An analysis of a PDF exploit


Most people think of PDF documents as static pieces of information. How could a PDF file compromise your computer? The reality is that PDF documents can contain all sorts of stuff, and clever miscreants have figured out how to exploit that stuff to wreak havoc on your computer. PDF exploits are on the rise, and they’re especially nasty not just because most people don’t realize this is a viable attack vector, but because the symptoms simply look like a PDF file won’t open: click, Adobe Acrobat fires up, then randomly closes some seconds later. “Huh, bad file” is what most people will think, and move on with their lives, completely unaware that the computer is infected.

Here’s a really good analysis of a malicious PDF. The PDF document structure has obfuscated Javascript code embedded in it. After a delay of 10 seconds, the Javascript makes a request to an Internet site to download an executable file, and *boom* your computer is compromised. Your anti-virus software may catch the rogue file, but it might not. The Internet: this is a dangerous place.
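The two tricks in that analysis (JavaScript wired to the document’s open action, hidden behind name escaping and compressed streams) are exactly what a quick triage script can look for. The following Python is an added example, not code from the linked analysis or this post; the sample PDF bytes are constructed here and are harmless, and the name list and verdict rule are my own heuristics.

```python
import re
import zlib

# PDF name objects whose presence warrants a closer look. /JavaScript (short form
# /JS) next to /OpenAction is the "run a script when the file opens" combination the
# post describes; /AA (additional actions) and /Launch are other auto-run hooks.
RISKY_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch"]

def normalize_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes in names, so /J#61vaScript reads as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> bytes:
    """Append the content of every stream that inflates as zlib (/FlateDecode)."""
    inflated = []
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.S):
        try:  # decompressobj tolerates the EOL bytes that precede 'endstream'
            inflated.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # image data, another filter, or a corrupt stream: skip it
    return data + b"\n" + b"\n".join(inflated)

def scan_pdf_bytes(data: bytes) -> dict:
    """Count risky names after de-obfuscation and return a simple verdict."""
    text = normalize_names(inflate_streams(data))
    counts = {}
    for name in RISKY_NAMES:
        # The lookahead keeps /JS from matching the start of a longer name.
        counts[name.decode()] = len(re.findall(re.escape(name) + rb"(?![A-Za-z])", text))
    has_code = counts["/JavaScript"] or counts["/JS"] or counts["/Launch"]
    return {"counts": counts, "verdict": "suspicious" if has_code else "clean"}

# Constructed sample (not a real malicious file): the catalog's /OpenAction points at
# an action whose type name is hex-escaped and whose dictionary sits in a Flate stream.
_HIDDEN = zlib.compress(b"<< /S /J#61vaScript /JS (app.alert(1)) >>")
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Filter /FlateDecode /Length " + str(len(_HIDDEN)).encode()
    + b" >>\nstream\n" + _HIDDEN + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for label, pdf in (("constructed sample", SUSPICIOUS_PDF), ("clean", CLEAN_PDF)):
        print(label, scan_pdf_bytes(pdf))
```

A hit only means the file carries active content and deserves a look in an isolated viewer or sandbox; plenty of legitimate forms use JavaScript too.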

I’ve seen exactly one malicious PDF file in the wild. It hit one of the students I support, and we got really lucky in catching the infection before it could spread to other hosts on our network: the malware payload was not recognized by our antivirus software, so we might never have known except that the student reported problems opening this PDF. It was a fascinating thing to diagnose, because it’s so far outside the realm of what we normally see.

It’s a tired old refrain: update all of the software on your Windows computer. Everyone is tired of hearing it, because frankly it’s too much work. Too many applications update in different ways, and on different schedules: Windows Update, Mozilla’s built-in updater, Adobe’s Update Manager, Java, and so on. The reality is, though, that it is quite important to do, despite the effort. Microsoft could likely make a lot of users very happy if they were to implement a solid unified update solution, like that used in OSX and most Linux distributions.

One option, at least with respect to PDF files, may be to use something other than Adobe Acrobat. I don’t know if things like Foxit or CutePDF are similarly vulnerable. Can anyone weigh in in the comments about that?