Researcher Raises Alarm Over PDFs

Adobe files could soon become attackers' favorite medium for malware delivery, experts say

Tim Wilson, Editor in Chief, Dark Reading, Contributor

September 21, 2007


A researcher has discovered new vulnerabilities in PDF files that could lay a Windows user's entire hard drive bare for inspection and remote manipulation.

In a blog entry posted yesterday, researcher Petko Petkov said he has discovered PDF vulnerabilities so dangerous that he will not post a proof of concept until they have been addressed by Adobe, the maker of the PDF technology.

"You have to take my word for it," Petkov says. "The POCs will be released when an update is available."

In the blog's discussion thread, Petkov does include a video that shows how malware buried in a PDF file can enable an attacker to gain access to user data.

"This means that an attacker could gain access to anything on your C: drive -- executable files, your documents, anything," says Paul Henry, vice president of technology evangelism at Secure Computing. "They could make copies of your documents and send them to others. And it requires no other input than the end user clicking on the PDF link."

The new vulnerabilities are actually a follow-on to PDF flaws that were discovered back in January and demonstrated by RSnake of Ha.ckers.org. (See When Your PDF Reader Turns on You.)

Although there was an uptick in PDF spam and pump-and-dump scams shortly after that vulnerability was released, the full potential of the flaws was not realized, Henry says.

"What [Petkov] has done now is develop a more powerful methodology for embedding JavaScript in a PDF file," Henry says. "The potential is enormous. It wouldn't surprise me if PDF becomes the next favorite vehicle of choice for delivering malware, especially because it's so readily accepted and trusted by users."

IT and security pros should advise users to be wary of PDF files they receive from unknown users or on public Websites, Henry says. "Even if you know the sender, but weren't expecting a PDF from them, you should check on it."

Enterprises should also consider implementing one of the anti-malware scanning tools that are emerging on the market, Henry advises. "Signature-based tools aren't going to cut it with this sort of threat out there."
