New Attack Turns PDF Feature Into Liability

The PDF file, along with its dubious companion Adobe Reader, is known for being one of the weak points in a computer's security. Holes allowing hackers and malware to weasel their way into a computer are regularly discovered in PDF files and programs. But a new way of hijacking the Adobe and Foxit readers requires no exploiting of holes or bugs; instead, it actually turns an asset of the PDF format into a liability.

These readers' incremental update features allow the execution of programs from within a document. While a user does have to agree to let a program run, hackers can manipulate the dialog box (asking the user for permission) to look legitimate. This could then be used to add malicious code to any and all PDFs on a computer.

The ability of hackers to turn this feature against the user was discovered by Didier Stevens. A week later, Jeremy Conway, a product manager at NitroSecurity, developed a proof-of-concept attack based on it. Adobe responded to the initial news of Stevens's discovery with some non-specific boilerplate babble about taking "the security of [its] products and technologies very seriously." Foxit offered more concrete action, telling CNET that it had developed a "fix" in the wake of Conway's proof of concept, and that it would be made public within 72 hours.

CNET also spoke with Conway, who offered some advice to the makers of PDF-reading software. Since most users don't take advantage of the incremental update feature, perhaps the companies could offer "minimalist" viewers that lack this advanced yet exploitable feature. [From: CNET]
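
A defender's triage check for the two things the article describes, a document that asks to run a program and updates appended to existing PDFs, as an added example that is not from the article, CNET, or the researchers named. It assumes the program-execution feature is the PDF specification's `/Launch` action (a name the article does not give); `triage`, `decode_name` and the sample bytes are constructed for illustration.

```python
import re

# Constructed sample: one original revision, then the same file with an
# appended (incremental) revision that adds an auto-run launch action.
SAMPLE_CLEAN = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
                b"xref\n0 1\ntrailer\n<< /Root 1 0 R >>\nstartxref\n60\n%%EOF\n")
SAMPLE_UPDATED = SAMPLE_CLEAN + (
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Type /Action /S /La#75nch >>\nendobj\n"
    b"xref\n0 1\ntrailer\n<< /Root 1 0 R /Prev 60 >>\nstartxref\n200\n%%EOF\n")

# A PDF name is "/" followed by characters up to whitespace or a delimiter.
NAME_RE = re.compile(rb"/([^\s/<>\[\]()%{}]+)")


def decode_name(raw: bytes) -> bytes:
    """Undo the #xx hex escapes PDF allows in names, so /La#75nch == /Launch."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def triage(data: bytes) -> dict:
    """Raw byte scan; names inside compressed object streams are not seen."""
    names = [decode_name(n) for n in NAME_RE.findall(data)]
    # Each saved revision ends with %%EOF. More than one suggests appended
    # updates (linearized files can also legitimately show two).
    revisions = len(re.findall(rb"%%EOF", data))
    return {
        "revisions": revisions,
        "incremental_updates": max(revisions - 1, 0),
        "launch_actions": names.count(b"Launch"),
        # Keys that fire an action without a click: on open / additional actions.
        "auto_triggers": sum(names.count(k) for k in (b"OpenAction", b"AA")),
    }


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
```

A file that reports both a launch action and an incremental update it did not have before is the combination worth escalating for manual review.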
