Saturday, 3 April 2010

PDF Caveat

I have commented for a long time that people should not use DOC (or, more recently, DOCX) format for mail attachments, in part because DOC format is a major vector for malware. This is still true. It has been drawn to my attention, though, that the same is also true of PDF attachments.

Over the years, Adobe has been expanding the PDF specification to add features that users want, like the ability to add dynamic content. This means running JavaScript or executing external programs from inside the document. These features can be maliciously misused.

Only full-featured PDF readers, like Acrobat Reader and Foxit, both popular on the Windows platform, are vulnerable. You can switch JavaScript off (recommended), but the "launch application" code will still work. In Acrobat you get a warning dialog asking permission to execute the program. When you see one of these, do not execute; instead, contact the person who sent the PDF and ask them for an explanation.

Not all readers warn you. Some security firms are advising people to open PDFs in Google Docs. This will help a bit, since the PDF opens on Google's computers and Google sends you the results for your browser to display, at least until someone figures out how to get the executed code to run in your browser (or uses it to attack Google).

Narrow-featured readers, like xpdf (GNU/Linux platform), are not affected because they do not implement these features. Bear in mind that all software has bugs, and free software is no exception. You do need to keep your applications up to date.
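An added example, not from the original post: a Python check that counts the PDF keys behind the features described above (`/JS` and `/JavaScript` for scripts, `/Launch` for external programs, and `/OpenAction`, which fires an action on open) in an attachment before it is opened in a full-featured reader. It also decodes `#xx` name escapes and looks inside Flate-compressed streams; the key list, function names and sample bytes are assumptions chosen here for illustration.

```python
import re
import zlib

# PDF name keys for the two features discussed above, plus the key that
# makes an action fire as soon as the document is opened.
SUSPICIOUS = {b"JS", b"JavaScript", b"Launch", b"OpenAction"}

NAME_RE = re.compile(rb"/([A-Za-z0-9#_.\-]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def decode_name(raw):
    """Undo #xx hex escapes, so /J#61vaScript is read as /JavaScript."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def inflate_streams(data):
    """Yield the contents of every stream that inflates as zlib/Flate data."""
    for m in STREAM_RE.finditer(data):
        try:
            out = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # other filter or damaged data: left uninspected
        yield out


def scan_pdf(data):
    """Count suspicious keys in the raw bytes and in inflated streams."""
    hits = {}
    for chunk in [data, *inflate_streams(data)]:
        for m in NAME_RE.finditer(chunk):
            name = decode_name(m.group(1))
            if name in SUSPICIOUS:
                hits[name.decode()] = hits.get(name.decode(), 0) + 1
    return hits


# Constructed sample fragments, not real attachments.
PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
ESCAPED = (b"%PDF-1.4\n1 0 obj\n<< /OpenAction "
           b"<< /S /J#61vaScript /JS (placeholder) >> >>\nendobj\n")
HIDDEN = (b"%PDF-1.5\n3 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
          + zlib.compress(b"<< /S /Launch /F (placeholder) >>")
          + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    for label, sample in [("plain", PLAIN), ("escaped", ESCAPED), ("hidden", HIDDEN)]:
        print(label, scan_pdf(sample) or "no dynamic-content keys found")
```

An empty result only means these keys were not visible in the raw bytes or in Flate streams; content under other filters or encryption is not inspected.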

So what of email attachments? It is very seldom that you need to send the information in an attachment at all. Put it in the main body of the email as plain text and send it as a plain text message. Nobody ever got a virus off ASCII.
