First published: 07th April 2010
Two security researchers, Jeremy Conway at NitroSecurity and Didier Stevens, have demonstrated problems in the PDF specifications. Mr. Stevens has shown that it is possible to embed malicious executables in PDFs and manipulate the warning pop-up dialog boxes, so a victim can be tricked into running the malicious program. Mr. Conway has shown that Mr. Stevens's technique can be used to create a PDF that will modify another PDF, potentially with a copy of itself, making it a computer virus.
The problem affects any viewer following the PDF specification. It has been confirmed in both the Adobe and Foxit readers, and those developers are working on mitigation. To be fair, the Adobe reader does present a warning that a file is about to be launched, but the text describing the file can be modified by the malicious PDF, allowing the user to be tricked into permitting the action. Foxit simply launches the file without warning.
The PDF format was first created in 1993 as a portable document format, and has long been regarded as a "better" method of distributing documents because it is not platform-dependent. Other perceived advantages included ease of use, prevention of modification and inability to carry macro viruses. Some of these advantages are illusory: most users cannot modify PDF files because they use the free Adobe Reader application, which can display and print the files but not edit them. The importance of the immunity to macro viruses faded when Microsoft introduced reasonable controls on their Office programming language. Conversely, the PDF file format was updated, eventually becoming the ISO 32000-1:2008 PDF open standard on July 1, 2008. The changes introduced included embedding arbitrary media types (e.g. songs and video), and execution of JavaScript and external files, enabling the types of attacks described by Conway and Stevens.
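
For anyone who needs to triage incoming PDFs for the features described above, the following is an added example, not code from either researcher or from the original article. It counts the name keys that the PDF specification uses for launching files, running JavaScript and embedding files; the key names come from ISO 32000-1 rather than from this article, the sample bytes are constructed, and names hidden inside compressed object streams are not inspected.

```python
import re
from collections import Counter

# PDF name objects tied to the features the article mentions. These key names
# come from the PDF specification (ISO 32000-1), not from the article itself.
RISKY_NAMES = {
    "Launch": "action that starts an external file or application",
    "JavaScript": "JavaScript action",
    "JS": "JavaScript source attached to an action",
    "EmbeddedFile": "file embedded inside the document",
    "OpenAction": "action run when the document is opened",
    "AA": "additional actions fired by viewer events",
}

# A name is "/" followed by regular characters; whitespace and delimiters end it.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /L#61unch is counted as /Launch."""
    decoded = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def triage_pdf(data: bytes) -> Counter:
    """Count risky names in raw PDF bytes (object streams are not inflated)."""
    hits = Counter()
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in RISKY_NAMES:
            hits[name] += 1
    return hits


# Constructed sample: a document fragment whose open action is a launch
# action, with the action type written using a hex escape.
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Type /Action /S /L#61unch >>\nendobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for name, count in sorted(triage_pdf(SAMPLE).items()):
        print(f"/{name} x{count}: {RISKY_NAMES[name]}")
```

A hit is a reason to inspect the document further, not proof of malice: open actions and embedded files also appear in legitimate PDFs.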