[Infowarrior] - Is it time to consider PDF a threat?

Richard Forno rforno at infowarrior.org
Tue Feb 12 23:44:26 UTC 2008


Is it time to consider PDF a threat?

By Joel Hruska | Published: February 12, 2008 - 02:05PM CT

http://arstechnica.com/news.ars/post/20080212-is-it-time-to-consider-pdf-a-threat.html

Adobe released patches for its Reader and Acrobat programs last Wednesday,
but there's reason to suspect that the company has closed the barn door long
after the cattle fled. According to a blog entry at the SANS Internet Storm
Center, this particular vulnerability has been exploited in the wild for
several weeks. In this case, hackers use malicious banner ads as a host for
an infected PDF. The PDF then installs the Zonebac Trojan, which sets to
work deactivating antivirus products, modifying search results, and changing
banner ads.

Adobe's 8.12 update supposedly plugs the loopholes that the Zonebac delivery
system exploited, but the company has declined to give any information on
what, exactly, the update changed. The lack of information is disappointing
(though not surprising), but Adobe's failure to address the issue in a
timely manner raises questions about the firm's commitment to security. An
18-day gap between the appearance of a verified exploit and the release of a
patch isn't exactly impressive, and this particular issue had been on
Adobe's radar for months. iDefense Labs first reported the existence of this
particular buffer overflow vulnerability in early October 2007.

The attack has raised some questions regarding the security of the PDF
standard: Symantec researcher Hon Lau discusses the relevant PDF
vulnerability in his blog before rhetorically asking: "With more and more of
these attacks happening, how much longer will it be before people implicitly
attach a higher risk association to PDF files and avoid them altogether?"

To answer his question, some of us already do. While there's not a whole lot
of evidence suggesting that the PDF standard is under concerted attack,
the mere existence of these exploits affects perception of them, and Adobe
is doing itself no favors. Granted, we still know far, far more people who
were infected via JPGs, DOCs, and the like, but this isn't Adobe's first
high-profile security issue. Hon Lau covered a different cross-scripting
attack that also exploited a PDF vulnerability back in January 2007.
Ironically, Adobe recommended users update to Reader 8 as one way of solving
the problem. 

Given the file format's popularity and ubiquity, Adobe has a very strong
interest in keeping PDF as secure as possible; if it fails to do so, it
opens the door for competing standards such as Microsoft's XML Paper
Specification (XPS). These recent attacks, in and of themselves, aren't
enough to steer businesses away from a trusted format they may have been
using for decades, but Adobe may need to adjust the way in which it
communicates with customers and the speed with which it delivers its
security patches. PDF files have been traditionally represented as safe for
download or viewing, which makes the need to stay ahead of hackers, rather
than nearly three weeks behind them, all the more important.



