In association with heise online

08 January 2007, 12:36

PDF format design flaw endangers PC security


The initiators of the Month of Apple Bugs are going off the beaten path with their sixth bug: a design error in the PDF format can allow specially prepared documents to crash a PDF application or infect a system with malware. According to the security advisory, the result depends on the specific application and the operating system it runs on. Affected are 3.0.8 (409) running on Apple Mac OS X, Adobe Acrobat Reader 5.0 to 7.0 on all platforms, xpdf 3.0.1 (patch 2), and gv, kpdf, poppler and other applications based on it. The quite popular Foxit Reader also has trouble with the released demo PDF: in a test at heise Security, it crashed without issuing an error message. Other applications are probably affected as well.

LKM, one of the initiators of the MOAB, says that this vulnerability is due to a flaw in the specifications for version 1.3 of the PDF format. In this version the specifications define the objects and data for a document and how the document is to be rendered in the "Catalog Dictionary", but apparently do not define how the program should react to invalid references. It seems the references are assumed to always be valid and invalid entries are not generally caught. This may result in memory violations (null pointer dereferences, buffer overflows, etc.) and memory leaks that cause the program to crash and may even allow code to be injected and executed.
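The unchecked-reference problem described above can be triaged from the defender's side by verifying that every indirect reference in a file actually resolves. The following Python script is an added example, not code from the advisory or from any of the affected readers; it uses a simplified regex-based scan over uncompressed PDF 1.3 syntax (no object streams or cross-reference streams) and a constructed sample document in which the Catalog's /Pages entry points at an object that does not exist.

```python
import re
from typing import List, Set, Tuple

# Indirect reference "N G R" and object header "N G obj" (PDF 1.3 syntax).
REF_RE = re.compile(rb"(\d+)\s+(\d+)\s+R\b")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b")

def defined_objects(pdf: bytes) -> Set[Tuple[int, int]]:
    """Return every (object number, generation) pair the file actually defines."""
    return {(int(n), int(g)) for n, g in OBJ_RE.findall(pdf)}

def dangling_references(pdf: bytes) -> List[Tuple[int, int, int]]:
    """Return (num, gen, byte offset) for each reference with no matching object.

    A reader that assumes references are always valid will dereference
    whatever such a lookup yields; a triage tool should flag them instead.
    """
    defined = defined_objects(pdf)
    return [
        (int(m.group(1)), int(m.group(2)), m.start())
        for m in REF_RE.finditer(pdf)
        if (int(m.group(1)), int(m.group(2))) not in defined
    ]

def is_internally_consistent(pdf: bytes) -> bool:
    """True when every indirect reference resolves to a defined object."""
    return not dangling_references(pdf)

# Constructed sample: a minimal, well-formed PDF 1.3 document.
GOOD_PDF = (
    b"%PDF-1.3\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
# Constructed: the same file, but the catalog's /Pages entry points at object 9,
# which is never defined, i.e. the kind of invalid reference the advisory describes.
BAD_PDF = GOOD_PDF.replace(b"/Pages 2 0 R", b"/Pages 9 0 R")

if __name__ == "__main__":
    for name, doc in (("good", GOOD_PDF), ("bad", BAD_PDF)):
        if is_internally_consistent(doc):
            print(name, "consistent")
        else:
            print(name, "dangling references:", dangling_references(doc))
```

Running the script reports the good file as consistent and flags the reference to object 9 in the bad one; a real triage pipeline would decompress object streams first and treat any dangling reference as grounds for not opening the file in a vulnerable reader.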

As a workaround, LKM recommends disabling browser plug-ins or switching to Adobe Acrobat Reader 8.0.0, which apparently does not contain the flaw. Switching to the latest version of Adobe Reader has been highly recommended since four holes in the Reader plug-in were made public last week. Because not all users can switch to version 8, the vendor, which itself rates the holes as critical, has announced that patches will also be released for version 7.x.

In the meantime, it turns out that the XSS holes in the plug-in can be used for far more than merely stealing cookies. When a prepared URL points to a locally saved PDF file, the JavaScript code attached to the URL also runs locally and therefore has access to local resources. While the attack requires knowledge of where a PDF document is saved to be successful, unfortunately Adobe Reader itself includes a document in PDF format that always has the same path.
