September 2009 saw some key security analysis raining directly onto the Adobe PDF platform, particularly with SANS pointing towards remote code execution within PDFs as one of the top threat vectors:
Kudos to Adobe for patching these security holes. What happens when flawed functionality of Acrobat PDF file format leaves the door wide open…?
In plain language, if you click on the PDF you launch both the PDF and an embedded executable script or program. Like anything else, this is bad and good depending on intent. This programming potential has been around for a long time so let me be clear: on the bad side we’re talking about social engineering a functionality to do something the PDF is not supposed to do: get a user to click and launch external code.
Additionally, unconfirmed research by Jeremy Conway displays the potential for a PDF worm making the vector rapidly scalable across anyone’s network. Jeremy sums up the threat:
Speaking of embedding PDF executables, that’s a somewhat sophisticated step in itself. I’m not saying it can’t be done, in fact Didier has a method detailed here, but my resources relay that it’s somewhat tricky.
Although this issue affects a large percentage of the PDF-using public, according to Gregg Keizer’s article for ComputerWorld, the Adobe response can be interpreted to brush off the threat as someone else’s problem:
Foxit however has posted a security bulletin detailing their timeline in responding with an updated version of their browser – particularly helpful since launching with Foxit previously would not bring up any user prompt intercepting the code execution.
In the past few years I’ve done some not-so-gentle research into Adobe’s Corporate Authenticity. I share frustrations with the researcher and with Gregg Keizer’s interview regarding the ability Adobe has in answering about specifics. I did quite a bit of blogging about issues in transparency which Adobe had a few years back with another product, which now may or may not have been corrected.
My own personal struggles with corporate authenticity at Adobe were unfulfilled as well. I have done significant research into the SEC filings of Adobe and happen to have some solid stock price predictions as past analysis.
I can sympathize with the researcher creating a proof of concept before attempting to contact Adobe because Adobe’s history in proactively fixing PDF vulnerabilities is anything but exemplary:
For serious researchers, I highly recommend checking out the author’s site comments where, as you can see from this screenshot, the latest posts have already become ‘viral’:
Patches are due out April 13th for the Adobe Acrobat Reader. It remains to be seen whether this /launch /action trickery will be addressed within the Reader itself or left alone as Adobe has previously stated.
Contributing Writer, Securing Our eCity
Author ESET Research, ESET