PDF Document Exploit Prompts Fears of Worm-Like Malware Attack

Jeremy Conway, a security researcher with NitroSecurity, is claiming to have found a way to spread malicious code via PDF (Portable Document Format) documents.

The secret is in the way PDF file format works. More specifically, a certain flaw exists in the PDF file format that adds malicious data to legitimate files. This means that anyone who opens compromised PDF files instantly becomes a victim of a worm-like attack.

Attack Launched Without User Consent

Conway spent a great deal of time developing a technique with which to inject malicious commands into PDFs. Until now, his attacks only seemed to function when there was some other kind of malicious program already installed on the targeted system that added the code.

After seemingly endless attempts, however, Conway finally managed to alter a PDF document entirely inside the PDF file itself.

Apparently, hackers have always known that PDF readers could be manipulated. The new method of attack, nevertheless, shows how one reader (Foxit Reader) could launch the executable without even notifying the user. (Source: idg.no)

PDF Standard Must Be Changed

The good news is that Foxit Reader has since patched the bug. The bad news is that the underlying flaw in the PDF standard cannot be fixed without changing the PDF standard itself.

If a user is duped into allowing the executable to run, an attack similar to the controlled virus launched by Conway acts like a worm, copying a malicious payload to other PDF files on the computer. This malware is known as a PDF attack. Worse yet, many fear that this new form of malware could escalate into the next vector for a zero day attack. (Source: computerworld.com)

How to Disable the PDF Attack

There is a way that lets users turn off the Adobe Reader or Acrobat feature so that an attack cannot work.

First, we suggest you download the latest update from within Acrobat or by visiting Adobe's website.

Secondly: once the program is launched, click "Edit -> Preferences -> Categories -> Trust Manager -> PDF File Attachments" and then un-check the box that reads "Allow opening of non-PDF file attachments with external applications."

One of the changes made to the 3.2.1 version of Foxit Reader now includes a pop-up a dialogue box that asks users if they really want to execute the code. Adobe Reader does the same thing.

Foxit can be upgraded by launching the application, then click Help -> Check for Updates.