Monday, April 12, 2010

More on PDF vulnerabilities

I wanted to draw attention to this article.

It's worth noting that even with the precautions of disabling JavaScript and disabling the execution of non-PDF file attachments, there is a (theoretical) risk that a malicious PDF could alter other PDFs using the incremental update feature. This is a growing area of interest for many security researchers, and what's more, it is only on the increase.

I agree with the original article's lamentation - why can't Adobe just stick to producing simple bloody documents?!? They used to do this so well. I swear to god - their offices must be lined with developers and architects just smoking crack and talking about what awesome features they'd like to embed in their products without any regard for other design or functional considerations! (ok, sorry for the vitriol - I'll get off my soapbox now).

I know there's a lot of love for Adobe and their work, and I've seen a lot of praise from the security industry pundits for their swift response to these issues. My question is - why are we having to deal with this in the first place? But seriously, why not just keep PDFs as a simple document in an open format, and have all this other featureware bloat bundled into the commercial version of the application? Why is JavaScript even required?

I know that the incremental update feature is inherent to the PDF standard - so I can cut some slack that this is a genuine mistake. But when I look at the JavaScript feature (still on by default as of version 9 if I recall) I just think "they still don't get it". Maybe I'm just channelling Schneier a bit too much ("You're doing it wrong!"). While Adobe have done what they can at this point, we're talking about fundamental issues not just with their software but with the standard. Regrettably, this is a problem that is not going to go away any time soon.

Checking out the talks from CanSecWest this year, I dearly wish I had the time to start doing some serious fuzzing with Adobe Acrobat Reader and playing around with the PDF format. I think this is an exciting space to be getting your hands dirty in.

- J.
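A triage sketch for the incremental update and JavaScript concerns raised in the post, added here as an example and not taken from the post or the linked article: it splits a PDF at each `%%EOF` marker, since every incremental update appends its own trailer and `%%EOF`, and reports which active-content keys each revision introduces. The function names, the key list and the sample bytes are constructed for illustration.

```python
import re

# Name keys tied to the features the post mentions: JavaScript and launching attachments.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")

def _decode_names(data: bytes) -> bytes:
    """Undo #xx hex escapes, which PDF allows inside names (e.g. /J#61vaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def triage(data: bytes) -> list:
    """Return one list per revision with the active-content keys found in it.

    Revision 0 is the original file; each later entry is an incremental update.
    Heuristic only: linearized files carry two %%EOF markers without any update,
    and keys stored inside compressed object streams are not visible here.
    """
    report, start = [], 0
    for marker in re.finditer(rb"%%EOF", data):
        segment = _decode_names(data[start:marker.end()])
        found = sorted(
            key.decode()
            for key in ACTIVE_KEYS
            # The lookahead stops /JS from matching a longer name such as /JSomething.
            if re.search(re.escape(key) + rb"(?![A-Za-z0-9])", segment)
        )
        report.append(found)
        start = marker.end()
    return report

# Constructed sample: a bare document, then an appended update that adds
# an OpenAction pointing at a JavaScript action whose name is hex-escaped.
ORIGINAL = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            b"xref\n0 2\ntrailer\n<< /Root 1 0 R >>\nstartxref\n58\n%%EOF\n")
UPDATE = (b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
          b"3 0 obj\n<< /S /J#61vaScript /JS (placeholder) >>\nendobj\n"
          b"xref\n0 1\ntrailer\n<< /Root 1 0 R /Prev 58 >>\nstartxref\n200\n%%EOF\n")

if __name__ == "__main__":
    for number, keys in enumerate(triage(ORIGINAL + UPDATE)):
        label = "original" if number == 0 else f"incremental update {number}"
        print(f"{label}: {', '.join(keys) or 'no active-content keys'}")
```

More than one entry in the result means the file has been appended to after it was first written, which is the point to compare against a known-good copy.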

@cloudjunky said...

Yeah, it's a scary direction they are taking. Go back to 2000 and you were advising people to PDF all documents in email. PDF was seen as the 'safe' alternative to Office docs.

Maybe they could do something similar to Preview in Mac OSX. Open, Page, Zoom, Close. ;)