Re: Adobe PDF files can be used as virus carriers

From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: Tue Aug 07 2001 - 12:45:52 PDT

    rmsat_private (Richard M. Smith) wrote:
    
    > This is an interesting development.  Zulu, a virus writer from South
    > America, appears to have discovered that Adobe PDF files can be used to
    > carry computer viruses.  ...
    
    This should not be that surprising -- the recent joint 
    (?) announcement by NAI/McAfee and Adobe that the former was 
    researching the ability to scan PDF files should have raised a few 
    people's suspicions...  It turns out that Adobe has decided that PDF 
    files should not just be "document files" (i.e. "data") but should be 
    able to support embedding of other types of file objects.  I 
    believe the mechanism Adobe chose to support this is OLE, thus 
    turning PDF files into something loosely akin to Windows Shell Scrap 
    (SHS) files.
    
    > ...  The attached description gives the details.
    > His little trick uses a PDF file to bypass the new security feature of
    > Outlook which automatically deletes dangerous file attachments.  With
    > this security feature, all VBScript attachments are deleted because they
    > might be computer viruses.  However with Zulu's trick, a malicious
    > VBScript file can instead be hidden inside a PDF file which Outlook
    > considers safe.
    
    And more than that.  Not only does the current rev of the Outlook
    Security Update consider PDF files "safe" but most users will too, as
    historically PDF files have been "pure document files".  It is
    interesting that Adobe has apparently not learnt anything from the
    history of such developments -- the least it could have done, were it
    a security sensitive developer with the faintest glimmer of
    understanding of the history of such things, would have been to make 
    the reader software require different formats for (potentially 
    dangerous) "documents" (those that contain embedded objects) and the 
    pure ("old") PDF format.  This way content management is made much 
    easier and intelligent users would simply block the "new" format so 
    as to not have to worry about the increased risk associated with it.  
    
    And, of course, therein lies the reason Adobe would not do this -- why
    add a threat-increasing option to your product if you then make it
    entirely optional whether the threat could be leveraged??  It is an
    interesting reflection on the thinking of Adobe that it approached
    antivirus developers to have them add handling of their new file
    formats rather than attempt to ameliorate the threat escalation they
    were deliberately, and clearly (from that very action) knowingly,
    introducing with this change...
    
    > I don't believe that the anti security research and reverse engineering
    > provisions of the DMCA apply here, but given Adobe's recent action
    > against Dmitry Sklyarov, I recommend a bit of caution by anyone looking
    > into this potential security problem in Adobe Acrobat Reader.  A
    > conversation with a lawyer might be prudent.
    
    I seem to recall seeing some documentation about the object embedding 
    mechanisms on Adobe's web site.  Is it reverse engineering to take 
    that publicly posted information and experiment with applying it??
    
    > Another interesting question is if Adobe formatted eBooks can also act
    > as computer virus carriers.
    
    It is not so important that eBooks can or cannot carry computer 
    viruses.  What matters is whether or not the "reader" software (or 
    whatever else "handles" such files) can be made to "extract" and 
    "run" such embedded objects and how readily it does this.
    
    For example, according to the virus writer's own notes, the "trick" 
    he uses depends on the carrier PDF being opened in the full PDF 
    authoring version of the Acrobat software and will not work under the 
    standard Acrobat reader.  Some early reports I've had from elsewhere 
    suggest this is correct, so this particular attack vector seems 
    unlikely to open a major threat.
    
    
    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
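The content-management point above (block or quarantine the "new" kind of PDF that carries embedded objects rather than trusting the extension) can be put into a gateway check. The following is an added example, not code from the post or from Adobe, and it makes two assumptions the post does not: that the thing worth flagging is the standard PDF file-attachment and action dictionary keys (/EmbeddedFile, /Filespec, /EmbeddedFiles, /Launch, /JavaScript, /OpenAction, all from the PDF Reference; the post itself only says Adobe added object embedding and guesses at OLE), and that the gateway already has an extension blocklist like the one Outlook applies to bare attachments. The sample PDFs are constructed inline and are not real specimens.

```python
import os
import re

# Markers worth flagging. These are standard PDF file-attachment and action
# dictionary keys; treating them as the signal is this example's assumption,
# since the post only says Adobe added object embedding and suspects OLE.
SUSPICIOUS_KEYS = {
    b"/EmbeddedFile": "embedded file stream",
    b"/EmbeddedFiles": "embedded-files name tree in the catalog",
    b"/Filespec": "file specification dictionary",
    b"/Launch": "launch action",
    b"/JavaScript": "JavaScript action",
    b"/OpenAction": "action run automatically on open",
}

# Assumed gateway policy: extensions the mail filter would already strip as
# bare attachments and so should not be allowed to ride inside a PDF either.
BLOCKED_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".exe", ".scr",
                      ".bat", ".cmd", ".pif", ".shs"}


def decode_pdf_name(token: bytes) -> bytes:
    """Undo the #xx hex escape that PDF allows inside a name token."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), token)


def normalize_names(data: bytes) -> bytes:
    """Rewrite every name token so escaped and plain spellings compare equal."""
    return re.sub(rb"/[^\s/<>\[\]()]+",
                  lambda m: decode_pdf_name(m.group(0)), data)


def scan_pdf(data: bytes) -> dict:
    """Report embedding/action markers and the declared attachment names."""
    if not data.lstrip().startswith(b"%PDF"):
        return {"verdict": "not-pdf", "markers": {},
                "embedded_names": [], "blocked_names": []}
    norm = normalize_names(data)
    markers = {}
    for key in SUSPICIOUS_KEYS:
        # Require a delimiter after the key so that /EmbeddedFile does not
        # also count every /EmbeddedFiles occurrence.
        pattern = re.escape(key) + rb"(?=[\s/<>\[\]()]|$)"
        hits = len(re.findall(pattern, norm))
        if hits:
            markers[key.decode()] = hits
    # Pull the declared file name out of every object that is a file spec.
    names = []
    for obj in re.finditer(rb"\d+\s+\d+\s+obj(.*?)endobj", norm, re.S):
        body = obj.group(1)
        if b"/Filespec" in body:
            for m in re.finditer(rb"/U?F\s*\(([^)]*)\)", body):
                names.append(m.group(1).decode("latin-1"))
    blocked = [n for n in names
               if os.path.splitext(n)[1].lower() in BLOCKED_EXTENSIONS]
    return {"verdict": "quarantine" if markers else "clean",
            "markers": markers, "embedded_names": names,
            "blocked_names": blocked}


# Constructed sample files (not real-world specimens): a plain one-page PDF
# and the same page plus a file specification pointing at an embedded stream.
PDF_PLAIN = b"""%PDF-1.3
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [ 3 0 R ] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [ 0 0 612 792 ] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

PDF_WITH_EMBEDDED = b"""%PDF-1.3
1 0 obj << /Type /Catalog /Pages 2 0 R
           /Names << /EmbeddedFiles << /Names [ (payload.vbs) 4 0 R ] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [ 3 0 R ] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [ 0 0 612 792 ] >> endobj
4 0 obj << /Type /Filespec /F (payload.vbs) /EF << /F 5 0 R >> >> endobj
5 0 obj << /Type /EmbeddedFile /Length 20 >>
stream
MsgBox "constructed"
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same content with one key written in the #xx escape form the spec allows,
# to check that the name normalization above holds.
PDF_ESCAPED = PDF_WITH_EMBEDDED.replace(b"/EmbeddedFile", b"/Embedded#46ile")

if __name__ == "__main__":
    for label, doc in (("plain", PDF_PLAIN), ("embedded", PDF_WITH_EMBEDDED),
                       ("escaped", PDF_ESCAPED)):
        print(label, scan_pdf(doc))
```

The verdict is deliberately coarse: any embedding or action marker is enough to quarantine, because the point of the post is that the "new" format as a whole is the risk, not one particular payload. The declared names are reported only to show what the mail filter would have stripped had the same file arrived as a bare attachment.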
    
    This archive was generated by hypermail 2b30 : Tue Aug 07 2001 - 13:46:49 PDT