Tuesday, September 17, 2024

PDF Potentially A Malware Vehicle

Proof of concept code demonstrated to Secure Computing showed how Adobe’s popular Portable Document Format could become a massive attack vector for malware distributors.

Paul Henry of Secure Computing first began spreading the word in January about a potentially bad situation with PDF files. Proof of concept code emerged that showed how JavaScript could be embedded in a PDF, to execute when opened.

Henry said Adobe patched that particular problem. PDF as a threat then left the radar until a flood of PDF spam began hitting inboxes for a few weeks over the summer, stopping almost as quickly as it started.

After chatting with Henry for this article, I learned there is a new reason to fear the PDF, even though Adobe considers PDF not to be a threat. The original researcher who shared the proof of concept code with Henry in January has done so again.

It’s a new way to embed JavaScript in those files. The researcher told Henry he will not share proof of concept code this time. Malicious uses of the technique, which has been disclosed to Adobe, could be easy to replicate from the POC.

The example POC from January could show the local C: drive’s contents upon execution. Attackers could create something exploiting this newest embed threat that would steal files and upload them, or download malicious files from a remote server.

The widespread use of PDF in business environments, not to mention the Web 2.0 crowd’s love of embedded content, could turn a corrupt PDF into a full-fledged outbreak. Systems running anti-malware scanning should fare better against arriving PDF malware, but all computer users should be as wary of PDF these days as they are of any content or links sent by unknown users, or unexpectedly from known senders.
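A first-pass check that a mail or file gateway could run for the behaviour described above (JavaScript embedded in a PDF that executes when the file is opened). This is an added example, not code from the article, the researcher or Secure Computing; the key names come from the PDF specification rather than the article, and the sample inputs are constructed.

```python
import re

# PDF dictionary keys for script content and automatic triggers (ISO 32000).
SCRIPT_KEYS = ("/JS", "/JavaScript")
TRIGGER_KEYS = ("/OpenAction", "/AA")

# A PDF name runs from "/" to the next whitespace or delimiter character.
_NAME = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript is read as /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count script and trigger keys in raw PDF bytes.

    Limitation: keys inside compressed object streams stay hidden until the
    streams are inflated, so this is a first-pass filter, not a verdict.
    """
    counts = {key: 0 for key in SCRIPT_KEYS + TRIGGER_KEYS}
    for match in _NAME.finditer(data):
        name = decode_name(match.group(0))
        if name in counts:
            counts[name] += 1
    return counts


def is_suspicious(data: bytes) -> bool:
    """Flag files that pair script content with an automatic trigger."""
    counts = triage_pdf(data)
    has_script = any(counts[k] for k in SCRIPT_KEYS)
    has_trigger = any(counts[k] for k in TRIGGER_KEYS)
    return has_script and has_trigger


# Constructed samples (not taken from any real file or from the article).
SAMPLE_SCRIPTED = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
                   b"2 0 obj\n<< /S /JavaScript /JS (placeholder) >>\nendobj\n")
SAMPLE_ESCAPED = b"<< /OpenAction << /S /J#61vaScript /J#53 (placeholder) >> >>"
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"

if __name__ == "__main__":
    for label, sample in (("scripted", SAMPLE_SCRIPTED), ("escaped", SAMPLE_ESCAPED),
                          ("plain", SAMPLE_PLAIN)):
        print(label, is_suspicious(sample), triage_pdf(sample))
```

A hit here is a reason to quarantine the file for deeper inspection, since legitimate forms also use JavaScript and a clean result does not cover compressed streams.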
