PDF virus spreads without exploiting any flaw
A new proof-of-concept attack has shown how a PDF virus hidden in a program launch action could be used to infect clean PDFs too.
A security researcher has demonstrated a proof-of-concept attack that could allow malicious PDF files to spread to other PDF files on a system without exploiting a specific vulnerability.
Jeremy Conway, a product manager at NitroSecurity, built on the work done by fellow security specialist Didier Stevens to come up with an attack that could spread malicious code into clean PDFs as part of an incremental update.
Last week, Stevens showed how a program launch action triggered by the opening of a PDF could be exploited to execute code embedded in the PDF. Stevens also demonstrated that the pop-up dialogue box normally accompanying such a launch action could be partially manipulated to give users a false sense of security.
However, Conway who says he was inspired by Stevens' work said the vulnerability could be used to infect other PDF files with the same problem.
"There is more that can be done with this hack that may not be apparent at first glance," Conway wrote in a blog post. "My code could easily be adapted or modified to infect every single PDF file on a user's computer or accessible to the user via network mapped drives without changing the physical appearance of these newly infected PDF files."
He added: "This means PDF files that have been stored on the user's computer for years and are trusted could now house any sort of badness and/or evil I chose to update them with."
Adobe, the maker of the most popular PDF reader software, Adobe Reader, responded that the warning message accompanying the pop-up dialogue strongly advised users to only open and execute files from a trusted source, and that it took the security of its products and technologies very seriously.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Rival reader software maker Foxit has already issued an update to its reader software to partially address the issue.
Previously, the Foxit software didn't request any confirmation at all before launching a program from within a PDF, but an update issued on 1 April added this safeguard effectively bringing it inline with Adobe Reader.
However, given that the vulnerability exploits a weakness in the PDF specification itself, and with Conway having shown the possibility of it spreading to trusted files on a user's PC, this does little to provide lasting protection from attack.
Both Adobe and Foxit have confirmed they are working on a more permanent solution.
Last month, security firm F-Secure revealed that Adobe Reader had overtaken Microsoft Word as the number one target for targeted attacks, with nearly half of all attacks in 2009 having being directed at Adobe's PDF-reading software.