Security stories rarely make the front page around here, but the presumed safe PDF file is going to hit the news. Zero-Day~! is a headline that you don’t want to participate in, and one is predicted for PDF files in the near future. We should therefore remind ourselves of the basics.
Security people use the term “Attack Vector” to describe a route that a presumed malicious person uses to somehow gain control of a computer. The cuddly pdf has been a vector in the past, then Adobe gave it a “sandbox” – which is yet another term of security art. In this case, imagine a place where the program can look at and manipulate the incoming code before allowing it to do something. For example, a pdf is allowed to reproduce graphic files within the text. The program – very quickly – allows that graphic to load up in the internal sandbox only, decides that it is not a secret dagger aiming at the CPU, and lets it pass to the graphics chip.
The news is that someone has figured a way around the sandbox. They can show themselves using a script that exploits Adobe Reader. This someone is letting other blackhats know that the code might be available for their use if they just pay up. The full story can be read here: Experts Warn of Zero-Day Exploit for Adobe Reader — Krebs on Security. That’s right, the bad guys are holding a virtual auction to see who wants to spread the most havoc.
Next solution is: don’t allow PDF files onto production equipment, at all, anymore. Period. The files, no matter who you got them from, cannot be presumed to be innocuous.
If you are creating a file that you know will be going to editors or projectionists or people who might stick it onto production equipment, save it as a PDF/A file. LibreOffice and OpenOffice and Microsoft Office ’07 and ’10 all support this export file version of a pdf. The PDF/A file can’t hide code because it doesn’t allow certain things to run in it.