Can PDF's do bad things? [Archive] - Glock Talk

PDA

View Full Version : Can PDF's do bad things?


Hines57
07-02-2007, 16:50
I got 2 e-mails in a row from people I don't know with no explanation. Can anything bad be sent by pdf?

pesticidal
07-02-2007, 16:55
Originally posted by Hines57
I got 2 e-mails in a row from people I don't know with no explanation. Can anything bad be sent by pdf?

I dunno, but I think I got the same ones. I preview all mail with Mailwasher, and deleted them.

Hines57
07-02-2007, 18:04
I get a fair amount of unknown e-mail for work so I don't want to delete it if I don't have to, but I have never heard if pdf's can contain any kind of bad stuff.

They were labeled as

paid-ELHJGGPAIXOHHS.pdf attached from @mail.twu.edu

Alert.pdf from @pocketmail.com

sjfrellc
07-02-2007, 20:49
In my mindspring/earthlink mail box, a lot of suspect email showed up today with PDF attachments. Delete as spam. Somethings up.

Blitzer
07-03-2007, 07:34
YES!

http://news.zdnet.co.uk/security/0,1000000189,39285342,00.htm

PDF threat worse than first thought

* Tags:
* Acrobat,
* Security,
* PDF

Joris Evers CNET News.com

Published: 05 Jan 2007 08:24 GMT

* Email
* Trackback
* Clip Link
* Print friendly

A recently discovered security weakness in the widely used Acrobat Reader software could put net users at more risk than previously thought, experts warned on Thursday.

Initially, security professionals thought that the problem was restricted and exposed only web-related data or could support phishing scams. Now it has been discovered that miscreants could exploit the problem to access all information on a victim's hard disk drive, said web security specialists at WhiteHat Security and SPI Dynamics.

Key to increased access is where hostile links point. When the issue was first discovered, experts warned of links with malicious JavaScript to PDF files hosted on websites. While risky, this actually limits the attacker's access to a PC. It has now been discovered that those limits can be removed by directing a malicious link to a PDF file on a victim's PC.

"This means any JavaScript can access the user's local machine," Billy Hoffman, lead engineer at SPI Dynamics, said in an emailed statement. "Depending on the browser, this means the JavaScript can read the user's files, delete them, execute programs, send the contents to the attacker, etc. This is much worse than an attack in the remote zone."

By contrast, a link to a PDF hosted on a website with malicious JavaScript code would run on the user's machine with limited access, or the "remote zone", Hoffman said. For example, script code in a link to a PDF on "bank.com" would be able to communicate with bank.com and access its cookies, he said. Such a standard cross-site-scripting attack could allow account hijacks, for example.

The security problem exists because the web browser plug-in of the Adobe Systems' Acrobat Reader allows JavaScript code appended to links to PDF files to run once the link is clicked, said Jeremiah Grossman, chief technology officer at WhiteHat Security.

For an attack to work, a malicious link has to point to an existing PDF file on the web or on the target system. PDFs are abundant on the net and finding one on a local system isn't hard; a sample PDF file comes with Acrobat Reader and is installed in a predictable location on PCs, Grossman said.

The security problem was first disclosed at the Chaos Computer Club conference in Germany over the holidays in a paper by Stafano Di Paola and Giorgio Fedon. The extended scope of the issue was publicised late on Wednesday by a hacker using the moniker "RSnake".

Adobe is aware of the claims that an attack could have broader implications, but had not verified the issue, a company representative said in an emailed statement on Thursday.

"Based upon info we have, Flash Player, Reader and modern browsers should restrict such an exploit, but we haven't completed our evaluation of all possible scenarios," the representative said.

To mitigate the threat, users can upgrade to Adobe Reader 8, the latest version of the Adobe software released last month. Adobe is also working on updates to previous versions that will resolve this issue, the company has said.

pesticidal
07-03-2007, 09:57
I got another one this morning. The IP address is from Korea. Got deleted.

neeko
07-03-2007, 16:13
adobe acrobat/reader are known attack vectors for crackers. so yes a pdf that opens in adobe can be malicious.

NetNinja
07-03-2007, 19:57
There is a freaking plethora full of those freaking emails getting into my server. Driving me crazy!
Most of them comming from egreetings of course spoofed.