On the subject of PDF vulnerabilities
Dave G. | September 23rd, 2007 | Filed Under: Industry Punditry
I suspect this will become a lot more common as the most critical software applications get a better grip on their own vulnerabilities. Attackers will spread out to the most commonly installed software on computers, and PDF is a likely target.
Why? Because:
- It is complicated. And by that I mean over 1000 pages of specification.
- It involves a crap-ton of parsing. Don’t believe me? Take the above specification and load it into a text editor. You can just smell the memory corruption. Did I mention it is 31 Megs?
- Modern PDF readers do crazy things, like embedding remote web pages. That means they talk to the internet, and that means more network attack surface!
- Deployed everywhere. Most desktops have at least one PDF reader on them, and the Mac uses PDF all over the place.
These conditions create the perfect storm for the modern attacker. This is going to get worse not better.


Ryan Russell
September 23rd, 2007 2:13 am
Well, sure. That’s why all the Quicktime vulns, too. Browsers themselves, then the plugins, then the file formats you launch via browsers. So: Java, Flash, Shockwave, Quicktime, PDF, zip.
I did a Secunia scan survey for Windows Secrets. Top ten vulnerable apps were all browsers, plugins and media players. And Acrobat.
And of course, tons of people had known vulnerable versions installed.
Adam
September 23rd, 2007 3:00 pm
I’d also think about scriptability and use of DRM functions, which are often way buggy because getting the crypto right is hard enough that it overloads people.
drrr
September 24th, 2007 12:17 pm
Why not at least link to the source, instead of press about it?
http://www.gnucitizen.org/blog/0day-pdf-pwns-windows.
Some interesting reading in the comments with other potential vectors.
bmm6o
September 24th, 2007 2:34 pm
What’s interesting about the PDF spec is that even though it is tremendously huge and bloated, the grammar itself is fairly simple. That is, it’s really easy to miss something and get the semantics of a document wrong, but parsing should be straightforward. I would assume that it’s not a bug in parsing the document per se, but rather a flaw in one of the scads of filters (gzip, flate, CCITT, JPEG) required to decode content (and which are frequently specified separately). Which is not to excuse or minimize the error, but rather to attempt to locate it more precisely.
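An added example, written for this page and not taken from the post or from any commenter, that illustrates two points made above: the post’s claim that a PDF reader is mostly parsing and optional features, and bmm6o’s observation that the object syntax itself is simple while the real decoding work sits in the filter layer. The script builds a small constructed PDF (a Flate-compressed page stream, an OpenAction that runs JavaScript, and a URI link), walks its objects with a few regular expressions, lists each object’s declared filter chain, inflates FlateDecode data under a size cap (decompression bombs are the classic filter-layer failure), and flags the dictionary names that make the reader do more than draw glyphs. The function names, the sample document and the list of "risky" names are this example’s own triage heuristics, not anything defined by the specification or by Adobe.

```python
import re
import zlib

# Constructed sample: a one-page PDF with a Flate-compressed content stream, a document
# OpenAction that runs JavaScript, and a link annotation with a URI action. The object
# numbers and text are made up for this example.
def build_sample_pdf() -> bytes:
    content = zlib.compress(b"BT /F1 12 Tf 72 720 Td (hello) Tj ET")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [6 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content)
        + content + b"\nendstream",
        b"<< /S /JavaScript /JS (app.alert\\(1\\)) >>",
        b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.invalid/) >> >>",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

# Dictionary keys whose presence means the reader will do more than draw glyphs:
# run script, open URLs or other files, or hand data to another subsystem.
# This is a triage heuristic chosen for the example, not a list from the spec.
RISKY_NAMES = {"JavaScript", "JS", "OpenAction", "AA", "Launch", "URI", "GoToR",
               "SubmitForm", "ImportData", "EmbeddedFile", "RichMedia", "XFA"}
MAX_DECODED = 1 << 20  # cap on filter output; a tiny stream can inflate to gigabytes

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.S)
NAME_RE = re.compile(rb"/([A-Za-z0-9#._-]+)")
STRING_RE = re.compile(rb"\((?:[^()\\]|\\.)*\)")  # literal strings, escaped parens only

def split_object(body: bytes):
    """Return (dictionary part, raw stream bytes or None) for one object body."""
    m = re.search(rb"\bstream\r?\n", body)
    if not m:
        return body, None
    dict_part, data = body[:m.start()], body[m.end():]
    # Trust a direct integer /Length; fall back to the endstream keyword otherwise.
    length = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", dict_part)
    if length:
        data = data[:int(length.group(1))]
    else:
        data = re.split(rb"\r?\nendstream", data, 1)[0]
    return dict_part, data

def filters_of(dict_part: bytes) -> list:
    """Filter chain declared by /Filter, as a list of names (may be empty)."""
    m = re.search(rb"/Filter\s*(\[[^\]]*\]|/[A-Za-z0-9]+)", dict_part)
    return [n.decode() for n in re.findall(rb"/([A-Za-z0-9]+)", m.group(1))] if m else []

def decode_flate(data: bytes):
    """Inflate with an output cap; None means the stream was truncated or oversized."""
    d = zlib.decompressobj()
    out = d.decompress(data, MAX_DECODED + 1)
    if len(out) > MAX_DECODED or not d.eof:
        return None
    return out

def triage_pdf(pdf: bytes) -> dict:
    """Walk every indirect object; report its filters, risky names and decoded size."""
    objects = []
    for m in OBJ_RE.finditer(pdf):
        dict_part, raw = split_object(m.group(3))
        # Blank out literal strings so a URL or script body is not read as names.
        dict_part = STRING_RE.sub(b"()", dict_part)
        names = {n.decode("latin-1") for n in NAME_RE.findall(dict_part)}
        filters = filters_of(dict_part)
        decoded_len = None
        if raw is not None:
            if filters == ["FlateDecode"]:
                out = decode_flate(raw)
                decoded_len = -1 if out is None else len(out)  # -1: refused by the cap
            elif not filters:
                decoded_len = len(raw)
        objects.append({"num": int(m.group(1)), "filters": filters,
                        "risky": sorted(names & RISKY_NAMES), "decoded_len": decoded_len})
    flags = sorted(set().union(*(o["risky"] for o in objects)))
    return {"objects": objects, "flags": flags}

if __name__ == "__main__":
    report = triage_pdf(build_sample_pdf())
    for o in report["objects"]:
        print(o)
    print("flags:", report["flags"])
```

The object walk is a few dozen lines because the syntax really is simple; everything that could go wrong with real files lives in `decode_flate` and its siblings (this example only handles FlateDecode and leaves CCITT, DCT and the rest undecoded), which is exactly why a reader’s filter implementations deserve the fuzzing budget. Note that a real parser follows the cross-reference table and object streams rather than scanning for `obj`/`endobj`, so this scanner is a triage aid, not a conformance tool.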
Marcin
September 24th, 2007 5:45 pm
And people used to brag that Emacs was big and bloated enough to be an operating system…
The future is brighter - Adobe AIR (used to be known as Apollo) integrates PDF, Flash, HTML, AJAX etc. It seems to be positioned to replace web browsers. Given the amount of problems in web browsers, I can only imagine what fun “issues” will be uncovered in such a mashup (with new codebase!).
djteller
September 30th, 2007 6:08 am
PDF integrates and imports so many different features.
It’s prone to many vulnerabilities; seems like this one will trigger a lot of bug hunters.
Adobe, watch out.
Chris Thomas
October 3rd, 2007 4:30 am
Use obsolete versions of Acrobat Reader? Presumably the exploits are likely to relate to new all-singing all-dancing features of Acrobat 8.