Thursday, April 8, 2010

PDF security: Broken as designed

Security sure was simpler when I was a wee lad. There was code (computer programs that executed on the CPU), and there was data (static information that a program used, but that did nothing by itself). Text files are data; easy to understand, right?

Not always. Take PDF, Adobe's Portable Document Format, the most commonly used way to distribute documents that display and print the same way everywhere. Here is an ordinary example, Installing Ubuntu Linux For Beginners. So riddle me this: is it data, or code?

It looks like we all have to treat it like code, because a PDF can (by design, not just in theory) launch a program, run JavaScript, or download and install arbitrary software, malware included. I don't think this particular document does any of that, but there's no easy way to tell by looking at it.

So why, I hear you ask, is there such a huge, gaping, ugly security hole in PDF? Because Adobe put it there on purpose:
Adobe's PDF Reader gets lots of criticism for poor security. However, the problems go beyond one specific PDF reader brand.

Have you ever looked at the specifications for the PDF file format? You can download them from here (PDF). They're 756 pages long. For real.

There's some crazy stuff in the PDF specs.

...

You can embed movies and songs. Into a PDF file. What?

...

PDF files can contain 3D objects, complete with embedded JavaScript? Who comes up with these things?

...

PDFs can have forms. That's fine. But why do we need functionality where such forms can submit the data you input directly to a server somewhere on the net?
It goes on and on. Security FAIL. Fail fail fail fail fail. And now for the punchline: it's wormable. The same /Launch action that lets a PDF start an external program lets a malicious PDF copy itself into other PDFs, so you can use it to build self-replicating malware that spreads from file to file and computer to computer:
I have received several email questions and explanation requests regarding my blog post “Are PDFs Worm-Able” and the proof of concept video within the post. Instead of repeating a post I wrote over on my company’s blog I figured I would just link to it from here: Implications of Recent PDF /Launch Hacks. In the linked blog post I describe some of the implications of this style of hack and I also walk through a scenario in which a variation of my proof of concept is utilized to infect all PDFs found on a user’s system. I don’t think my proof of concept was as clear as I would have liked it to be. Within the proof of concept I infected a single benign PDF file from another PDF file, but this proof of concept could easily be modified to recursively traverse a user’s computer directories to find and infect all PDF files on that user’s computer and/or accessible to that user at the time of execution with any payload of my choosing.
Great. Adobe is considering changing the spec, which will do precisely nothing, because a billion computers are attached to the Internet running readers that are just fine with the current spec. A billion computers, broken as designed.
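Since there is no easy way to tell by looking whether a PDF is data or code, here is an added example of how you would actually look: a small static triage script in Python. It is not code from the original post, from Adobe, or from the /Launch proof of concept above. It scans a file's raw bytes (and any FlateDecode streams it can inflate) for the dictionary names that give a PDF the ability to act, such as /Launch, /JavaScript and /SubmitForm. The two sample PDFs, the notepad.exe file name and the example.invalid URL are constructed placeholders.

```python
"""Static triage of a PDF for active content.

Added example, not code from the original post or from Adobe. It is a
triage filter, not a full PDF parser: it looks for the names that turn a
"document" into something that acts. All sample files below are constructed.
"""
import re
import zlib

# Names that let a PDF do something other than render. Matched after
# decoding #xx escapes, because /J#61vaScript is a common way to hide /JavaScript.
RISKY_NAMES = {
    "/Launch": "launch an external program (the /Launch hack)",
    "/JavaScript": "JavaScript action",
    "/JS": "inline JavaScript code",
    "/OpenAction": "action fires automatically when the file is opened",
    "/AA": "additional actions bound to page or form events",
    "/SubmitForm": "send form data to a URL",
    "/URI": "open a URL",
    "/EmbeddedFile": "carries an embedded file",
    "/RichMedia": "embedded Flash, video or 3D content",
    "/XFA": "XFA form, which has its own scripting",
}
# Names that on their own justify treating the file as code rather than data.
EXECUTES = {"/Launch", "/JavaScript", "/JS", "/SubmitForm", "/RichMedia", "/XFA"}

NAME_RE = re.compile(rb"/[^\s/<>\[\]()]+")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def decode_name(raw: bytes) -> str:
    """Resolve PDF name escapes: b'/J#61vaScript' -> '/JavaScript'."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def inflate_streams(data: bytes) -> bytes:
    """Concatenate the contents of every stream that inflates as zlib data.
    Object streams (/ObjStm) hold whole dictionaries inside FlateDecode data,
    so a scan of the raw file alone misses anything an attacker put there."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates the trailing newline before 'endstream'
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # other filter, image data or garbage: nothing to inflate
    return b"\n".join(out)


def scan_pdf(data: bytes) -> dict:
    """Return {name: count} for every risky name in the raw bytes and in
    inflated streams."""
    found = {}
    for blob in (data, inflate_streams(data)):
        for raw in NAME_RE.findall(blob):
            name = decode_name(raw)
            if name in RISKY_NAMES:
                found[name] = found.get(name, 0) + 1
    return found


def verdict(found: dict) -> str:
    if found.keys() & EXECUTES:
        return "code"    # can run something: treat it like an executable
    if found:
        return "review"  # e.g. only /OpenAction or /URI: look before opening
    return "data"        # nothing found that acts (see the caveat in the text)


# Constructed samples. The second is a minimal file of the kind the post
# describes: it auto-launches a program on open, carries a JavaScript action
# with an escaped name, and hides a /SubmitForm inside a compressed object
# stream. notepad.exe and example.invalid are placeholders, not a real payload.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
_HIDDEN = zlib.compress(
    b"7 0 obj << /S /SubmitForm /F (http://example.invalid/collect) >> endobj")
_STREAM_OBJ = (b"6 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
               + str(len(_HIDDEN)).encode() + b" >>\nstream\n"
               + _HIDDEN + b"\nendstream endobj\n")
ACTIVE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"4 0 obj << /Type /Action /S /Launch /F (notepad.exe) /Next 5 0 R >> endobj\n"
    b"5 0 obj << /Type /Action /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
    + _STREAM_OBJ
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("active", ACTIVE_PDF)):
        found = scan_pdf(pdf)
        print(f"{label}: {verdict(found)}")
        for name, n in sorted(found.items()):
            print(f"  {name} x{n}: {RISKY_NAMES[name]}")
```

Run it on a real file with `scan_pdf(open(path, "rb").read())`. Two caveats: a "data" verdict means nothing was found, not that the file is safe, since streams using filters other than Flate, encrypted PDFs, and syntax the regexes do not anticipate all evade a byte-level scan; and a "code" verdict is not proof of malice, because plenty of legitimate forms use JavaScript. The point of the script is to make the decision visible at all, which the reader's UI does not.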

{Sigh}

I tend not to post on security topics where it doesn't affect you or where there's nothing you can do to protect yourself. This is an exception to the rule. It doesn't help to tell you "be careful about software you download": you're not downloading software, you're downloading a document.

It may not be possible to patch holes like this; the ability to launch a program is a feature of the format, not a bug in one reader. The one concrete thing you can do in Adobe Reader is turn that feature off: Edit > Preferences > Trust Manager, then uncheck "Allow opening of non-PDF file attachments with external applications", which is the workaround Adobe itself published for the /Launch problem. Beyond that, everyone's sick of me saying it, but your best bet is to run a Macintosh or, even better, Ubuntu. People writing exploit code will probably target Windows, and so while it's not a panacea, you have fewer people gunning for you.

More here, in a post from the Pleistocene Age of this blog, when I'd only been posting a couple of months.

4 comments:

NotClauswitz said...

I remember when Adobe OWNED the print-world - and fonts could cost as much as $800 for something particularly designer-ly. And Windows mainly substituted the wrong font when going to print so you had to have all the RIGHT ones on another Zip-drive - and to short-cut that we converted them all to curves in Adobe Illustrator, boosting file size but preserving graphic integrity.
And making it real hard for Management to make last-second text changes.
They wanted PDFs to be everything to everybody - but Java stole that.

Anonymous said...

Isn't PDF an extension or improved version of PostScript?

PostScript is Turing complete, so it would make sense if PDF followed.

I have to admit sending a PS job to a printer to calculate PI is kinda fun.

So this is like saying Java or C# code can mess up your system....

Anonymous said...

PDF, boo. At very least get Foxit for the sake of diversity.

Jim

DaveH said...

I second the use of Foxit

Very lean code (less than three meg) and fast.

http://www.foxitsoftware.com/

They have a nice and cheap PDF creator ($30) that installs as a printer. Print to the software and pick a filename. After writing, it opens the file in the reader so you can check your results.

Beats paying $$$ to Adobe for bloatware.