Booby-Trapped PDFs

Back in February,I posted a note here about a study showing that the most popular vehicle for Web-based malicious software was Adobe’s PDF document format.  Software to read this format is very widely installed, across all major platforms (Adobe’s own Reader product is available for Windows, Linux, Mac OS X, and Solaris).  So, I have argued, it is not hard to understand why malicious PDF files are popular with the Bad Guys.

I’m afraid that they’re likely to get even more popular.  A Belgian security researcher, Didier Stevens, has discovered a technique for embedding executable content in a PDF file, so that it will be run automatically when the file is opened.  What makes this technique both novel and worrying is that it does not exploit a security vulnerability.  Instead, it uses a “feature” of the PDF specification that allows the document to specify a “Launch Action” to be executed when the document is opened.  (This is somewhat analogous to the old AUTOEXEC.BAT facility in MS-DOS.)

As M. Stevens discusses in his blog post, opening the file with Adobe Reader results in the display of a warning message; since the document can specify part of the message, he suggests that clever social engineering could result in quite a few clicks on OK.  Some other PDF readers (e.g., Foxit) just silently execute the code without any warning at all.   Stevens’s technique does not use JavaScript, a popular PDF attack vector, at all, so disabling JavaScript, a commonly recommended precaution, will not help at all.   Adobe and other software vendors cannot issue a patch, in the usual sense, because there is no bug in the software being exploited; the flaw is in the specification of the PDF document format.

M. Stevens has informed Adobe of his proof-of-concept PDF, which he has not published (yet).  However, I would expect others to be able to work out how to do this, especially since they have a pretty clear indication of where to look.  We can all hope that Adobe comes up with a clever solution; perhaps Launch Actions could be disabled by default (though that would not eliminate the risk from social engineering).

The broader lesson here is that designing a system that has provision for the automatic execution of code is generally a Really Bad Idea.  (Ask Microsoft about auto-run macros in Office documents, or AUTORUN.INF on CDs.)  It sometimes is necessary to live without a little added convenience for the sake of reasonable security.

Comments are closed.

%d bloggers like this: