PDFs are not just pure documents. For example, if they have a signable field, it’s using macros that are stored as JavaScript code.
This code can be malicious. So your Adobe Reader will run this script if you allow it to and this script can then do harm.
By default you will get a warning if you want to run this code, but plenty of people will just click accept.
Lots of people are talking about Postscript/VB scripts embedded in PDFs and Word documents. That’s one important aspect of it, but not the whole picture. Sometimes even opening an image file (.jpg), displaying just a piece of text, or loading a save file for a game can be dangerous. These are real cases:
– JPG vulnerabilities: [https://umbrella.cisco.com/blog/picture-perfect-how-jpg-exif-data-hides-malware](https://umbrella.cisco.com/blog/picture-perfect-how-jpg-exif-data-hides-malware)
– Text display vulnerabilities: [https://arstechnica.com/information-technology/2015/05/beware-of-the-text-message-that-crashes-iphones/](https://arstechnica.com/information-technology/2015/05/beware-of-the-text-message-that-crashes-iphones/)
– Save game vulnerabilities: [https://wololo.net/2016/05/01/3ds-vhax-released-new-3ds-userland-exploit-for-game-vvvvvv/](https://wololo.net/2016/05/01/3ds-vhax-released-new-3ds-userland-exploit-for-game-vvvvvv/)
These have to do with the fact that the programs used to load those files can have bugs, and files can be specially crafted to exploit such bugs to trigger unexpected behavior, including getting the program or OS to run arbitrary code.
DOC and PDF files happen to be complicated enough that programs which can open them tend to have a very high number of bugs, so it’s fairly easy to find an exploitable one. But the truth is, nothing is 100% safe no matter how innocent it might feel. This is why security hygiene is the most important. Never trust any files you get from questionable sources.
To see how an exploit might work, imagine a simplified program that looks like:
1: Load the file into slots 3-10.
2: Go to line 11 and continue executing the program from there.
3: (empty slot to hold file content)
…
10: (empty slot to hold file content)
11: Convert data from slots 3-10 into pixels and display the picture
This assumes the file can only fill 8 slots (#3 through #10). But what if the file is bigger than that, and the program is not careful about limiting its size when loading it? Then after filling up slot 10, it’ll continue writing over slot 11, 12, and so on. The program doesn’t realize this. And when it eventually goes to execute line 11, it’ll be executing arbitrary stuff that was loaded from the file instead of the intended program. This is a classic “buffer overrun” vulnerability. A virus author can make a file such that instructions to encrypt your disk land in slot 11. If you try to open this file, your disk will get encrypted.
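The slot model from the answer above, written out as an added example (not part of the original answer). The memory layout, the function names and the harmless `FROM-FILE` marker are assumptions made for illustration; the checked loader shows the size check the simplified program is missing.

```python
# Constructed model of the slot program described above; slot numbers match the post.
DISPLAY = ("DISPLAY",)                  # the intended instruction stored in slot 11
DATA_FIRST, DATA_LAST, CODE_SLOT = 3, 10, 11

def fresh_memory():
    """Slots 1..12 (index 0 unused). Slots 3-10 hold file data, slot 11 holds code."""
    mem = [None] * 13
    mem[1] = ("LOAD",)
    mem[2] = ("GOTO", CODE_SLOT)
    mem[CODE_SLOT] = DISPLAY
    return mem

def load_unchecked(mem, file_items):
    """The bug: copies every item and never compares file size to buffer size."""
    for offset, item in enumerate(file_items):
        slot = DATA_FIRST + offset
        if slot >= len(mem):
            break                       # end of the model; a real process would crash here
        mem[slot] = item

def load_checked(mem, file_items):
    """The fix: reject any file larger than the 8 slots reserved for it."""
    capacity = DATA_LAST - DATA_FIRST + 1
    if len(file_items) > capacity:
        raise ValueError(f"file has {len(file_items)} items, buffer holds {capacity}")
    mem[DATA_FIRST:DATA_FIRST + len(file_items)] = file_items

def run(mem, loader, file_items):
    """Step 1 loads the file, step 2 jumps to slot 11; report what slot 11 now holds."""
    loader(mem, file_items)
    instr = mem[CODE_SLOT]
    if instr == DISPLAY:
        return "displayed picture from slots 3-10"
    return f"executed file-supplied content: {instr!r}"

normal_file = ["px"] * 8                      # fits exactly in slots 3-10
oversized_file = ["px"] * 8 + ["FROM-FILE"]   # the ninth item lands in slot 11

if __name__ == "__main__":
    print(run(fresh_memory(), load_unchecked, normal_file))
    print(run(fresh_memory(), load_unchecked, oversized_file))
    try:
        run(fresh_memory(), load_checked, oversized_file)
    except ValueError as err:
        print("rejected:", err)
```
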
There are many ways.
1st is, say, a PDF file that isn’t actually a PDF file, and the user clicks on it and it is actually some kind of executable.
2nd is using PDF functionality. Generally people think of PDF as just a static document. But it can contain JavaScript, or other stuff that can be used to attack a user. E.g. an innocuous link in a PDF may point to some web-based malware. Or some malicious JavaScript can be executed.
3rd is actually targeting vulnerabilities in the PDF renderer (the program you use to view the PDF). The PDF specification is very complex, and if there is a bug in the program, for example in the way it displays certain image formats, a specially crafted PDF can be used to try and trigger that bug and execute malicious software.
Of course, because of the ubiquitous nature of PDFs, the vulnerabilities will depend on many factors – the browser you use, the program you use to view the PDF, your security settings, your OS etc.
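A triage check for the first two cases in the answer above, as an added example that is not part of the original answer: it compares the claimed file type with the magic bytes and lists PDF name objects that indicate scripts or auto-run actions. The function names and the three sample byte strings are constructed for illustration.

```python
import re

# Name objects for script and auto-run actions, as defined in the PDF specification.
ACTIVE_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")

def decode_name_escapes(data: bytes) -> bytes:
    """PDF names may write any character as #xx hex, e.g. /J#61vaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def triage(filename: str, data: bytes) -> dict:
    """Compare the claimed type with the magic bytes and list active-content names."""
    if data.startswith(b"MZ"):              # DOS/PE executable header
        kind = "windows-executable"
    elif b"%PDF-" in data[:1024]:           # some readers accept the header near the start
        kind = "pdf"
    else:
        kind = "unknown"
    decoded = decode_name_escapes(data)
    found = [n.decode() for n in ACTIVE_NAMES
             if re.search(re.escape(n) + rb"(?![A-Za-z0-9])", decoded)]
    return {
        "kind": kind,
        "name_mismatch": ".pdf" in filename.lower() and kind != "pdf",
        "active_content": found if kind == "pdf" else [],
    }

# Constructed sample inputs (not real documents or malware).
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SAMPLE_SCRIPTED = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
                   b"3 0 obj\n<< /S /J#61vaScript /JS (constructed placeholder) >>\nendobj\n")
SAMPLE_FAKE = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    for name, blob in [("notes.pdf", SAMPLE_PLAIN),
                       ("report.pdf", SAMPLE_SCRIPTED),
                       ("invoice.pdf.exe", SAMPLE_FAKE)]:
        print(name, triage(name, blob))
```

A clean result is not proof of a safe file: names inside compressed object streams are invisible to a byte scan, and this check says nothing about the third case, bugs in the renderer itself.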