Jeremy Conway, product manager at NitroSecurity, created a proof of concept for an attack in which malicious code is injected into a file on a computer as part of an incremental update, but which could be used to inject malicious code into any or all PDF files on a computer.
The attack requires the user of the computer to allow the code to be executed by agreeing to it via a dialog box. However, the attacker could at least partially control the content of the dialog box that appears to prompt the user to launch the executable and thus use social engineering to entice the computer user to agree to execute the malware, said Conway.
Turning off JavaScript would not prevent the attack. It also does not require that the attacker exploit a vulnerability in the PDF reader itself.
The PDF reader incremental update capability "can be used as an infection vector", said Conway. The attack "does not exploit a vulnerability. No crazy Zero-Day (exploit) is needed to make this work."
Conway's proof of concept attack takes advantage of the same weakness in PDF readers that security researcher Didier Stevens of Belgium discovered a week ago and explained on his blog.
Stevens was able to launch a command and run an executable within a PDF file using a multi-part scripting process. As a result of that research and blog post, researchers at Adobe and Foxit Software are investigating ways to mitigate the risks from such attacks, according to ZDNet Asia's sister site ZDNet.
An Adobe spokeswoman did not have a comment on Conway's hack, but ZDNet posted Adobe's comment on Stevens':
"Didier Stevens' demo relies on functionality defined in the PDF specification, which is an ISO standard (ISO PDF 32000-1:2008)," the statement said. "Section 12.6.4.5 of the specification defines the /launch command. This is an example of powerful functionality relied on by some users that also carries potential risks when used incorrectly. The warning message provided in Adobe Reader and Adobe Acrobat includes strong wording advising users to only open and execute the file if it comes from a trusted source. Adobe takes the security of our products and technologies very seriously; we are always evaluating ways to allow end-users and administrators to better manage and configure features like this one to mitigate potential associated risks."
Foxit provided ZDNet this comment:
"Foxit takes every security concern seriously and we focus our engineering resources at determining the cause of the problem and coming up with a complete and safe solution. Upon hearing of a possible security concern, our development team went to work and a resolution was determined in less than 24 hours and an updated version of the Foxit Reader will be made public in the next 72 hours."
The problem results from the PDF reader software allowing executable files to be opened or launched from within the program, according to Conway. "Most users don't use that additional functionality," he said.
He suggested that PDF software firms could provide a "minimalistic" version of the PDF readers that do not allow other types of programs to be launched and allow users to decide which specific types of executables they want to be able to open within the program.
This article was first published as a blog post on CNET News.