In association with heise online

31 March 2010, 13:07

PDF exploit requires no specific security hole to function

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Bad news: PDF security specialist Didier Stevens has developed a PDF document which is capable of infecting a PC – without exploiting a specific vulnerability. The demo exploit works both in Adobe Reader and in Foxit. Stevens says he used the "Launch Actions/Launch File" option, which can even start scripts and EXE files that are embedded in the PDF document. This option is part of the PDF specification.

Although Adobe Reader asks users to agree to the execution of the file, this dialogue can be designed in such a way that users have no idea they may be allowing an infection in to their systems. The Foxit reader doesn't even provide a warning. The Sumatra PDF reader is said to be unaffected.

Stevens intends to keep his PDF document with the embedded code under wraps until the vendors respond. However, he has provided a document (direct download) which launches the command prompt when the PDF file is opened. When tested by the heise Security team, this worked under Windows 7 with the current versions of Adobe Reader and Foxit. In principle, this concept is also said to be suitable for starting an FTP transfer to download and start a trojan.

While disabling JavaScript in the reader offers no protection, Stevens says that, at least in Adobe Reader, it helps to prevent the program from starting new processes. However, this also disables the automatic update check.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit