To Catch a PDF Hacker, You Have To Think Like One

Despite the improvements Adobe has made to Acrobat and Reader, it's still tough to stay ahead of creative hackers who love to abuse the PDF format.

To that end, security researchers like Didier Stevens find ways to hack into an application in order to anticipate potential vulnerability points and the security risks associated with them.

Well, he found one last week for the PDF. And this one can get you more easily than you think.

On his blog, Stevens writes:

“PDF viewers like Adobe Reader and Foxit Reader don’t allow embedded executables (like binaries and scripts) to be extracted and executed. . . But I found another way to launch a command (/Launch /Action), and ultimately run an executable I embedded using a special technique.”

According to Stevens, all it takes is a single confirmation click from the user. Unlike most PDF attacks you're probably familiar with, this one involves a warning dialog box.

By simply modifying the message in that dialog box, an attacker could easily dupe users into clicking a button that opens the file and runs the executable.

Think of it. Most of us don't pay much attention when confirming application launches. Usually, a quick scan is the only attention we'll give the prompt (Vista and its pesky confirmation dialog boxes come to mind).

Stevens found that Foxit Reader and Adobe Reader behaved differently when tested against the attack. If you have Foxit Reader, for instance, there would be no warning dialog box cushioning you from the attack.

The latest update to Foxit Reader has fixed that, but it has also introduced some new side effects, which Stevens details here.

What’s also alarming is that the “/Launch” functionality is documented within the PDF specification. In other words, the function could be used by any malicious user looking to exploit the PDF.

In fact, Stevens' work has already been used by NitroSecurity product manager Jeremy Conway to test-build more serious attacks that could result from the function.

Although this attack is just a scenario, there are a few suggested tips over at the Adobe Reader Blog that you should try out to prevent any related threats.
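Because "/Launch" is a documented part of the PDF specification, a defender can triage incoming files for it before they reach a viewer. The Python below is an added example, not code from Stevens or from this article; the function names and the sample byte strings are constructed for illustration. It goes slightly beyond the text by also resolving `#xx` name escapes and by flagging `/ObjStm` object streams, whose contents a raw byte scan cannot see.

```python
import re

# A PDF name is "/" plus regular characters; whitespace or a delimiter ends it.
_NAME = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]*)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes so /L#61unch and /Launch compare equal."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def triage(data: bytes) -> dict:
    """Scan raw PDF bytes for name tokens that decode to Launch.

    This is a byte-level scan: it can also hit text inside strings or
    uncompressed streams, and it cannot see names stored in compressed
    object streams, so a hit or an /ObjStm flag means "parse this file
    properly", not a final verdict.
    """
    names = [(m.start(), m.group(0), decode_name(m.group(1)))
             for m in _NAME.finditer(data)]
    launch = [(off, raw) for off, raw, dec in names if dec == b"Launch"]
    return {
        "launch_offsets": [off for off, _ in launch],
        "obfuscated": any(b"#" in raw for _, raw in launch),
        "compressed_objects": any(dec == b"ObjStm" for _, _, dec in names),
    }


# Constructed fragments (not complete PDF files), for illustration only.
SAMPLE_CLEAN = b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj"
SAMPLE_PLAIN = b"5 0 obj << /Type /Action /S /Launch >> endobj"
SAMPLE_ESCAPED = b"5 0 obj <</Type/Action/S/L#61unch>> endobj"
SAMPLE_NEAR_MISS = b"<< /LaunchPad 1 /Title (Launch day) >>"
SAMPLE_OBJSTM = b"7 0 obj << /Type /ObjStm /N 3 /First 18 >> stream"

if __name__ == "__main__":
    for label, blob in [("clean", SAMPLE_CLEAN), ("plain", SAMPLE_PLAIN),
                        ("escaped", SAMPLE_ESCAPED),
                        ("near miss", SAMPLE_NEAR_MISS),
                        ("object stream", SAMPLE_OBJSTM)]:
        print(f"{label:14} {triage(blob)}")
```
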