In association with heise online

19 September 2006, 09:26

PDF documents as possible attack vectors

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

That PDF files can also contain JavaScript is old news - Adobe Reader and Adobe Acrobat have supported JavaScript since version 4 to allow better user interaction. Nevertheless, many users are still surprised by what happens when they open some PDF files. Until now Office documents containing macros have been considered to represent the main danger. But JavaScript is notorious for allowing all sorts of mischief, as British security expert David Kierznowski explains in his blog.

Kierznowski describes three ways of carrying out indirect attacks on users using prepared PDF files. He illustrates the point by providing two downloadable demo files. The first, on loading, opens, without the assistance of the user, a window in the preferred browser. Under certain circumstances, this may take a user to websites which exploit vulnerabilities in their browser to infiltrate malware onto their system or install trojans.

Kierznowski also provides a second demo file, which illustrates how, without asking the user, Acrobat establishes a connection to a database using Adobe Database Connectivity and queries data. The two examples may only scratch the surface of what attacks may be possible, but they demonstrate the potential. Kierznowski is certain that Adobe's version of JavaScript offers sufficient opportunities to compromise a system. He himself lacks the requisite creativity. As well as the standard JavaScript 1.5 scripting options, Adobe's JavaScript derivative also provides additional options and functions.

Users should consider whether they wish to be quite so care-free about opening PDF files in future. Nonetheless, help is at hand. JavaScript can simply be deactivated using the preferences option on the edit menu. Unfortunately, on opening the demo document, Adobe Reader and Acrobat continue to ask the user whether JavaScript should be executed or whether an external website should be opened. An alternative, for the Reader at least, is offered by the Foxit Reader, which is both quick and slim. It also supports, from Version 2.0 onward, JavaScript, but it at least requires the user explicitly to download and install a plugin.

JavaScript in Adobe products has already caused security problems in the past. For example, it was possible to infiltrate malicious plugins into the plugins folder, which would be loaded the next time the program was started. In the Mac version of the Reader and Acrobat, it was even possible to call other programs using JavaScript.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit