From:	 "Nick FitzGerald" <nick@virus-l.demon.co.uk>
To:	 bugtraq@securityfocus.com
Subject: Re: Adobe PDF files can be used as virus carriers
Date:	 Wed, 8 Aug 2001 07:45:52 +1200
Cc:	 rms@privacyfoundation.org (Richard M. Smith)

rms@privacyfoundation.org (Richard M. Smith) wrote:

> This is an interesting development.  Zulu, a virus writer from South
> America, appears to have discovered that Adobe PDF files can be used to
> carry computer viruses.  ...

This should not be that surprising -- the recent joint 
(?) announcement by NAI/McAfee and Adobe that the former was 
researching the ability to scan PDF files should have raised a few 
people's suspicions...  It turns out that Adobe has decided that PDF 
files should not just be "document files" (i.e. "data") but should be 
able to support embedding of other types of file objects.  I 
believe the mechanism Adobe chose to support this is OLE, thus 
turning PDF files into something loosely akin to Windows Shell Scrap 
(SHS) files.

> ...  The attached description gives the details.
> His little trick uses a PDF file to bypass the new security feature of
> Outlook which automatically deletes dangerous file attachments.  With
> this security feature, all VBScript attachments are deleted because they
> might be computer viruses.  However with Zulu's trick, a malicious
> VBScript file can instead be hidden inside a PDF file which Outlook
> considers safe.

And more than that.  Not only does the current rev of the Outlook
Security Update consider PDF files "safe" but most users will too, as
historically PDF files have been "pure document files".  It is
interesting that Adobe has apparently not learnt anything from the
history of such developments -- the least it could have done were it
a security sensitive developer with the faintest glimmer of
understanding of the history of such things would have been to make 
the reader software require different formats for (potentially 
dangerous) "documents" (those that contain embedded objects) and the 
pure ("old") PDF format.  This way content management is made much 
easier and intelligent users would simply block the "new" format so 
as to not have to worry about the increased risk associated with it.  

And, of course, therein lies the reason Adobe would not do this -- why
add a threat-increasing option to your product if you then make it
entirely optional whether the threat could be leveraged??  It is an
interesting reflection on the thinking of Adobe that it approached
antivirus developers to have them add handling of their new file
formats rather than attempt to ameliorate the threat escalation they
were deliberately, and clearly (from that very action) knowingly,
introducing with this change...

> I don't believe that the anti security research and reverse engineering
> provisions of the DMCA apply here, but given Adobe's recent action
> against Dmitry Sklyarov, I recommend a bit of caution by anyone looking
> into this potential security problem in Adobe Acrobat Reader.  A
> conversation with a lawyer might be prudent.

I seem to recall seeing some documentation about the object embedding 
mechanisms on Adobe's web site.  Is it reverse engineering to take 
that publicly posted information and experiment with applying it??

> Another interesting question is if Adobe formatted eBooks can also act
> as computer virus carriers.

It is not so important that eBooks can or cannot carry computer 
viruses.  What matters is whether or not the "reader" software (or 
whatever else "handles" such files) can be made to "extract" and 
"run" such embedded objects and how readily it does this.

For example, according to the virus writer's own notes, the "trick" 
he uses depends on the carrier PDF being opened in the full PDF 
authoring version of the Acrobat software and will not work under the 
standard Acrobat reader.  Some early reports I've had from elsewhere 
suggest this is correct, so this particular attack vector seems 
unlikely to open a major threat.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
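One way a mail gateway could act on the point made in this thread, that PDFs carrying embedded objects should be treated differently from "pure" document PDFs, is to triage each attachment by the PDF name objects it contains before Outlook ever sees it. The following Python is an added example written for this page; it is not code from the post, from Adobe, or from NAI/McAfee. It assumes the standard PDF names for file attachments (`/EmbeddedFile`, `/EmbeddedFiles`, `/Filespec`) and for active content (`/Launch`, `/JavaScript`, `/JS`, `/OpenAction`, `/AA`), and it normalises the `#xx` hex escapes that PDF allows inside names so that a simple byte match cannot be dodged by spelling `/Embedded#46ile`. The sample PDFs are constructed inline (the attached "file" is the string `hello world`), and the verdict labels are this example's own choice.

```python
import re

# Constructed sample: a minimal PDF that carries a file attachment via the
# /EmbeddedFiles name tree -> /Filespec -> /EmbeddedFile stream chain.
# The attached "file" is harmless text; only the structure matters here.
PDF_WITH_ATTACHMENT = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles << /Names [(note.txt) 5 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj
5 0 obj << /Type /Filespec /F (note.txt) /EF << /F 6 0 R >> >> endobj
6 0 obj << /Type /EmbeddedFile /Length 11 >> stream
hello world
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same document with the tell-tale names written using
# PDF's #xx hex escapes ('F' is 0x46, 's' is 0x73). A naive substring match
# for b"/EmbeddedFile" would miss this; the name decoder below does not.
PDF_WITH_ESCAPED_NAMES = (
    PDF_WITH_ATTACHMENT
    .replace(b"/EmbeddedFile", b"/Embedded#46ile")
    .replace(b"/Filespec", b"/File#73pec")
)

# Constructed sample: a "pure" document PDF with no attachments or actions.
PLAIN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Names that indicate an embedded file object (the "new" format Nick wants
# readers to distinguish) and names that indicate active content.
EMBEDDING_NAMES = {"EmbeddedFile", "EmbeddedFiles", "Filespec"}
ACTIVE_NAMES = {"Launch", "JavaScript", "JS", "OpenAction", "AA"}
# Compressed object streams hide names from a raw-byte scan.
OBJECT_STREAM = "ObjStm"

# PDF name syntax: '/' then characters up to whitespace or a delimiter.
_NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]*)")
_HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def _decode_name(raw: bytes) -> str:
    """Resolve #xx escapes so /Embedded#46ile compares equal to /EmbeddedFile."""
    return _HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def pdf_names(data: bytes) -> set:
    """Every distinct name object visible in the uncompressed bytes of the file."""
    return {_decode_name(m.group(1)) for m in _NAME_RE.finditer(data)}


def classify_pdf(data: bytes) -> str:
    """Triage verdict for a gateway: which kind of PDF is this attachment?"""
    # Readers tolerate junk before the header, so look in the first 1 KiB.
    if b"%PDF-" not in data[:1024]:
        return "not-pdf"
    names = pdf_names(data)
    if names & EMBEDDING_NAMES:
        return "pdf-with-embedded-objects"
    if names & ACTIVE_NAMES:
        return "pdf-with-active-content"
    if OBJECT_STREAM in names:
        # Names may be hidden inside a compressed object stream; a raw scan
        # cannot clear this file, so hand it to a full parser.
        return "pdf-needs-deep-inspection"
    return "plain-pdf"


if __name__ == "__main__":
    for label, doc in (("attachment", PDF_WITH_ATTACHMENT),
                       ("escaped", PDF_WITH_ESCAPED_NAMES),
                       ("plain", PLAIN_PDF)):
        print(f"{label}: {classify_pdf(doc)}")
```

The scan is deliberately a first-pass filter, not a parser: it cannot see names inside FlateDecode'd object streams, which is why a file that contains `/ObjStm` but nothing else visible is routed to deeper inspection rather than passed as "plain". The useful property for the policy Nick describes is that a gateway can now apply different rules to the two verdicts, for example quarantining `pdf-with-embedded-objects` while letting `plain-pdf` through, without relying on the end user to tell the two formats apart.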