Sunday, September 23, 2007

More comments on the PDF vulnerability

Matasano has some comments on the recent PDF vulnerability:

"Modern PDF Readers do crazy things. Like embed remote web pages. That means they talk to the internet. That means more network attack surface!"
From the overview (page 33) of Adobe's PDF Reference Manual:
"In addition to describing the static appearance of pages, a PDF document can contain interactive elements that are possible only in an electronic representation. PDF supports annotations of many kinds for such things as text notes, hypertext links, markup, file attachments, sounds, and movies. A document can define its own user interface; keyboard and mouse input can trigger actions that are specified by PDF objects. The document can contain interactive form fields to be filled in by the user, and can export the values of these fields to or import them from other applications." [italics are mine]
The spec sounds almost like a general purpose Operating System, not a document data format. And since the data and the code are not well separated, Dave at Matasano is right:
"These conditions create the perfect storm for the modern attacker. This is going to get worse not better."
I'm afraid there will be more holes found in PDFs, perhaps even to the point of businesses questioning the viability to remove PDF support from their systems.

No comments: