Back in February, I posted a note here about a study showing that the most popular vehicle for Web-based malicious software was Adobe’s PDF document format. Software to read this format is very widely installed, across all major platforms (Adobe’s own Reader product is available for Windows, Linux, Mac OS X, and Solaris). So, I have argued, it is not hard to understand why malicious PDF files are popular with the Bad Guys.
I’m afraid that they’re likely to get even more popular. A Belgian security researcher, Didier Stevens, has discovered a technique for embedding executable content in a PDF file, so that it will be run automatically when the file is opened. What makes this technique both novel and worrying is that it does not exploit a security vulnerability. Instead, it uses a “feature” of the PDF specification that allows the document to specify a “Launch Action” to be executed when the document is opened. (This is somewhat analogous to the old AUTOEXEC.BAT facility in MS-DOS.)
M. Stevens has informed Adobe of his proof-of-concept PDF, which he has not published (yet). However, I would expect others to be able to work out how to do this, especially since they have a pretty clear indication of where to look. We can all hope that Adobe comes up with a clever solution; perhaps Launch Actions could be disabled by default (though that would not eliminate the risk from social engineering).
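In the meantime, the useful thing a defender can do is look for the feature rather than wait for a signature. The script below is an added example, not part of the original post and not M. Stevens’s code: it scans a PDF for the `/Launch` action type together with the `/OpenAction` (or `/AA`, additional-actions) entries that cause an action to fire on open, decodes the `#xx` hex escapes the PDF syntax allows in names (so `/L#61unch` is still recognised), and inflates FlateDecode streams so that names hidden inside compressed objects are seen too. The two sample documents and the helper that builds a compressed one are constructed here purely to exercise the check; they are not renderable PDFs and carry no payload.

```python
import re
import zlib

# A PDF name token: "/" followed by letters/digits, where any byte may be
# written as a #xx hex escape (ISO 32000-1 section 7.3.5).
NAME_RE = re.compile(rb'/((?:[A-Za-z0-9]|#[0-9A-Fa-f]{2})+)')

# A stream body; the lookbehind stops "endstream\n" being taken as a start.
STREAM_RE = re.compile(rb'(?<!end)stream\r?\n(.*?)\r?\nendstream', re.DOTALL)

# Names worth counting: the action type the post discusses, and the two
# catalog/page entries that make an action run automatically on open.
SUSPICIOUS = {'Launch', 'OpenAction', 'AA'}


def decode_name(raw: bytes) -> str:
    """Resolve #xx escapes so obfuscated spellings compare equal."""
    return re.sub(rb'#([0-9A-Fa-f]{2})',
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode('latin-1')


def inflate_streams(data: bytes) -> list:
    """Return the decompressed bodies of every FlateDecode stream we can inflate."""
    bodies = []
    for m in STREAM_RE.finditer(data):
        try:
            bodies.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed (or damaged); raw bytes were scanned already
    return bodies


def scan_pdf(data: bytes) -> dict:
    """Count occurrences of the suspicious names in the raw file and in inflated streams."""
    counts = {}
    for chunk in [data] + inflate_streams(data):
        for m in NAME_RE.finditer(chunk):
            name = decode_name(m.group(1))
            if name in SUSPICIOUS:
                counts[name] = counts.get(name, 0) + 1
    return counts


def is_auto_launch(counts: dict) -> bool:
    """True when a Launch action is present alongside an on-open trigger."""
    return 'Launch' in counts and ('OpenAction' in counts or 'AA' in counts)


# Constructed sample: catalog whose OpenAction points at a Launch action,
# with the action type spelled using a hex escape.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Type /Action /S /L#61unch /F (placeholder) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample with no actions at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def build_compressed_sample() -> bytes:
    """Constructed sample: a Launch action dictionary hidden in a Flate stream, no open trigger."""
    body = b"<< /Type /Action /S /Launch /F (placeholder) >>"
    packed = zlib.compress(body)
    return (b"%PDF-1.4\n4 0 obj << /Length " + str(len(packed)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + packed
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for label, doc in [("sample", SAMPLE_PDF), ("benign", BENIGN_PDF),
                       ("compressed", build_compressed_sample())]:
        found = scan_pdf(doc)
        print(f"{label}: {found} auto-launch={is_auto_launch(found)}")
```

The distinction the script draws is deliberate: a `/Launch` action on its own (as in the compressed sample) is something a reviewer should look at, but it is the combination with `/OpenAction` or `/AA` that reproduces the “runs when the file is opened” behaviour described above. The check is keyword-based, so it does not handle every encoding the format permits (object streams, other filters); treat it as a triage step, not a verdict.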
The broader lesson here is that designing a system that has provision for the automatic execution of code is generally a Really Bad Idea. (Ask Microsoft about auto-run macros in Office documents, or AUTORUN.INF on CDs.) It sometimes is necessary to live without a little added convenience for the sake of reasonable security.