Thursday, April 1, 2010

New Method Could Hide Malware In PDFs, No Further Exploits Needed
"A security researcher has managed to create a proof-of-concept PDF file that executes an embedded executable without exploiting any other security vulnerabilities. The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file. With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this."
In Foxit Reader there isn't even a warning. I tested it and it did run a command prompt in Foxit. The author notes he hasn't yet gotten arbitrary code to run in Foxit, but thinks that the only thing stopping him is minor differences in how Foxit works. He got it working shortly after. This is the test PDF if you wish to test your reader.
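As an added example (not from the post or the linked research), here is a small Python check a defender can run over a PDF before opening it in any reader. It assumes the mechanism behind the proof of concept is the PDF /Launch action (the post does not name it), and the sample PDF bytes and program name below are constructed, not the researcher's test file.

```python
import re

# PDF name keywords a plain document viewer should never need. /Launch is the
# action that starts an external program; the rest are its usual companions.
SUSPICIOUS_NAMES = ("Launch", "OpenAction", "AA", "JavaScript", "JS", "EmbeddedFile")

def decode_pdf_name(raw: bytes) -> str:
    """Undo the #xx hex escapes PDF allows inside names (e.g. /#4Caunch -> Launch)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def scan_pdf_bytes(data: bytes) -> dict:
    """Count each suspicious name found in the raw PDF bytes."""
    hits = {}
    for m in re.finditer(rb"/([A-Za-z0-9#]+)", data):
        name = decode_pdf_name(m.group(1))
        if name in SUSPICIOUS_NAMES:
            hits[name] = hits.get(name, 0) + 1
    return hits

def is_launch_pdf(data: bytes) -> bool:
    """True if the file carries a /Launch action, even when the name is hex-escaped."""
    return "Launch" in scan_pdf_bytes(data)

# Constructed sample: a minimal one-page PDF whose /OpenAction is a hex-escaped
# /Launch action pointing at a placeholder program name.
SAMPLE_LAUNCH_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /#4Caunch /F (PLACEHOLDER.exe) >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

# Constructed sample: the same skeleton with no actions at all.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

if __name__ == "__main__":
    for label, pdf in (("launch", SAMPLE_LAUNCH_PDF), ("clean", CLEAN_PDF)):
        print(label, scan_pdf_bytes(pdf))
```

The check only looks at raw bytes, so names hidden inside compressed object streams are missed; a full-strength scanner has to inflate those streams first.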

Foxit Reader isn't open source, which has bothered me for a while. Also, in the last few years it seems to have become more and more bloated. Closed source programs, particularly ones that perform a simple task, seem to inevitably bloat as the authors attempt to justify the "premium" or "pro" version. Also, I've noticed there are always a couple of Foxit processes running when I look at the task manager. They are probably left over from reading documents in Firefox and not closing properly. This exploit was the final straw that made me search for an open source PDF viewer.

There aren't many options for open source PDF viewing with precompiled Windows binaries. What I settled on was Evince. It's pretty spartan as far as features go, but it has all the stuff that matters when reading PDFs: search, two-page layout (not sure if it can change the starting page to properly align certain books), copy, and zoom. Plus it is much smaller and quicker to launch than Foxit Reader. It is immune to this attack as well.

Edit: After a bit more searching I found Sumatra PDF Viewer. It is open source and developed directly for Windows. I think I prefer it to Evince, mainly because it lets you click to grab the page and scroll like that. Otherwise it is similar feature-wise to Evince. It is also immune to this attack.
