back to article PDF security hole opens can of worms

The security perils of PDF files have been further highlighted by new research illustrating how a manipulated file might be used to infect other PDF files on a system. Jeremy Conway, an application security researcher at NitroSecurity, said the attack scenario he has discovered shows PDFs are "wormable". Computer viruses are …


This topic is closed for new posts.
  1. Anonymous Coward

    Can anyone tell us

    if this defective design affects Linux/Unix/BSDs too ?

    1. Flocke Kroes Silver badge

      Looks like virus support has not been completed for Linux

      Xpdf's change log does not mention javascript, and one of the design goals is to keep it simple. There is a good chance that Xpdf will remain safe for years/decades. The Gnome and KDE pdf viewers used to use Xpdf's backend library, so old versions of KPDF and GPDF are safe. New versions are switching / have switched to Poppler - a derivative of Xpdf. Poppler got javascript support late in 2009. It looks like animation support is in progress but not yet complete. (I am not sure how to print out an animation ;-).

      For full virus support you may have to wait for the gnu pdf library and the viewer (Juggler) that uses it. When complete, Gnu PDF should be able to run portable malware, but so far many malware authors have not made the effort to write portable viruses. Perhaps one day, the open source community will be able to experience the full range of malware available to Windows users, but today, that is still a far off dream. Has anyone got any Microsoft malware that runs properly in WINE?

      If you are looking for a new pdf reader, take your pick:

    2. Chemist

      Re : Can anyone tell us

      Don't use Acrobat. Xpdf and variants work fine- I use Okular. That didn't seem to be vulnerable to Didier's test files.

    3. This post has been deleted by its author

  2. FathomsDown

    XPS for me then!

    Well, I for one will be saving my documents in XPS format for extra safety.... no-one will be able to open them!

  3. Remy Redert

    re: Can anyone tell us

    Yes and no.

    Yes, the PDF specification still requires these things to be present.

    No, most malicious PDFs will be loaded with malware designed to attack Windows, not *nix machines. Additionally, even if one did aim for *nix machine, who uses an admin account on a *nix machine to open PDF files anyways? The damage will be far more limited.

    1. Anonymous Coward
      Anonymous Coward

      re: Can anyone tell us

      Free software doesn't usually implement the entire specification. If the spec requires something stupid the implementer usually just ignores that bit of it. They're trying to make a useful program, not gain certification. Xpdf is probably safer than Adobe's Acrobat software.

      It doesn't matter whether you use an "admin" account if the alternative is using the same account that you do everything else with. If your main user account is compromised then so is all the data you care about and if the attacker needed root they could get it by replacing the su or sudo command, for example. However, if the attacker just wants to send spam they can do that from any account. To put it another way: who uses a special "nobody" account to open PDF files? Only a few very careful people, I would guess.

      1. Chemist

        Re : "by replacing the su or sudo"

        "if the attacker needed root they could get it by replacing the su or sudo command, for example"


        su and sudo may be world executable but they are only writable by root so they can't be replaced.

        1. alain williams Silver badge

          Re : "by replacing the su or sudo"

          "su and sudo may be world executable but they are only writable by root so they can't be replaced."

          What he means is for the malware to execute the command ''sudo something evil'', ie use ''sudo'' in the executed command not ''su''. This may work because sudo can be configured to remember that someone authenticated recently and so not ask for a password.

          1. Chemist

            Re : "by replacing the su or sudo"

            sudo only has a very limited set of commands allowed on my system ( not Ubuntu), and none of them are security critical

        2. James Loughner

          Sure you can

          You don't replace the su command you just put a su named script in the path.

          1. Chemist

            Re : Sure you can

            Oh, is that what you mean ?

            I'm paranoid - I only run dangerous commands like su with the full path


  4. AndrueC Silver badge
    Thumb Down

    Oh bother.

    Good old PDF. Everyone's favourite way to publish documentation online.

  5. John F***ing Stepp

    You wouldn't use PDF to kill a dog.

    You wouldn't use PDF to steal a purse.

    You wouldn't use PDF to infect a system.

    So don't steal music and movies.

    Hey RIAA, I am on your side with this one.

    I wouldn't use PDF to do Jack Shit.

  6. yossarianuk

    re: Can anyone tell us

    As long as you are not using the official Adobe reader it looks like you will be safe in Linux.

    You would have to be a complete moron to be running the official Adobe reader in the first place seeing as there are far better alternatives (I find the default reader in kde4 and gnome so much quicker and less memory hungry than the official reader ...)

  7. Basic

    O-Day attack

    It's like a 0-day attack but O so much worse :)

  8. Pan_Handle

    Something you can do


    Update April 6 9:15 a.m. PDT: An Adobe spokeswoman replied Monday night with the same statement above and this: "Users can also turn off this functionality in the Adobe Reader and Adobe Acrobat Preferences by selecting > Edit > Preferences > Categories > Trust Manager > PDF File Attachments and clearing the box 'Allow opening of non-PDF file attachments with external applications.'"

    1. Anonymous Coward
      Anonymous Coward

      Registry Key

      That's HKCU\software\Adobe\Acrobat Reader\9.0\Originals\bAllowOpenFile

      Set the value to REG_DWORD 0x0 to turn off this functionality.

  9. irrelevant
    IT Angle

    So, what's the alternatve

    for publishing simple scans with a text layet? Because I was not happy with PDF readers' bloat already...

  10. A Non e-mouse Silver badge

    What ?!?!

    Embedded executable binaries are valid content in PDFs ? Who thought *that* was a good idea ?

  11. Anonymous Coward


    Adobe software is flawed (and/or contains bugs)?

    Oh noes! No-one could possibly have predicted that Adobe software might have bugs

  12. Tom 35
    Thumb Down

    Usless bloat

    If adobe didn't stuff the PDF file format with embedded crap like video we would not have this crap. But then no one would need to spend $150 on an upgrade every year if they didn't keep putting more and more crap into the format (I'm still using V6, nothing in v9 I want).

    PDF should just be an electronic version of what you would put on a piece of paper. It should not be an interactive, multimedia, dog and pony show. If I wanted to do that I'd email my invoice to customers in Flash format :P

    1. Paul RND*1000

      Amen to that

      Somewhere back in the mists of time, PDF was simple. Acrobat Reader was simple and small. They did exactly what was necessary to provide a portable document ideally suited to on-screen viewing, printing out and *nothing* *more*.

      Then, as usual with these things, the software company responsible had to go ruin it with needless "convenience" features and fancy stuff nobody really needs (Javascript? Embedded executables? How is it a portable document if it's got an OS-specific EXE buried in there anyway? WTF??), and in the process left it full of security holes, not to mention turning a simple document reader program into a full-fledged example of bloat gone wild (a 38MB download for version 9? Really? Their heads have come undone if they think that's acceptable).

      You would *think* that someone would have figured this out after the raft of viruses targeted at Word and Excel files, but apparently not.

  13. asdf

    el reg has template

    Do you just cut and paste from the last PDF vulnerability article (usually less than two weeks ago) or do you have a template set up specifically for PDF and flash flaws. Adobe has the worst software security wise and it really is a huge economic sink hole that few realize. I suppose outsourcing everything to India a while back didn't work so well as shown by held together by duct tape, gum and chicken wire software. You get what you pay for unless you actually buy anything from Adobe in which case you got screwed.

  14. Bounty

    Seems like Just another trojan

    You open a PDF and a bunch of stuff you care about is screwed up, I'm not sure how this makes it a worm? I understood that worms spread w/o human interaction, say by exploiting a vunerability in a network service etc. This seems like trojan activity unless I'm missing something.

  15. Tom 35


    If you open an infected PDF, it can infect other PDF files that might be on a network share or that you might send to someone.

This topic is closed for new posts.

Other stories you might like