Adobe considers changes to mitigate PDF attack

From X-bit Labs: Adobe Systems is considering modifying its PDF applications to counter a way to run arbitrary code on Windows computers by embedding it in a malicious PDF file.

Last week, security researcher Didier Stevens detailed a way to run executable code using a different launch command even though PDF applications from Adobe and Foxit don't allow embedded executables to directly run. The attack requires some social engineering.

The particular launch command used by Stevens is defined in the PDF specification (ISO PDF 32000-1:2008) under section 12.6.4.5, wrote Steve Gottwals, a group product manager at Adobe.

"This is a good example of powerful functionality relied upon by some users that also carries potential risks when used incorrectly by others," Gottwals wrote.

Adobe's Reader and Acrobat products do display a warning that only trusted executables should be opened, but Stevens showed how it was possible to modify part of the warning message in order to persuade a user to open the file. The company is considering modifications to the programs.

View: Article @ Source Site