Adobe considers changes to mitigate PDF attack

The company has also detailed two ways to prevent an attack detailed last week

By Jeremy Kirk, IDG News Service |  Security 2 comments

April 07, 2010, 7:44 AM Adobe Systems is considering modifying its PDF applications to counter a way to run arbitrary code on Windows computers by embedding it in a malicious PDF file.

Last week, security researcher Didier Stevens detailed a way to run executable code using a different launch command even though PDF applications from Adobe and Foxit don't allow embedded executables to directly run. The attack requires some social engineering.

The particular launch command used by Stevens is defined in the PDF specification (ISO PDF 32000-1:2008) under section 12.6.4.5, wrote Steve Gottwals, a group product manager at Adobe.

"This is a good example of powerful functionality relied upon by some users that also carries potential risks when used incorrectly by others," Gottwals wrote.

Adobe's Reader and Acrobat products do display a warning that only trusted executables should be opened, but Stevens showed how it was possible to modify part of the warning message in order to persuade a user to open the file. The company is considering modifications to the programs.

"We are currently researching the best approach for this functionality in Adobe Reader and Acrobat, which we could conceivably make available during one of the regularly scheduled quarterly product updates," Gottwals wrote.

Older versions of Foxit's Reader did not display a warning message, although the company issued a version 3.2.1 that adds a warning dialog box, according to a company spokesman.

Gottwals wrote that administrators can take steps to mitigate an attack by unchecking a box in the "trust manager" section of "preferences" that allows non-PDF file attachments with external applications to be opened. He also gives instructions for how to modify the registry to prevent users from turning that feature back on.

Although Stevens did not release his entire proof-of-concept code, another security researcher was able to build another kind of attack using part of Stevens' work.

Jeremy Conway, a product manager with NitroSecurity, found a way to spread malicious code across PDF documents on a victim's computer. Conway also modifies the warning message in order to encourage a user to open the malicious PDF. If opened, a malicious payload is added to other PDF files on the computer in a worm-like fashion. The payload could include a Trojan horse program that can log keystrokes and steal passwords.

2 comments

    Anonymous 1 year ago
    Thank you for giving the reference in the standard. I found that very interesting.
    Flag comment  |  Permalink Reply
    Anonymous 1 year ago
    Adobe PDF is bloatware....I would give up pdf files altogether rather than use Adobe.Thank heavens there alternatives.Louis
    Flag comment  |  Permalink Reply

      Add a comment

      Post a comment using one of these accounts
      Or join now
      At least 6 characters

      Note: Comment will appear soon after you have activated your account.
      Obscene/spam comments will be removed and accounts suspended.
      The information you submit is subject to our Privacy Policy and Terms of Service.

      ITworld LIVE

      SecurityWhite Papers & Webcasts

      White Paper

      Overcome Top 7 Admin Challenges of Active Directory

      As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable, enforceable processes that reduces administrative overhead and enables robust, customizable reporting and auditing capabilities. Brought to you by NetIQ.

      White Paper

      Insiders Can Ruin Your Company. Take Action.

      Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in organizations worldwide. This white paper from NetIQ, discusses key technology solutions that help to prevent and detect insider threats.

      White Paper

      Top Solutions and Tools to Prevent Devastating Malware

      Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring (FIM) tools that provide immediate alerts. This white paper has been brought to you by NetIQ, the leader in solving complex IT challenges.

      White Paper

      Streamline Compliance and Increase ROI

      Streamline, simplify, and automate compliance related activities; especially those that impact multiple business units. This white paper from NetIQ, outlines solutions that will help your business gain the maximum return on investment possible while aligning your compliance programs.

      White Paper

      X-Ray of the PCI Process-4 Proactive Steps

      This white paper from Forrester Research Inc., helps break PCI into understandable components. Security and risk professionals will gain knowledge and insight into creating a compliant and secure IT environment. Follow these four proactive steps now before your next audit. Brought to you by NetIQ.

      See more White Papers | Webcasts

      Answers - Powered by ITworld

      ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

      Join Now

      New questions

      Friday fun: What's your guilty pleasure?
      0 answers
      What are the chances that the cloud will kill off the PC?
      0 answers
      How to print from a mobile device
      2 answers
      How to get started developing Android applications
      2 answers
      How to market a mobile app
      2 answers
      View more questions

      Ask a question

      Join Now or Sign In to ask a question.
      Ask a Question