PDF format design flaw endangers PC security
The initiators of the Month of Apple Bugs are going off the beaten path with their sixth bug: a design error in the PDF format can allow specially prepared documents to crash a PDF application or infect the system with malware. The security advisory says that the result depends on the specific application and the operating system it is running on. Affected are Preview.app 3.0.8 (409) running on Apple Mac OS X, Adobe Acrobat Reader 5.0 to 7.0 on all platforms, and xpdf 3.0.1 (patch 2), along with gv, kpdf, poppler and other applications based on it. The quite popular Foxit Reader also has trouble with the released demo PDF: in a test at heise Security, it crashed without issuing an error message. Other applications are probably also affected.
LKM, one of the initiators of the MOAB, says that this vulnerability is due to a flaw in the specification for version 1.3 of the PDF format. In this version, the specification uses the "Catalog Dictionary" to define the objects and data for a document and how the document is to be rendered, but apparently does not define how a program should react to invalid references. It seems that references are assumed to always be valid and that invalid entries are generally not caught. This may result in memory violations (null pointer dereferences, buffer overflows, etc.) and memory leaks that cause the program to crash and may even allow code to be injected and executed.
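The kind of check the affected readers skip can be sketched as a pre-parse validation step. This is an added example, not code from the advisory or from any of the named applications: it walks the object graph from the trailer's /Root (the Catalog) and reports references to objects that are never defined. It assumes uncompressed PDF 1.3 style objects and treats "invalid" as "unresolvable"; the function name and sample documents are constructed for illustration.

```python
import re

# Simplification: only plain "N G obj ... endobj" bodies are recognised
# (no object streams); binary stream data may cause false positives.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
REF_RE = re.compile(rb"(\d+)\s+(\d+)\s+R\b")
ROOT_RE = re.compile(rb"/Root\s+(\d+)\s+(\d+)\s+R\b")

def find_dangling_refs(pdf: bytes):
    """Return sorted (referrer, target) pairs, reachable from the Catalog,
    whose target object is not defined anywhere in the file."""
    objects = {(int(n), int(g)): body for n, g, body in OBJ_RE.findall(pdf)}
    root = ROOT_RE.search(pdf)
    if root is None:
        raise ValueError("no /Root entry in trailer")
    start = (int(root.group(1)), int(root.group(2)))
    if start not in objects:
        return [(None, start)]          # the Catalog itself is missing
    dangling, seen, stack = set(), {start}, [start]
    while stack:
        current = stack.pop()
        for n, g in REF_RE.findall(objects[current]):
            target = (int(n), int(g))
            if target not in objects:
                dangling.add((current, target))
            elif target not in seen:    # visited set keeps cyclic graphs finite
                seen.add(target)
                stack.append(target)
    return sorted(dangling)

# Constructed samples (not the MOAB demo file): a minimal object graph.
GOOD = (b"%PDF-1.3\n"
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
        b"2 0 obj\n<< /Type /Pages /Count 1 /Kids [3 0 R] >>\nendobj\n"
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
        b"trailer\n<< /Size 4 /Root 1 0 R >>\n%%EOF\n")
# Same document with one reference to an object that does not exist.
BAD = GOOD.replace(b"/Kids [3 0 R]", b"/Kids [3 0 R 9 0 R]")

if __name__ == "__main__":
    print(find_dangling_refs(GOOD))
    print(find_dangling_refs(BAD))
```

A reader or mail gateway that rejects a file when this list is non-empty fails closed on the input class described above instead of dereferencing a missing object.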
As a workaround, LKM recommends disabling browser plug-ins or switching to Adobe Acrobat Reader 8.0.0, which apparently does not contain the flaw. Switching to the latest version of Adobe Reader has been highly recommended since four holes in the Reader plug-in were made public last week. Because some users cannot switch to version 8, the software vendor has announced that patches will also be released for version 7.x, as the vendor has itself categorized the holes as critical.
- Multiple Vendor PDF Document Catalog Handling Vulnerability, the security advisory at MOAB
- Universal PDF XSS After Party, security advisory at GNUCitizen