will still be presented with a prompt requesting permission to launch the code, something an intelligent and informed user should recognize as an immediate red flag, but, as the examples in the above links illustrate, an attacker can modify part of the language of the prompt to be something as apparently benign as “Click OK to view this PDF”. As most uninformed users will blow past such prompts without so much as a second’s pause to consider the actual content, the probability of a successful exploit is high. If such a user allows the code to execute, it can do pretty much whatever an attacker wishes it to do: erase files, launch malware installers, or, as the second link explains, infect every other PDF on the system by applying an incremental update that allows new executable code to be injected into previously saved, and previously clean, PDF files. It’s the “I Love You” virus all over again.
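
For defenders who want to triage incoming PDFs for the behaviour described above, here is a small scanner, added as an example and not taken from this post or the linked ones. It assumes the PDF specification's `/Launch` action type and `/OpenAction` key, treats each `%%EOF` marker as one saved revision (incremental update), and runs on constructed sample bytes rather than real documents.

```python
import re

# PDF names can hide characters as #xx hex escapes (e.g. /L#61unch),
# so decode those before matching. Decoding the whole file is a coarse
# heuristic: it can also alter stream bytes, and it does not look inside
# compressed object streams.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize_names(data: bytes) -> bytes:
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def triage_pdf(data: bytes) -> dict:
    """Count markers relevant to the launch-prompt issue in raw PDF bytes."""
    norm = normalize_names(data)
    return {
        "launch_actions": len(re.findall(rb"/Launch\b", norm)),
        "open_actions": len(re.findall(rb"/OpenAction\b", norm)),
        # More than one %%EOF means the file was extended by incremental
        # update. Legitimate editors do this too, so it is context only.
        "revisions": len(re.findall(rb"%%EOF", data)),
    }

def verdict(report: dict) -> str:
    """Heuristic policy (an assumption of this example, not a standard)."""
    if report["launch_actions"] and report["open_actions"]:
        return "block"    # a launch action exists and something runs on open
    if report["launch_actions"]:
        return "review"   # launch action present, trigger unclear
    return "pass"

# Constructed samples: structural fragments only, not renderable documents.
CLEAN = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
         b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
FLAGGED = CLEAN + (
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>\nendobj\n"
    b"5 0 obj\n<< /S /L#61unch /F (constructed-placeholder) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("flagged", FLAGGED)):
        report = triage_pdf(sample)
        print(name, report, verdict(report))
```

A "pass" here only means none of these markers were visible in the raw bytes; it is a mail-gateway style pre-filter, not a replacement for disabling launch actions in the reader.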