September 1, 2016 , 9:15 am
August 9, 2016 , 12:50 pm
July 21, 2016 , 4:35 pm
The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file.
Here’s the skinny from researcher Didier Stevens.
I use a launch action triggered by the opening of my PoC PDF. With Adobe Reader, the user gets a warning asking for approval to launch the action, but I can (partially) control the message displayed by the dialog. Foxit Reader displays no warning at all, the action gets executed without user interaction.
Although PDF viewers like Adobe Reader and Foxit Reader doesn’t allow embedded executables (like binaries and scripts) to be extracted and executed, Stevens discovered another way to launch a command (/Launch /Action), and ultimately run an executable he embedded using a special technique.
Stevens said Adobe’s PDF Reader will block the file from automatically opening but he warned that an attacker could use social engineering tricks to get users to allow the file to be opened.
With Foxit Reader, there is no warning whatsoever.
Stevens has not released the proof-of-concept file. The issue has been reported to Adobe’s security response team.
Stevens tested his research on Adobe Reader 9.3.1 (Windows XP SP3 and Windows 7).