PDF – Friend? or Zero Day Future?

Security stories rarely make the front page around here, but the presumed safe PDF file is going to hit the news. Zero-Day~! is a headline that you don’t want to participate in, and one is predicted for PDF files in the near future. We should therefore remind ourselves of the basics.

Security people use the term “Attack Vector” to describe a route that a presumed malicious person uses to somehow gain control of a computer. The cuddly pdf has been a vector in the past, then Adobe gave it a “sandbox” – which is yet another term of security art. In this case, imagine a place where the program can look at and manipulate the incoming code before allowing it to do something. For example, a pdf is allowed to reproduce graphic files within the text. The program – very quickly – allows that graphic to load up in the internal sandbox only, decides that it is not a secret dagger aiming at the CPU, and lets it pass to the graphics chip.

What has happened in the past is that black hats are using things like graphics files to hide malicious code, like trojan horses or viruses. The idea is that the graphic is allowed, therefore this might slip through without triggering a virus checker. You’ll often hear the word ‘sandbox’ and Javascript, because it is often manipulations of Javascript code in a pdf that is the problem.

The news is that someone has figured a way around the sandbox. They can show themselves using a script that exploits Adobe Reader. This someone is letting other blackhats know that the code might be available for their use if they just pay up. The full story can be read here: Experts Warn of Zero-Day Exploit for Adobe Reader — Krebs on Security. That’s right, the bad guys are holding a virtual auction to see who wants to spread the most havoc.

There are a few solutions to this. Get everyone on a Mac, since this exploit is targetted onto Windows users, especially those who haven’t upgraded to Reader 11. Even with Reader 11, go to Preferences in all versions of Reader and turn off Reader Javascript. Most likely you won’t notice. 

Next solution is: don’t allow PDF files onto production equipment, at all, anymore. Period. The files, no matter who you got them from, cannot be presumed to be innocuous.

If you are creating a file that you know will be going to editors or projectionists or people who might stick it onto production equipment, save it as a PDF/A file. LibreOffice and OpenOffice and Microsoft Office ’07 and ’10 all support this export file version of a pdf. The PDF/A file can’t hide code because it doesn’t allow certain things to run in it.

Stay Aware. 

Leave a Reply