Hacker Finds Multiple PDF Backdoors
Gungadin writes "Eweek.com has a story about a British security researcher figuring out a way to manipulate legitimate features in Adobe PDF files to open backdoors for computer attacks. David Kierznowski, a penetration testing expert specializing in Web application testing, has released proof-of-concept code and two sample PDF files to demonstrate how the Adobe Reader program can be rigged to launch Web-based attacks without any user action. He claims there are at least seven different ways to backdoor a PDF."
Non Adobe? (Score:5, Insightful)
It's not a vulnerability, it's an exploit... (Score:5, Insightful)
Confused (Score:4, Insightful)
Re:It's not a vulnerability, it's an exploit... (Score:4, Insightful)
Of course (Score:2, Insightful)
Has everyone downloaded the new version of Firefox? Because 5 out of 7 of the vulns it fixes are JavaScript related. Why do we have to keep going through this? Are people in denial or something? We all know what the problem is. There's only one security advisory I'd like to see for JavaScript problems, the mother of all advisories:
Malicious links are a PDF problem? (Score:1, Insightful)
Just about anything can automatically open a link. If there is something malicious on the page it is loading, that's a browser problem.
Re:Does anyone else think this is good news? (Score:2, Insightful)
PDF is incredibly useful...to people other than yourself. The bloat that annoys you so much guarantees layout and color fidelity to people who care about those things. Do you find PostScript printers bloated and wasteful?
Re:Does anyone else think this is good news? (Score:2, Insightful)
PDF is designed to be a read-only document presentation format. Sort of a globally understood "print to file" format with some added features. It does this very, very well. It is often abused, however, by people who don't understand the purpose behind the PDF format.
Don't confuse Adobe's somewhat bloated PDF reader's sluggish speed with the format being "slow." Try any of the third-party document readers (xpdf, etc). They are blazingly fast.
Re:Does anyone else think this is good news? (Score:4, Insightful)
Yes, AcroRead takes longer and longer to load, defeating the purpose of being this ubiquitous reader Adobe is pitching. Yes, it's not open.
But still, it's the safest way I have found so far to send someone a document so I could be sure that when they open it, it looks exactly like I intended it to look. That to me is key: I care about the looks of what I do.
Alain.
Re:Dear God. (Score:2, Insightful)
Re:Core PDF feature (Score:3, Insightful)