Monday, April 5, 2010

PDF's are the new vector for malware - and now PDF worms are coming

I've ranted in the recent past about PDF vulnerabilities based on exploitable holes or embedded javascript.

Now comes the real warning about the near future:  A built-in feature inherent to the PDF format can be used to run arbitrary code on your machine . . . without using javascript or any actual vulnerabilities.  The only mitigation is that Adobe at least asks the user if code might be run -- but some tricky social hacking can still cause unaware users to click OK on the wrong box.

Worse, another growing competitor to Adobe: Foxit PDF, does not even warn the user that code is about to be invoked.  It just quietly lets the code run without any user interaction!

For a YouTube video demo of this nasty feature in action:
PDF: Launch a Command

For a downloadable test to try your luck with your favorite third party PDF reader see:
Escape from PDF credit to Didier Stevens.

And for the extension of this logic towards the inevitable PDF driven worm, see:
Are PDF's Wormable?

YouTube Video: PDF Worm Demo - No JavaScript Required

The authors are not releasing the method, but I can tell you that once the concept is released, which it has been, someone on the wrong side will figure it out soon enough.

Adobe, Foxit and other PDF reader providers need to look into this ASAP.

Edit: Thanks to theweaselking in the comment below -- Foxit Reader has an update that will change the behavior to match Adobe's product in this scenario. If you use Foxit make sure you've accepted the latest updates.

Of course - I would rather have three changes from both companies.

1) Make the message that asks the user for permission immutable.

2) Give us an option to turn off the third party viewer feature entirely -- just like we can turn off JavaScript in the Preferences. Such calls from within a PDF would be totally ignored.

3) Bonus! How about fixing Adobe and Foxit so they run properly as a Low Integrity Process in Vista and Windows 7 (and Windows Server 2008 / R2.) Mandatory Integrity Control in Win 7 and Vista works very well as another barrier to malware by forcing high risk processes to run at lower permissions than the OS. Unfortunately many popular utilities that should be considered high risk do not take advantage of this feature.

1 comment:

  1. The *most current* version of Foxit - released April 2nd 2010 - corrects this vulnerability and changes the behaviour to match Adobe Reader's - a popup box with a warning.

    ReplyDelete

Comments are welcome but moderated to prevent spam links. I usually check them at least once a day in the evenings - so please be patient with me if your comment does not appear quickly.

Thank you.