return of the son of the attack of the killer PDFs

In the good old days (last week), you could feel somewhat safe opening PDF files as long as you had downloaded the latest Adobe Reader security fixes. Now it turns out that the hackers could have saved themselves a bunch of time and effort – it seems that a design flaw in the PDF file format can be used to embed and execute code in documents even if the reader is a good Internet citizen and has patched their system.

The user does have to cooperate a little bit… When the code is about to execute, a dialog box will appear and the user will have to click OK. Not to worry, nefarious malware authors: in addition to users’ propensity to click OK when asked, you can customize the dialog box text to make it seem innocuous – “Click here to accept the license agreement” or “Click here to decrypt this document” are two ideas that come to mind.

If you are a super security savvy user who decided to abandon Adobe Reader in favor of the alternative Foxit Reader, you are in worse shape, smart guy. Versions of Foxit Reader prior to do not provide the dialog box warning – they just execute the embedded code. Foxit has issued an update and I suggest that you install it toot sweet…

I have not yet seen any information as to whether the Preview PDF reader which ships with the Mac will also execute code embedded in PDF files… I will update this post when I have further information… UPDATE (2010-04-07): sources tell me that the attack does not work on files opened on Macs using Preview or Adobe Reader, but I have not verified this myself.

So… if you receive a PDF file which asks for a click on a dialog box when you open it, don’t click.  Legitimate PDFs seldom require the user to take any further action to open them.
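As an added example (not code from the original post), here is a small Python scanner a defender can run over incoming PDFs to flag the kind of embedded-execution action described above. It assumes the mechanism is the PDF /Launch action dictionary, and that an /OpenAction or /AA entry lets it fire as soon as the document is opened; the PDF fragments are constructed test data, not real documents.

```python
import re

# Constructed sample fragments (not real documents) for the scanner below.
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
             b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n%%EOF\n")
LAUNCH_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
              b"3 0 obj\n<< /Type /Action /S /Launch /Win << /F (placeholder.exe) >> >>\nendobj\n%%EOF\n")
# Same action with the keyword hex-escaped (/L#61unch), a common trick against naive string matching.
OBFUSCATED_PDF = LAUNCH_PDF.replace(b"/Launch", b"/L#61unch")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")   # PDF names may encode any char as #xx
_LAUNCH = re.compile(rb"/S\s*/Launch\b")         # action subtype that runs an external program
_TARGET = re.compile(rb"/F\s*\(([^)]*)\)")        # file/program the action points at
_AUTO_TRIGGERS = (b"/OpenAction", b"/AA")        # entries that fire actions without a click

def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so obfuscated name tokens match; fine for a read-only heuristic scan."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> dict:
    """Summarise Launch actions in a PDF and whether the file can trigger them on open."""
    data = normalize_names(data)
    targets = []
    for m in _LAUNCH.finditer(data):
        # Crude scoping: look for the launch target in the remainder of the same object.
        obj_end = data.find(b"endobj", m.end())
        chunk = data[m.start(): obj_end if obj_end != -1 else m.start() + 512]
        t = _TARGET.search(chunk)
        targets.append(t.group(1).decode("latin-1") if t else "<unknown>")
    auto = any(k in data for k in _AUTO_TRIGGERS)
    return {"launch_actions": len(targets), "targets": targets, "auto_trigger": auto,
            "verdict": "suspicious" if targets else "clean"}

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PDF), ("launch", LAUNCH_PDF), ("obfuscated", OBFUSCATED_PDF)):
        print(name, scan_pdf(blob))
```

The regexes deliberately ignore object streams and compressed content, so a clean verdict from this script is a first filter, not proof that a file is safe.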

The whole Foxit issue got me thinking about the use of unsupported software in corporate environments. I would guess that most organizations assume that Adobe Reader is installed and used on their computers. I would also guess that most corporate IT and info sec types are not aware of the existence or use in their organizations of alternative PDF readers like Foxit. For this reason, networks and information are put at additional risk, since any warnings and patches pushed out to the user community would not protect Foxit users. There are a few possible reactions to this problem:

  • Don’t allow users to install non-approved software and enforce the policy with technical means.

  • Install software on your network which inventories new apps installed by users and provides you with an alert. In this case, you’ll have to follow up on these alerts and keep track of who has what oddball programs installed, as well as keep an eye open for applicable security updates. More work for info sec, but, hey, that’s why we get the big bucks.

  • Cross your fingers, rub your lucky rabbit foot and hang a horseshoe above your servers. Otherwise known as sticking your fingers in your ears and singing “la la la.”

If you can get away with number 1, more power to you (wearing my Dick Cheney hat here) from a security overlord point of view, but when wearing your business hat, it may turn out that the ability to install new apps helps more than it harms.  That is why I am a fan of door number 2… work with your users rather than driving their bad security practices underground.  Remember… Great CSOs enable AND protect the business.