Jeremy Conway, product manager at NitroSecurity (no relation to Nitro PDF Software) has taken the weakness in PDF readers that Didier Stevens of Belgium discovered last week, and extended it to created a PDF worm that can freely wriggle its way around from PDF to PDF.
Conway’s proof of concept does by by showing two files: 1) an “empty.pdf” file, and 2) an evil “ownit.pdf” which contains the malware. When he opens the “ownit.pdf” file, he then clicks “Open” on the displayed dialog, after which the original “empty.pdf” file now also contain the malware.
You can see the Conway’s video here
Note: two things; according to Stevens and Conway, this does weakness is based around the PDF specification itself not the Adobe Reader; the attack itself requires the user to click through a dialog — as such, a form of ‘social engineering’ would be required by the attacker, i.e. the message displayed to the user would have to make clicking ‘open’ a reasonable thing to do — certainly something like ‘would you like a worm?’ — wouldn’t be such a note…
An Adobe spokeswoman replied Monday night to both Stevens and Conway’s posts with: “Users can also turn off this functionality in the Adobe Reader and Adobe Acrobat Preferences by selecting > Edit > Preferences > Categories > Trust Manager > PDF File Attachments and clearing the box ‘Allow opening of non-PDF file attachments with external applications.’”
At the moment, the Foxit Reader does not display any such dialog to the user although the Foxit team say that they are working on this process.
Source of Information [http://news.cnet.com/8301-27080_3-20001792-245.html]
Post from: 4x PDF Blog
Watch out for the wriggling PDF worm!
No related posts.