Adobe, FoxIt investigating PDF executable hack

Security response teams at Adobe and FoxIt are investigating ways to mitigate a new PDF hack that allows the execution of an embedded executable without exploiting any security vulnerabilities.

A demo of the PDF hack has been published to show how a hacker could employ social engineering techniques to launch code execution attacks if a user simply opens a rigged PDF file.

Here's the official response from Adobe:

Didier Stevens' demo relies on functionality defined in the PDF specification, which is an ISO standard (ISO PDF 32000-1:2008). Section 12.6.4.5 of the specification defines the /launch command. This is an example of powerful functionality relied on by some users that also carries potential risks when used incorrectly. The warning message provided in Adobe Reader and Adobe Acrobat includes strong wording advising users to only open and execute the file if it comes from a trusted source. Adobe takes the security of our products and technologies very seriously; we are always evaluating ways to allow end-users and administrators to better manage and configure features like this one to mitigate potential associated risks.

The company did not say how it planned to mitigate the issue but it's likely a future Adobe Reader update will feature stricter warnings when dealing with embedded executables using the /launch command.

Foxit Software, which markets an alternative to Adobe's Reader, plans to ship a patch very soon to address this issue:

"Foxit takes every security concern seriously and we focus our engineering resources at determining the cause of the problem and coming up with a complete and safe solution. Upon hearing of a possible security concern, our development team went to work and a resolution was determined in less than 24 hours and an updated version of the Foxit Reader will be made public in the next 72 hours."

The problem was first discussed by researcher Didier Stevens who created a proof-of-concept PDF file showing how an executable file can be launched directly from Adobe Reader or FoxIt without the use of an actual software vulnerability.

Although PDF viewers like Adobe Reader and Foxit Reader don’t allow embedded executables (like binaries and scripts) to be extracted and executed, Stevens discovered another way to launch a command (/Launch /Action), and ultimately run an executable he embedded using a special technique.

With Adobe Reader, the user gets a warning asking for approval to launch the action, but I can (partially) control the message displayed by the dialog. Foxit Reader displays no warning at all, the action gets executed without user interaction.

Stevens said Adobe’s PDF Reader will block the file from automatically opening but he warned that an attacker could use social engineering tricks to get users to allow the file to be opened. With Foxit Reader, there is no warning whatsoever.

According to this note, this hacking technique is already in use in the pen-testing community.
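
Because the behavior comes from a documented action type rather than a bug, a mail or web gateway can triage PDFs by looking for the /Launch name itself. The following is an added example, not code from the article, Adobe, Foxit or Didier Stevens; the sample bytes are constructed, and the block/review/pass policy is an assumption for illustration.

```python
import re

# Names worth counting when triaging a PDF (all defined in ISO 32000-1).
WATCHED = ("Launch", "OpenAction", "AA", "EmbeddedFile")

# A PDF name is '/' followed by regular characters (no whitespace or delimiters).
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize_name(raw: bytes) -> str:
    """Decode #xx escapes so that 'L#61unch' compares equal to 'Launch'."""
    return HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def scan_pdf(data: bytes) -> dict:
    """Count watched names in the raw file bytes.

    Limitation: objects stored inside compressed object streams are not
    visible to a raw scan and would need decompressing first.
    """
    counts = {name: 0 for name in WATCHED}
    for match in NAME_RE.finditer(data):
        name = normalize_name(match.group(1))
        if name in counts:
            counts[name] += 1
    return counts

def verdict(counts: dict) -> str:
    """Assumed policy: a launch action tied to an automatic trigger is blocked."""
    if counts["Launch"]:
        return "block" if (counts["OpenAction"] or counts["AA"]) else "review"
    return "pass"

# Constructed fragments, not complete documents; the target is a placeholder.
SAMPLE_LAUNCH = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Action /S /L#61unch /F (constructed-placeholder) >>\nendobj\n"
)
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"

if __name__ == "__main__":
    for label, blob in (("launch", SAMPLE_LAUNCH), ("clean", SAMPLE_CLEAN)):
        result = scan_pdf(blob)
        print(label, result, verdict(result))
```

The name normalization matters because a plain substring search for `/Launch` misses the hex-escaped spelling used in the first sample.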

Talkback

9 comments
  • Fascinating...

    But of course while I'm using FoxIt I only read PDFs that I either made or found on my school website so the probability of infection is low
    Ceridan
  • Does this......

    Affect users that are running with least privileges?
    OhTheHumanity
  • works only on windoze

    Linux is safe
    Linux Geek
    • Most worthwhile things only work on Windows

      Oh ... and Windows can be just as secure as Linux if you want it to be.

      Thanks for playing.
      de-void-21165590650301806002836337787023
      • RE: Most worthwhile things only work on Windows

        I disagree. The design of Windows is less secure than that of Linux. A security hole of Windows is more likely to have serious effects, than an equivalent hole on Linux.

        You might find http://www.theregister.co.uk/2004/10/22/security_report_windows_vs_linux/ interesting reading.
        codefisher
        • Really?

          An article from 2004? Back in the early days of XP? Have anything from around 2007 at least?

          I personally think some Linux distros are more secure than Windows, but at least get an updated reference.

          I should also note that all this Linux security seems to come with a price. It makes it harder for users to do advanced functions (not that most need to). That's the line MS has to walk, where Linux just goes for security and Mac goes for functionality.

          Ease of use: Mac > Windows > Linux
          Security: Linux > Windows > Mac

          The above is just my opinion.
          Cobra7fac
          • Most of that article is about fundamental design concepts.

            Is anything in it outdated besides "Windows has *only recently* evolved from a single-user design to a multi-user model" and "A Comparison of 40 *Recent* Security Patches"?

            I think the rest of it still stands.
            AzuMao
  • Haha, even Ryan double posts sometimes.

    This story is a repost of http://blogs.zdnet.com/security/?p=5929
    AzuMao
    • hmm..

      I noticed that too
      nothing new here *moves along*
      techvirago