PDF: Pretty Dangerous File
The PDF (Portable Document Format) has certainly achieved worldwide popularity since its creation back in 1993. Contrary to a standard text file, it handles and preserves fonts, tables and images, and it looks the same for everybody. Viewing the file also does not require buying any special program (unlike Microsoft Office). Compression is pretty good too, which makes it the number one format for exchanging documents on the Internet.
A PDF file in itself should be benign: it is a document, not an executable. That could explain why a lot of people may not realize the risk when opening a PDF attachment. However, the rich functionality that PDF files support allows a user to craft a document containing dangerous code.
The most common technique is embedding JavaScript code in the document so that it can perform a heap spray. For non-technical readers, think of it as a method of filling up the memory with shellcode: the program becomes unresponsive and finally allows the attacker to execute their payload.
A less often used technique is to exploit a flaw in the PDF language itself which is possible but requires a lot more work and knowledge from the attacker’s point of view.
A PDF file can actually do more than just display a document. In fact, opening a PDF can be similar to running your typical .EXE file.
Now the other thing that a lot of people don’t quite fully grasp is the fact that PDF files can open themselves without you actually clicking on them. For convenience’s sake, when you install the most popular PDF program (Adobe Acrobat Reader), it gets integrated into your browser. Have you ever browsed a site and opened a PDF directly in Internet Explorer? OK, you could argue that you still clicked on a link to launch the PDF. Now what if I told you that you could just be browsing your regular site and, out of the blue, the PDF document just popped up on your screen?
Malware authors write malicious code and inject it into benign websites. This code triggers your PDF software to open up a file without your consent. A specially crafted PDF file can now run with maximum privileges and compromise your PC.
We can summarize the process like this:
- Browser -> PDF Software -> Malware
I observe this method of infection, also known as a drive-by download, on a regular basis. I’d say that PDF exploits are now one of the most common attack vectors there are, with a high probability of getting through several layers of defense, including User Account Control, browser security and AV software.
When it comes to PDF security, it seems everybody is way behind. I regularly upload malicious PDFs to the online virus checker VirusTotal and very few AV products actually detect them. And what about Adobe in all of that? For a long time the company was more reactive than proactive, releasing security patches for its PDF software long after exploits were publicly known. With all the heat and attention (and perhaps also the fear that people might start switching to a different PDF viewer), Adobe is now dedicated to being security conscious and providing updates seamlessly.
All this sounds reassuring, but unfortunately it is not a panacea. 0-day exploits (a known flaw for which there is no patch yet) in Adobe Reader expose millions of people to malware. It seems like too high a price to pay for an otherwise very handy program.
Personally, I have removed the Adobe Reader software from my computer altogether. Now, I don’t advise that, because it is annoying not being able to open so many documents directly from your browser. However, I have a standalone program that I run when I want to open a PDF file. It’s a rather all-or-nothing approach, kind of like abstinence… you’re not going to get anyone pregnant.
However, if you still want to be able to view your files easily, there are many tips you can use to reduce the attack surface:
- use an alternative, lesser-known PDF viewer (not the best piece of advice… it sounds like the “don’t use Internet Explorer, use Firefox” motto that resulted in an increase in Firefox exploits)
- disable JavaScript within Adobe Reader. Since JavaScript is the easiest and most common way to create malicious documents, by disabling it you render the code useless. You may lose a few features, but not that many.
- if possible, use a guest account in Windows that you will use to browse the net, check your emails etc… A guest account has limited privileges, so in the event of an attack, the malware will not have sufficient credentials to get through to your system.
- if you are a little technical, read about Didier Stevens (The Man when it comes to PDF security) and how to make your software more secure.
- lastly, even if it’s not a guarantee, keep Adobe Reader updated. At least, you will be protected against all the known exploits (and there are many!).
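As an added illustration (not code from the original post, nor Didier Stevens’ own tools), here is a small triage check in the spirit of his pdfid: it counts the PDF keywords behind the two risks discussed above, embedded JavaScript (/JS, /JavaScript) and actions that fire automatically when the document is opened (/OpenAction, /AA), after undoing the #xx hex escapes that PDF names allow. The two sample documents are constructed inline; the keyword list and verdict levels are this example’s own choices.

```python
import re

# PDF name keywords worth a second look. /JS and /JavaScript carry script code;
# /OpenAction and /AA (additional actions) make an action run without a click;
# /Launch can start an external program.
SUSPICIOUS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch")

# Constructed samples: one with an auto-running script whose /JavaScript name is
# hex-escaped as /J#61vaScript, and one with no risky keywords at all.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /J#61vaScript /JS (app.alert('hello')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

def normalise_names(data: bytes) -> bytes:
    """Decode #xx hex escapes in PDF names, e.g. /J#61vaScript -> /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def count_keywords(data: bytes) -> dict:
    """Count each suspicious keyword in the raw file (after de-escaping names).
    Limitation, shared with any keyword scan: names inside compressed object
    streams are not visible without decompressing them first."""
    text = normalise_names(data)
    # A PDF name ends at whitespace or a delimiter, so /JS must not match /JSX.
    end = rb"(?![^\s()<>\[\]{}/%])"
    return {kw: len(re.findall(re.escape(kw.encode()) + end, text))
            for kw in SUSPICIOUS}

def triage(data: bytes) -> str:
    """Turn the counts into a coarse verdict for a human analyst."""
    c = count_keywords(data)
    script = c["/JavaScript"] + c["/JS"]
    auto = c["/OpenAction"] + c["/AA"]
    if script and auto:
        return "high: script that runs on open"
    if script or c["/Launch"]:
        return "medium: script or launch action present"
    if auto:
        return "low: auto action without visible script"
    return "clean: no risky keywords found"
```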
From a general security point of view, I think digital certificates should be added to PDF files. For example, whenever you download an invoice or health form provided by a legitimate government or organisation, the document could bear a green checkmark or something similar. All other PDFs created by unknown individuals would carry a “not verified” stamp that would prompt users before they actually open them. It wouldn’t be 100% foolproof, but it would make users more aware and prevent unverified PDFs from running directly.
Jerome Segura