It’s no wonder we have so much trouble with certain constructs in computing, like PDF files, for some people spend lots of time trying to break them, or otherwise do things with them that the original authors of the format could not have envisioned.

A story in PCMagazine this morning tells of how one researcher is able to execute code from a PDF without exploiting any known vulnerability, noting that some PDF readers warn the user before doing so while others give no warning at all.

PDF researcher Didier Stevens has been working lately on ways to execute arbitrary code out of PDF files and has come up with a new and surprising one: He can run an executable embedded inside a PDF without exploiting a vulnerability. Stevens isn’t revealing the details of the technique yet.

Different PDF readers react differently to the technique. Adobe reader displays the warning dialog above. (follow link above to see it)

Stevens can make the attack more likely to succeed by changing the contents of the box: Instead of the file name it could say "Please click Open" or some other social engineering message.

But Foxit Reader, which many users have switched to, supposedly for security reasons, doesn’t even display a warning dialog. It just automatically executes the embedded EXE. A commenter to Stevens’s post gives a story of a related vulnerability, and Stevens says it’s not uncommon for Foxit to blindly execute dangerous activities in cases where Adobe’s software warns the user.

I also tested Nuance’s free PDF reader. It opens a dialog box that says it cannot open file "cmd.exe".

If there really is no vulnerability involved then we’ll have to wait and see what approach Adobe and other vendors take to this issue. Adobe could just choose to identify it more precisely and give a stronger warning dialog box. Foxit could choose to do something, anything.

So once again, a program designed to be more secure than the original is not. The reason I stay with Adobe is that they have a staff of people who are on top of these things, and because I also have a good idea of what happens when bad code gets executed. For others who are not as attentive to what happens on their computer, paying attention to the updates for Adobe Reader and keeping an antimalware solution up-to-date is the best defense.
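Since the point of the story is that some readers will run an executable carried inside a PDF without asking, a defender's first question is how to spot such a file before it reaches a reader at all. The article does not say which PDF feature Stevens used, so the triage script below is an added example of my own, not Stevens's technique and not code from the article: it assumes the two features of the PDF format that can carry or launch a file (a Launch action, `/S /Launch`, and an embedded file stream, `/Type /EmbeddedFile`) and flags a document that contains either for manual review. The sample PDF skeletons are constructed for the example and are not complete, openable documents.

```python
import re

# PDF names may spell characters as #xx hex escapes (e.g. /L#61unch for /Launch),
# a common way to slip past naive string matching, so normalise them first.
_HEX_ESC = re.compile(rb'#([0-9A-Fa-f]{2})')


def _unescape_names(data: bytes) -> bytes:
    """Replace #xx escapes inside PDF syntax with the literal byte."""
    return _HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), data)


# Features that can make a reader hand a file to the operating system or that
# carry a file inside the document. Assumption for this example: these names
# are matched in the raw, uncompressed PDF syntax only.
FEATURES = {
    "launch_action":       re.compile(rb'/S\s*/Launch\b'),
    "embedded_file":       re.compile(rb'/Type\s*/EmbeddedFile\b'),
    "embedded_files_tree": re.compile(rb'/EmbeddedFiles\b'),
    "open_action":         re.compile(rb'/OpenAction\b'),
}


def scan_pdf(data: bytes) -> dict:
    """Count occurrences of each feature after undoing name escapes."""
    text = _unescape_names(data)
    return {name: len(rx.findall(text)) for name, rx in FEATURES.items()}


def is_suspicious(data: bytes) -> bool:
    """A Launch action or an embedded file is enough to pull the file for review."""
    counts = scan_pdf(data)
    return counts["launch_action"] > 0 or counts["embedded_file"] > 0


# Constructed sample: catalog with an OpenAction that launches an embedded
# cmd.exe. Object bodies are abbreviated; this is not a valid, openable PDF.
SAMPLE_LAUNCH = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R
  /Names << /EmbeddedFiles << /Names [(cmd.exe) 4 0 R] >> >> >> endobj
3 0 obj << /Type /Action /S /Launch /F (cmd.exe) >> endobj
4 0 obj << /Type /Filespec /F (cmd.exe) /EF << /F 5 0 R >> >> endobj
5 0 obj << /Type /EmbeddedFile /Length 0 >> stream
endstream endobj
%%EOF
"""

# Constructed sample: same Launch action with the name hex-escaped.
SAMPLE_ESCAPED = b"""%PDF-1.4
3 0 obj << /Type /Action /S /L#61unch /F (cmd.exe) >> endobj
%%EOF
"""

# Constructed sample: plain document with none of the features.
SAMPLE_BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("launch", SAMPLE_LAUNCH),
                       ("escaped", SAMPLE_ESCAPED),
                       ("benign", SAMPLE_BENIGN)):
        print(label, scan_pdf(doc), "suspicious" if is_suspicious(doc) else "ok")
```

The check is deliberately crude: it only sees syntax that is stored uncompressed, so a real triage tool has to inflate FlateDecode streams and object streams before matching, and a flagged file still needs a person to decide whether the embedded attachment is legitimate. The upside of flagging at the mail gateway or on the file share is that it does not depend on which reader the recipient happens to use, which is exactly the variable the article shows you cannot rely on.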
