• PDF documents as vectors of malware.


    #211582

    Recently there has been information posted in Woody’s on faxes being hacked to the detriment of those receiving them on their computers. PDF files are much more commonly used nowadays for the transmission and processing of documents, including digitally signed contracts, and are widely used to deal with tax return forms.

    PDF files have embedded executable code, so they could be also, conceivably, potential vectors of malicious software. Assuming such is the case, and since I do not have access first-hand to sources of information on issues of IT security, I am curious to know if anyone here has knowledge of any problems involving PDF files, PDF readers, and related issues.

    Thank you.

    Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

    MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
    Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
    macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

    2 users thanked author for this post.
    • #211583


    • #211590

      The issue of .pdf malware vulnerabilities has been raised many times in the Code Red – Security Advisories forum, including specific topics such as:

      Locky is Back – Using Infected .pdf Email Attachments
      PDF Files Can Be Abused to Steal Windows Credentials
      Anatomy of an eMail Scam Attempt

      4 users thanked author for this post.
    • #211611

      Oscar,

      All documents can contain malware in the form of code that exploits a buffer overflow, even if the document format doesn’t support executable code. If I try to simplify, a buffer overflow is an exploitation of a vulnerability in a specific piece of software by putting code somewhere in the data of the file being read, instead of respecting the format required, and then ending up with that code being loaded and executed by the software as if it were its own code.

      Suppose I ask for your name and, instead of 60 characters max., you send much more, and it overflows into other parts of memory where it is not supposed to go because my program didn’t check that you can’t send more. Now, if in that long data I input I put code, and it goes somewhere in memory where it will be executed at some point, it replaces other executable code. You get the idea? That is why, if there was a vulnerability in Windows Photo Viewer, you could infect someone with a picture containing hidden code at some specific place in the picture file, and it could work even if a picture is not an executable file by itself. The code would get read by Photo Viewer, then executed like its own code at some point.

      To protect yourself, remember that a specific vulnerability in a program has to be exploited for this to work. So, patch your software to get rid of known and fixed vulnerabilities. Then, in the case of pdf, maybe use a lesser known software to read pdf, like Sumatra reader, that is less likely to be targeted than the bloated and common Reader that regularly has high profile vulnerabilities exposed. Or do like me and open your pdf with a very limited interpreter of pdf that I think converts it to another format first: Firefox. And only if you can’t see the pdf clearly in the feature-limited reader of Firefox, and you really trust the pdf, then you use a more complete solution that supports more advanced features in the pdf. You can also tune your software to be more secure by disabling javascript in Reader and enabling other security settings for when you really need Reader.

      I hope it clears things up a bit for you.

      1 user thanked author for this post.
      • #211688

        Thanks, AlexEiffel. I do, in fact, use Sumatra since Reader went “to the Cloud”. I still use the old version of Acrobat to fill in the writable PDF forms of my Federal, State and Local Tax Returns. Other than that, I create PDF files by converting Office files with the “Print” command and choosing “Adobe PDF” as the printer. I do have CutePDF, but have not used it much, so far.

        One question: I believe that javascript is widely invoked by many software applications to do their jobs, so wouldn’t disabling it create problems?


        • #211692

          You can disable javascript in Acrobat Reader preferences and it won’t be disabled in your browser, where it is used extensively, or in any other software. Some documents might not work well, but most read-only documents should. I don’t remember having issues with disabling javascript in Reader. If you only use Reader to fill important forms from trusted sources, and it is not the default reader of pdf in your browser and OS, you might want to leave javascript enabled in Reader if you don’t want to activate it manually when needed. Or you could disable it and only enable it when something doesn’t work when you use Reader. I turn it off, but the most important thing is not to have Reader as your default pdf reader in the browser and in the OS.

          2 users thanked author for this post.
        • #211786

          FYI, the release version of Sumatra PDF hasn’t been patched since a vulnerability in the OpenJPEG codec (included/embedded in Sumatra) was patched 09/28/2016.

          Pre-release versions exist which contain the patched codecs or you can build your own.

          Don’t trust it just because it’s written by someone other than Adobe.

          2 users thanked author for this post.
          • #211968

            Sure, you are absolutely right, and thanks for the information. I rely on Firefox first as I trust that Firefox patches for security and its pdf viewer might offer a more limited attack surface. I keep Sumatra for documents from trusted sources that don’t open right in Firefox.

            It’s bad that Sumatra hasn’t been updated. I tried Foxit in the past, but it kept asking for admin rights to start, maybe for having the ability to install updates. This didn’t inspire trust in me that security was taken seriously there.

    • #211751

      Suppose I ask for your name and instead of 60 characters max. you send much more and it overflows in other parts of memory where it is not supposed to go because my program didn’t check that you can’t send more. Now if in that long data I input I put code and it goes somewhere in memory where it will be executed at some point, replacing other executable code.

      That is a good example of how an exploit can be done. But who is actually responsible for this vulnerability?

      The programmer who wrote the program should have included some code that read only the first 60 characters of input, and ignored anything beyond that, or that didn’t allow input of anything longer than 60 characters. Instead, the programmer simply assumed that the person wouldn’t input anything which was longer than 60 characters. The programmer is the one responsible here.

      If programmers would write better, more robust code, we would see a lot fewer of these exploits.

      Group "L" (Linux Mint)
      with Windows 10 running in a remote session on my file server
      2 users thanked author for this post.
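      The "60-character name" scenario from AlexEiffel’s explanation, and the bounds check that the reply above says the programmer should have written, as an added example that is not code from the forum thread. It shows the unsafe pattern (copy with no length check) next to two safe alternatives: reject oversized input, or keep only the first 60 characters. The 60-character limit comes from the thread; the function names and the sample inputs are constructed for this example.

```c
/* Added example: the "60-character name" buffer from the thread.
   Not code from the forum post; NAME_MAX comes from the thread's example,
   the function names and inputs are constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 60

/* Unsafe pattern: assumes the caller never sends more than NAME_MAX
   characters. An input longer than that writes past 'name' into the
   adjacent stack memory, which is the overflow the thread describes.
   Defined only to show the pattern; it is never called with oversized
   input here. */
void store_name_unsafe(const char *input)
{
    char name[NAME_MAX + 1];
    strcpy(name, input);            /* no length check at all */
    printf("Hello, %s\n", name);
}

/* Safe pattern 1: refuse anything that does not fit.
   Returns 1 if the name was accepted and copied, 0 if it was rejected. */
int store_name_checked(const char *input, char *out, size_t out_size)
{
    size_t len = strlen(input);
    if (len >= out_size) {          /* leave room for the NUL terminator */
        return 0;
    }
    memcpy(out, input, len + 1);
    return 1;
}

/* Safe pattern 2: keep only the first out_size - 1 characters and
   ignore the rest. Returns the number of characters kept. */
size_t store_name_truncated(const char *input, char *out, size_t out_size)
{
    if (out_size == 0) {
        return 0;
    }
    size_t n = strlen(input);
    if (n > out_size - 1) {
        n = out_size - 1;
    }
    memcpy(out, input, n);
    out[n] = '\0';
    return n;
}

/* Convenience wrappers with a fixed NAME_MAX-sized field, so the two
   safe behaviours can be exercised on plain strings. */
int accept_name(const char *input)
{
    char name[NAME_MAX + 1];
    return store_name_checked(input, name, sizeof name);
}

size_t kept_name_length(const char *input)
{
    char name[NAME_MAX + 1];
    return store_name_truncated(input, name, sizeof name);
}

int main(void)
{
    /* Constructed inputs: one short name, one of 200 'A' characters. */
    const char *ok = "Oscar";
    char too_long[201];
    memset(too_long, 'A', 200);
    too_long[200] = '\0';

    store_name_unsafe(ok);          /* fine only because the input is short */
    printf("checked(ok)        -> %d\n", accept_name(ok));
    printf("checked(too_long)  -> %d\n", accept_name(too_long));
    printf("truncated(too_long) kept %zu chars\n", kept_name_length(too_long));
    return 0;
}
```

Both safe variants are correct; which one to use depends on whether silently shortening a name is acceptable for the application. Rejecting is the stricter choice and is easier to reason about when the field feeds anything security-relevant.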
      • #211831

        Writing unsafe software can have negative effects running from mild annoyance to catastrophic outcomes. Activities like this are usually subject to detailed and strict regulations meant to ensure a correspondingly wide range of good outcomes, from fitness for purpose to keeping the public safe from dire harm.

        But it is not clear to me how such regulations could actually be crafted in this case for them to be anything more than shows of good intentions from those in government. Writing software is a decentralized operation carried out by vast numbers of people of varying sense of responsibility and level of competence, who both code and share bits and pieces of their work and also cannibalize and cut and paste from other software, theirs and others’, into their own.

        So my guess would be that hackers, black hats, and assorted crooks will have their playing field open to them for as long as there are computers used by fallible mortals, even until the final sunset on the final shore. And white hats, security analysts, Web sites such as Woody’s, born’s, gehacks’, etc. will continue to probe, discover, warn, advise, reveal and raise the alarm for just as long.

        Not all that surprising, as it is a well known and amply verified fact that we all need to have a measure of good luck to still be alive by the end of business day. So we’ll just have to continue taking our chances, as people have had to do from the beginning of time. Only more so now. O tempora o mores.


      • #211969

        It can be a tricky balance to find between writing readable code, safe code and fast code.

        It is a completely different philosophy than what Windows promotes. No bloat, no fast development, no mingling of all the different parts of code… more like FreeBSD, which doesn’t attract many users unless you count macOS users as some kind of FreeBSD users.

        At some point, just like the phones did to Windows, safer OSes out of the box could have an impact on Windows if the situation degrades too much.

        1 user thanked author for this post.
    • #211832

      You never heard of practicing safe computing?

      The biggest malware prevention tool is you…

      On permanent hiatus {with backup and coffee}
      offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
      offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
      online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
      • #211837

        Safe computing is something that sometimes is possible only after the fact. For example: first there has to be an infestation with the XXX bug being released into the wild, the infestation has to be discovered, understood, and so forth, then someone has to figure out what to do about it… It takes time, and, in the meantime, one is just as exposed as if the bug had not been discovered yet. So that is the point of my conclusion: as with everything else, we all have to take our chances with software, or else curl up and die. Being careful, of course, improves those chances, but never raises them to 100%. And even the wisest sometimes make dumb mistakes. There are no easy answers or ironclad guarantees. That’s all.


        1 user thanked author for this post.
      • #211849

        The biggest malware prevention tool is you…

        … and the biggest cybersecurity risk/vector too!

        2 users thanked author for this post.