
Hacker Finds Multiple PDF Backdoors

Gungadin writes "Eweek.com has a story about a British security researcher figuring out a way to manipulate legitimate features in Adobe PDF files to open backdoors for computer attacks. David Kierznowski, a penetration testing expert specializing in Web application testing, has released proof-of-concept code and two sample PDF files to demonstrate how the Adobe Reader program can be rigged to launch Web-based attacks without any user action. He claims there are at least seven different ways to backdoor a PDF."
  • Non Adobe? (Score:5, Insightful)

    by BiggyP ( 466507 ) <<philh> <at> <theopencd.org>> on Friday September 15, 2006 @07:35PM (#16117767) Homepage Journal
    OK, I don't have the Adobe reader installed but rather Evince and gPDF. Since these lack support for a lot of the additional features of PDF, am I any safer?
  • by crazyjeremy ( 857410 ) * on Friday September 15, 2006 @07:37PM (#16117779) Homepage Journal
    "I do not really consider these attacks as vulnerabilities within Adobe. It is more exploiting features supported by the product that were never designed for this," Kierznowski said in an e-mail interview with eWEEK.
    Isn't that what a vulnerability is? Exploiting a "feature" in a way not originally intended?
  • Confused (Score:4, Insightful)

    by ndansmith ( 582590 ) on Friday September 15, 2006 @07:37PM (#16117783)
    After reading the article I am not sure if this is an Adobe Reader problem or a PDF problem. Every example cites an Adobe product, but the "hacker" said, "I do not really consider these attacks as vulnerabilities within Adobe. It is more exploiting features supported by the product that were never designed for this." Translation?
  • by JustNilt ( 984644 ) on Friday September 15, 2006 @07:40PM (#16117808) Homepage
    It seems a fine line but I think many would consider this an exploit. A vulnerability would be a non-feature that can be exploited in some manner. I could be wrong (as far as speaking for others) but this is my take on it. Again, it seems a little like semantics but it's a line that can be defined quite well.
  • Of course (Score:2, Insightful)

    by Anonymous Coward on Friday September 15, 2006 @08:00PM (#16117924)
    As if PostScript is not dangerous enough, Adobe's PDF attack vector executes JavaScript. When you're done disabling JavaScript in the Adobe PDF reader, you should disable it in your browser.

    Has everyone downloaded the new version of Firefox? Because 5 out of 7 of the vulns it fixes are JavaScript related. Why do we have to keep going through this, are people in denial or something? We all know what the problem is. There's only one security advisory I'd like to see for JavaScript problems, the mother of all advisories:

    MSFA 20XX-00 Enabling javascript allows remote code execution

    Solution: Disable javascript, on a permanent basis.

  • by Anonymous Coward on Friday September 15, 2006 @08:46PM (#16118113)
    The first back door (PDF), which eWEEK confirmed on a fully patched version of Adobe Reader, involves adding a malicious link to a PDF file. Once the document is opened, the target's browser is automatically launched and loads the embedded link.

    Just about anything can automatically open a link. If there is something malicious on the page it is loading, that's a browser problem.
  • by Anonymous Coward on Friday September 15, 2006 @09:37PM (#16118320)
    Respectfully disagree.

    PDF is incredibly useful...to people other than yourself. The bloat that annoys you so much guarantees layout and color fidelity to people who care about those things. Do you find PostScript printers bloated and wasteful?
  • by Anonymous Coward on Friday September 15, 2006 @09:56PM (#16118406)
    HTML and similar document formats do not retain character sets, pagination, and other presentation-related pieces of data. Create a webpage, and view it in different browsers on different OSes with different font sets. The page is not guaranteed to look the same, and most likely will render differently on each different browser. PDF, on the other hand, will render the same with every PDF reader.

    PDF is designed to be a read-only document presentation format. Sort of a globally understood "print to file" format with some added features. It does this very, very well. It is often abused, however, by people who don't understand the purpose behind the PDF format.

    Don't confuse Adobe's somewhat bloated PDF reader's sluggish speed with the format being "slow." Try any of the third-party document readers (xpdf, etc). They are blazingly fast.
  • by alain94040 ( 785132 ) on Friday September 15, 2006 @11:00PM (#16118591) Homepage
    Sorry, I got to disagree with this. If you are looking for print quality (as in book), PDF is way ahead of any standard HTML I have ever seen.

    Yes, AcroRead takes longer and longer to load, defeating the purpose of being this ubiquitous reader Adobe is pitching. Yes it's not open.

    But still, it's the safest way I have found so far to send someone a document so I could be sure that when they open it, it looks exactly like I intended it to look. That to me is key: I care about the looks of what I do.

    Alain.
  • Re:Dear God. (Score:2, Insightful)

    by samurphy21 ( 193736 ) on Friday September 15, 2006 @11:34PM (#16118694) Homepage
    You mean like email, word documents and such? God.. who knows?
  • by Craig Ringer ( 302899 ) on Saturday September 16, 2006 @02:42AM (#16119201) Homepage Journal
    My mistake - that post is not correct. It appears to actually be using JavaScript as supported by Adobe Reader to automatically launch a link. Still, in my view, not a big deal (and my Adobe Reader asks for confirmation anyway) but somewhat more valid.
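
The thread distinguishes an ordinary link in a PDF from one that fires when the document is opened. As an added example (not from any commenter or from the researcher's proof-of-concept), this defender-side triage sketch counts the PDF specification's action keys in raw file bytes and flags a document that pairs an on-open trigger with a script or link payload; the function names and both sample fragments are constructed for illustration.

```python
import re

# Action-related name keys defined by the PDF specification.
TRIGGERS = ("OpenAction", "AA")                      # fire without a click
PAYLOADS = ("JavaScript", "JS", "URI", "Launch", "SubmitForm", "GoToR")

# A PDF name is "/" followed by non-whitespace, non-delimiter bytes.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript is read as JavaScript."""
    decoded = HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def triage(pdf_bytes: bytes) -> dict:
    """Count action keys in uncompressed PDF bytes.

    Limits: names inside compressed object streams are not seen, and text
    inside string literals can cause false positives. Triage only.
    """
    counts = {key: 0 for key in TRIGGERS + PAYLOADS}
    obfuscated = []
    for match in NAME_RE.finditer(pdf_bytes):
        raw = match.group(1)
        name = decode_name(raw)
        if name in counts:
            counts[name] += 1
            if b"#" in raw:              # escaped spelling of a sensitive key
                obfuscated.append(raw.decode("latin-1"))
    auto = any(counts[k] for k in TRIGGERS) and any(counts[k] for k in PAYLOADS)
    return {"counts": counts, "obfuscated": obfuscated, "auto_action": auto}


# Constructed fragment: catalog with an on-open action and an escaped key.
SAMPLE_AUTO = (b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>\n"
               b"endobj\n5 0 obj\n<< /S /J#61vaScript "
               b"/JS (/* constructed placeholder */) >>\nendobj\n")

# Constructed fragment: a normal clickable link annotation, no trigger.
SAMPLE_PLAIN = (b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
                b"3 0 obj\n<< /Type /Annot /Subtype /Link "
                b"/A << /S /URI /URI (http://example.invalid/) >> >>\nendobj\n")

if __name__ == "__main__":
    for label, data in (("auto", SAMPLE_AUTO), ("plain", SAMPLE_PLAIN)):
        print(label, triage(data))
```

A document flagged with `auto_action` warrants a closer look in a sandboxed reader; a clean result on a file that uses compressed object streams proves nothing until those streams are inflated and rescanned.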
