PDF Security Vulnerability

Forum Moderators: phranque

Message Too Old, No Replies

PDF Security Vulnerability

The first of what could be many

MatthewHSE

2:58 pm on Sep 18, 2006 (gmt 0)

PDF Backdoors Discovered [quarkvsindesign.com]

The beginning of the end. Why, oh why did Adobe have to start putting in all those extra features? Almost anybody here could have told them what would happen...

Beyond these, Kierznowski claims to have found seven more points for launching malicious code from withing otherwise legitimate PDF files, and hinted that Acrobat’s JavaScript model may allow even more.
In a comment on his own blog post, Kierznowski said of the potential to exploit PDFs: “I still think we are only scratching the surface.”

kaled

4:31 pm on Sep 18, 2006 (gmt 0)

This will strengthen the opinion of many that the PDF format is a heap of steaming ...

Kaled.

danny

3:59 am on Sep 19, 2006 (gmt 0)

Are these really "PDF backdoors", though, or bugs in Acrobat Reader? Unless they exploit weaknesses in the actual PDF spec, and are cross-platform, they're not really a PDF issue per se.

amznVibe

4:09 am on Sep 19, 2006 (gmt 0)

All the better reason to roll back to adobe reader 4.0?
It's wickedly faster than 5.0 + 6.0
When was javascript introduced into pdf?

There's always the open source ghostscript pdf viewer.

adfree

4:46 am on Sep 19, 2006 (gmt 0)

Wondering how and when they will set up a new, more aggressive patching cycle.

tedster

11:50 am on Sep 19, 2006 (gmt 0)

This is a Windows exploit but it looks like there's a major security risk for secure corporate data here. Malicious code can exploit weaknesses in Adobe Database Connectivity (ADBC) on Windows -- tapping into Access, Excel, FoxPro, MS-SQL, Outlook and Exchange e-mail systems, Lotus Notes, Lotus Domino, and FileMaker Pro among others. Then...

A PDF carrying a malware payload can use the ADBC connection to the host computer’s ODBC to tunnel out into any other ODBC-connected database, potentially accessing every piece of confidential data on the targeted system.

MatthewHSE

4:04 pm on Sep 19, 2006 (gmt 0)

One thing I'm not clear about is whether or not these vulnerabilities are directly related to javascript in PDF files or not. It sounds to me like javascript definitely is causing some problems, but there seem to be hints that not all of the vulnerabilities mentioned are tied in with javascript.

Whatever the security holes may be, this is bad news for people who must work with teams or otherwise accept files from people who may be all for utilizing Acrobat and PDF to it's "full potential." Let's face it, no matter how much we may recognize the dangers of the vulnerable features, and no matter how much we would like to use an alternative, non-vulnerable PDF viewer, the fact remains that a lot of us may not always have a choice.

coopster

5:42 pm on Sep 19, 2006 (gmt 0)

When was javascript introduced into pdf?

I don't believe it is actually a part of their PDF spec, so to speak. As far as when was it introduced in the Adobe Acrobat product? I want to say version 4 but I cannot confirm ...

[partners.adobe.com...]

coopster

6:11 pm on Sep 19, 2006 (gmt 0)

I found this in the Acrobat JavaScript Scripting Reference ...

HISTORICAL NOTE:
JavaScript dates back to Adobe Exchange 3.01. JavaScript functionality was added to this version by means of the "Acrobat Forms Author Plug-in 3.5 Update".

And I believe I can also stop and correct myself here ... seems it is indeed a part of the PDF spec as of 1.3.

JavaScript Actions
A JavaScript action (PDF 1.3) causes a script to be compiled and executed by the
JavaScript interpreter.

This was found in the current PDF Reference (1.6).