As previously documented, the PDF format is full of fun items, like the /Launch action, which allows an arbitrary binary to be executed. Within two weeks of Didier Stevens's article about his PoC, a number of researchers (myself included) and malware authors have been getting in on the act. The current news is that the Zeus botnet is being used to push a malicious PDF that attempts to abuse /Launch actions.
I would like to clear the air a bit. There seems to be some confusion out there regarding what Didier Stevens actually discovered in his research (and what we developed a proof of concept for). The /Launch action "vulnerability" has been known for a while; it was discussed as early as 2008 at BlackHat Europe (page 12), so the concept of a launch action that runs an executable is well known. There are two critical "innovations" that make up the new threat. The first is controlling the contents of the dialog box to social-engineer the user. The second is using a non-standard method of embedding an executable that is not part of the PDF spec. These are two separate issues that, combined, allow this new breed of PDF document to slip transparently through antivirus gateways and trick users more easily. Things get a little more out of control with Foxit Reader, which turned out to launch programs silently without alerting the user; that was a previously undiscovered vulnerability. The idea itself, however, has been in the spec for some time and has been discussed in the security community.
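Because the /Launch action is a documented part of the PDF spec, the first line of defence at a mail or web gateway is simply to find it. The scanner below is an added example written for this post; it is not Didier Stevens's code, not the PoC mentioned above, and not part of any product. It walks the uncompressed objects of a PDF, undoes the `#xx` hex escaping the spec permits in names (so `/L#61unch` is still recognised as `/Launch`), reports the target file and parameters of each launch action, and notes whether the action is wired to `/OpenAction` so that it fires as soon as the document is opened. The three PDFs at the top are constructed fixtures, and `example.exe` is a placeholder, not a real target.

```python
import re
import sys

# Constructed fixture 1: a benign one-page PDF with no actions at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed fixture 2: a /Launch action (Windows-specific /Win form) that is
# also the document's /OpenAction, i.e. it is triggered on open.
LAUNCH_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /Launch /Win << /F (example.exe) /P (PLACEHOLDER) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed fixture 3: the same action with the name hex-escaped (/L#61unch)
# and the portable /F form, not referenced from /OpenAction.
OBFUSCATED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /L#61unch /F (example.exe) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

_OBJ_RE = re.compile(rb'(\d+)\s+(\d+)\s+obj(.*?)endobj', re.DOTALL)


def _decode_names(data: bytes) -> bytes:
    """Expand #xx escapes in PDF names so obfuscated names match plain ones."""
    return re.sub(rb'#([0-9A-Fa-f]{2})',
                  lambda m: bytes([int(m.group(1), 16)]), data)


def _string_value(key: bytes, body: bytes):
    """Return the literal string following /key, e.g. /F (example.exe)."""
    m = re.search(rb'/' + key + rb'\s*\(((?:[^()\\]|\\.)*)\)', body)
    return m.group(1).decode('latin-1') if m else None


def find_launch_actions(pdf: bytes) -> list:
    """Return one dict per /Launch action found in the PDF's plain objects."""
    data = _decode_names(pdf)
    # Objects referenced from /OpenAction run as soon as the file is opened.
    auto = set(re.findall(rb'/OpenAction\s+(\d+)\s+\d+\s+R', data))
    findings = []
    for num, _gen, body in _OBJ_RE.findall(data):
        if not re.search(rb'/S\s*/Launch\b', body):
            continue
        findings.append({
            'object': int(num),
            'file': _string_value(b'F', body),
            'params': _string_value(b'P', body),
            # A direct /OpenAction dictionary lives inside the catalog itself.
            'auto_run': num in auto or b'/OpenAction' in body,
        })
    return findings


def is_suspicious(pdf: bytes) -> bool:
    """Gateway-style verdict: any /Launch action is worth quarantining."""
    return bool(find_launch_actions(pdf))


if __name__ == '__main__':
    # Usage: python launch_scan.py file.pdf
    with open(sys.argv[1], 'rb') as fh:
        for hit in find_launch_actions(fh.read()):
            print(hit)
```

One caveat a gateway operator should keep in mind: this is a regex scan over plain-text objects, not a full PDF parser. An action stored inside a compressed object stream, or a name split by other tricks, will not be seen, so a production check has to decompress object streams first (or lean on a real parser) before applying the same test.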