back to article It's 2022 and there are still malware-laden PDFs in emails exploiting bugs from 2017

HP's cybersecurity folks have uncovered an email campaign that ticks all the boxes: messages with a PDF attached that embeds a Word document that upon opening infects the victim's Windows PC with malware by exploiting a four-year-old code-execution vulnerability in Microsoft Office. Booby-trapping a PDF with a malicious Word …

  1. dharmOS

    PDFs to blame, or Adobe Reader (for unnecessary functionality)?

    Do the inbuilt PDF viewer in Chrome and Edge (or equivalents on MacOS, ChromeOS and iOS) execute JavaScript and thus be vulnerable? Or is this an "Adobe Special", avoided by not using their PDF viewer?

    1. Fazal Majid

      Re: PDFs to blame, or Adobe Reader (for unnecessary functionality)?

      In this case it's not JavaScript in the PDF but PDF's completely unnecessary ability to embed third-party file formats like Office docs, that has the actual malicious payload.

    2. yetanotheraoc Silver badge

      Re: PDFs to blame, or Adobe Reader (for unnecessary functionality)?

      `Or is this an "Adobe Special", avoided by not using their PDF viewer?`

      No, it's not an Adobe-only issue. Firefox, Chrome, etc. will also execute PDF.JavaScript if you let them. You can disable this behavior, but it's probably on by default because most lusers want it.

  2. VoiceOfTruth

    Give us a small PDF reader

    One which doesn't try to do everything under the sun, but just renders onto the screen the PDF. Don't say Foxit, that is bloated these days too.

    1. mark l 2 Silver badge

      Re: Give us a small PDF reader

      I am not sure if its still maintained there was a Windows port of Evince a FOSS PDF reader which is popular on Linux. And Evince according to their website doesn't support all the extra 'features' Adobe added on like embedding other documents or running Javascript in PDFs.

      1. ThatOne Silver badge
        Devil

        Re: Give us a small PDF reader

        > doesn't support all the extra 'features' Adobe added on

        What? It doesn't allow strangers to hack you easily? Yikes! How uncool! A tool for Luddites!

        (Spare exclamation marks: !!!!)

      2. My other car WAS an IAV Stryker
        Thumb Up

        Re: Give us a small PDF reader

        I endorse Evince.

        When I need to do work early or late in the day under less-than-optimal lighting reading PDFs that are just stacks of scanned document images (rarely direct-exported from plain text), Evince lets me view negative imagery to lessen the eye strain. Adobe Bleeder (Reader) will invert the direct-exported text-based pages but not scanned images.

        1. ThatOne Silver badge

          Re: Give us a small PDF reader

          Me too.

          I discovered Evince because it was the default PDF reader on the flavor of Linux I use, and I like it. It does everything it should, and politely refrains from doing all those annoying things it shouldn't.

          Something other PDF readers struggle with. I mean who doesn't want to be able to program a business solution or remote control his smart fridge from his PDF reader. It's cool, bro!

        2. DS999 Silver badge

          Re: Give us a small PDF reader

          Evince isn't just for PDFs, it also handles other stuff like postscript (yikes) and really weird stuff like "comic book archive". They are looking at supporting Office formats. So I'm not sure I'd call it "lightweight", and sounds like it will eventually bloat to do everything under the sun like everything else. Dunno what happened to the Unix ethos of tools to do one job well, rather than including the kitchen sink. systemd is just a symptom of a larger problem, I guess.

          Last time I checked evince doesn't properly support fill-in forms, until it does I've been forced to stick with acroread.

        3. VoiceOfTruth

          Re: Give us a small PDF reader

          I last used Evince years ago, but gave it another spin at your suggestion. On FreeBSD there is a evince-lite package/port which doesn't drag in 4 tons of Gnome stuff, just a half a dozen small dependencies. It's actually not bad at all.

    2. entfe001
      FAIL

      Re: Give us a small PDF reader

      What we really need is a small PDF specification. Name it whatever you want, but something that restores the idea of "paper-on-screen" that many still believe is what PDF is about.

      Heck, I've even encountered PDF files on the wild which are wholly rendered by code to be executed by the reader and have a fallback static "You must use Adobe Reader to see this document" page for those readers who can't or won't.

      If we have bloated PDF readers is only because we allow for PDF files to do all this sort of dirty tricks.

      Edit to add: this does not necessarily mean that dynamic PDF content is bad, it's just that it's something else. Most of current PDF files would even benefit from a format specification that does not allow for dynamically changing its contents. What sense makes, for instance, to allow for dynamic modifications over a final OSHA/HSE report or a judicial ruling?

    3. PSBingo

      Re: Give us a small PDF reader

      We've used Sumatra for years on industrial networks. No install, loads pdfs fast. Doesnt seem to have obnoxious telemetry. Acrobat messes with indusrial software ar times.

  3. My other car WAS an IAV Stryker

    "PDFs can also include clickable links"

    ...but they never work! I'm not sure if it's a company IT restriction, but Adobe Reader never wants to open valid links. Links are much safer than embedded documents (you can see the link target before clicking and put the security onus on the browser), quite possibly the safest of all PDF features, but it just won't work.

    They only reason I like making/sending PDFs is because 1) almost no-one knows how to edit them, whereas sending Office files is asking for loss of document control, and 2) very few folks in the company have Visio -- and even fewer with AutoCAD -- but everyone has Reader.

    1. Anonymous Coward
      Anonymous Coward

      @My other car WAS an IAV Stryker - Re: "PDFs can also include clickable links"

      I'm not comfortable allowing Adobe Reader to do anything else beyond rendering PDF files.

      1. Hubert Cumberdale Silver badge

        Re: @My other car WAS an IAV Stryker - "PDFs can also include clickable links"

        I'm not comfortable allowing Adobe Reader to do anything.

      2. david 12 Silver badge

        Re: @My other car WAS an IAV Stryker - "PDFs can also include clickable links"

        There is no such thing as 'a PDF file'. PDF is a container format. At minimum, it has to contain Postscript, fonts, and zips.

    2. yetanotheraoc Silver badge

      Re: "PDFs can also include clickable links"

      "Adobe Reader never wants to open valid links."

      In a quick test just now, whether Adobe Reader will open a link depends on how I created the PDF. In Firefox, Ctrl+P, choosing "Save to PDF" gives working links, choosing "Microsoft Print to PDF" gives non-working links. YMMV.

  4. Version 1.0 Silver badge

    But the valid links say things like "This is really great possibility to change your job", "Collect your $10,000 gift" etc... these are just this mornings message quarantines, the message was 9cf84296-df20-4dc3-8105-a73fb729c88f.pdf - flagged as URL/Phish.KX.gen!Eldorado

  5. Anonymous Coward
    Anonymous Coward

    Java script and

    the ability to execute other programs (including media players) are the functions I disable and make sure they stay disabled after each update. So far, Adobe was kind enough to allow me to do it.

    Besides that, not using Microsoft Office (I really don't need to pay for features I never use) does help tremendously in defending against these threats.

  6. Roland6 Silver badge

    Our takeaway from this: stay up-to-date with patches...

    What updates and patches?

    According to the article the bugs used by the exploit has been around since 2017 in all Windows (?) versions of MS Office supported back then, so that's 2010, 2013, 2016 plus I assume from this the bugs are still there in 2019, 2021 and 365; complete with the current (May 2022) security fixes.

    >detect and remove these PDFs from incoming messages

    With the level of ofuscation being used, are there some simple rules that can be used to detect these and only these PDFs? Or are we dependent upon spam filters and client AV/security software.

    Hence my interpretation of the "takeaway" is: We have nothing to offer other than platitudes.

    1. yetanotheraoc Silver badge

      Re: Our takeaway from this: stay up-to-date with patches...

      "What updates and patches?"

      The ones in the CVE linked in the article. Patches listed for Office 2007, 2010, 2013, and 2016.

      1. Roland6 Silver badge

        Re: Our takeaway from this: stay up-to-date with patches...

        The linked CVE and fixes are dated November 2017, it is now May 2022. According to the article, these didn't fix the problem, otherwise HP's cybersecurity folks would not have something to shout about...

    2. david 12 Silver badge

      Re: Our takeaway from this: stay up-to-date with patches...

      Actually, Microsoft Equation Editor was dropped from Office years ago, and the 'security updates' for the old versions of Office just disable it.

      Long before that, Office also had the Word equation editor, and eventually MS just told people that the old stand-alone Microsoft Equation Editor was not included in new versions of Office or Windows.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like