Adobe PDF format riddled with exploitable features
Posted on 03 January 2011.
Adobe's PDF format and standard has been known for a while now to be easily exploitable and, thus, rather insecure. In the past, attackers have taken advantage not only of its vulnerabilities, but of its features as well. And as Adobe has recently announced a sandbox for Adobe Reader, some experts wonder if it's enough.

As Julia Wolf, a researcher with security company FireEye, pointed out at the 27th Chaos Communication Congress in Berlin, the current PDF standard is riddled with functions that can be misused in various ways.

According to her, a PDF file can have a database scanner embedded in it which is rigged to start scanning as soon as the file is printed on a network printer. It can also be made to display completely different content depending on the OS, browser, PDF reader software or language settings used on the computer.

What's more, some of its functions can be used to set off arbitrary code execution. The fact that the standard supports many insecure formats (XML), technologies (RFID tags) and script languages (JavaScript) only adds to its weak security.

According to The H Security, she also mentioned that, interestingly enough, Adobe calls the PDF format a "container format". And, indeed, it can contain many things, from audio and video to Flash files, which can, in turn, be exploited by attackers.

But one of the biggest problems with the exploitation of this feature is that most anti-malware solutions fail to detect the embedded malicious software, and the detection rate is poorer still if the malicious code is compressed.
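The effect of compression on keyword-based detection, shown as an added example that is not from the original article or from the talk it reports: a small Python triage that counts risky PDF names in the raw bytes and again after inflating Flate-compressed streams. The name list, the function names and the sample document are assumptions constructed for illustration.

```python
import re
import zlib

# Names a triage pass looks for: scripts, automatic actions, embedded content.
# This list is an assumption chosen for the example, not a complete inventory.
RISKY = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
         b"/EmbeddedFile", b"/RichMedia", b"/XFA"]
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)

def count_names(data):
    """Count whole-name occurrences of each risky PDF name in data."""
    counts = {}
    for name in RISKY:
        # A name ends at a delimiter or whitespace, so /JS must not match /JSx.
        hits = re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", data)
        if hits:
            counts[name.decode()] = len(hits)
    return counts

def inflate_streams(pdf):
    """Yield the inflated body of every stream that zlib can decompress."""
    for m in STREAM_RE.finditer(pdf):
        try:
            # decompressobj tolerates the end-of-line bytes before 'endstream'.
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate-compressed, or wrapped in another filter

def triage(pdf):
    """Return (names seen in raw bytes, names seen only after inflating)."""
    raw = count_names(pdf)
    hidden = {}
    for body in inflate_streams(pdf):
        for name, n in count_names(body).items():
            hidden[name] = hidden.get(name, 0) + n
    return raw, hidden

def build_sample():
    """Constructed sample: two dictionaries packed inside a Flate stream."""
    inner = b"<< /S /JavaScript /JS 7 0 R >> << /Type /EmbeddedFile >>"
    packed = zlib.compress(inner)
    return (b"%PDF-1.5\n1 0 obj\n<< /Type /ObjStm /Filter /FlateDecode"
            b" /Length " + str(len(packed)).encode() + b" >>\nstream\n"
            + packed + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    raw, hidden = triage(build_sample())
    print("raw scan:", raw)
    print("after inflating streams:", hidden)
```

On the constructed sample, the raw scan reports nothing while the inflated pass finds the script and embedded-file names, which is the gap a scanner that inspects only the bytes on disk leaves open.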

All in all, the sandboxing feature will be a welcome addition to the new version of Adobe Reader. Whether it will solve the problems she described remains to be seen.





