New PDF Security Exploit Emerges

Written by Andy Patrizio
Sep 22, 2007

A new vulnerability has emerged in Adobe’s Portable Document Format (PDF) and, so far, only Adobe and a white hat hacker know about it. But give the bad guys time.

PDF was the target of another exploit in January, which was quickly fixed. It then emerged earlier this summer as the new method for delivering spam because spam filters have become so efficient at blocking other forms.

PDF-based spam died off in a matter of months because it was too inefficient a means of delivery and the spam filter vendors were able to develop effective means to spot it.

Now Petko D. Petkov, a.k.a. pdp, the leader of Gnucitizen, a security Web site, and a security consultant in the U.K., has found a new JavaScript-based exploit in PDF that would allow malicious JavaScript code to execute on a user’s client simply from opening an infected PDF file.

Petkov won’t publish proof-of-concept code because the exploit is so dangerous, PDF is so ubiquitous and “it may take a while for Adobe to fix their closed source product,” he wrote in a Gnucitizen posting.

Paul Henry, vice president of technology evangelism for Secure Computing, said even without sample code, it’s still enough to send the bad guys off sniffing through the PDF format to find the holes. “Just the fact it has been found makes me think it will become available eventually,” he told InternetNews.com.

Henry said the exploit is particularly insidious because it can embed JavaScript in the file, so an anti-virus scanner may not see it. “In this Web 2.0 world, it’s important to scan everything coming over the wire, including scripts with malicious intent,” he said.

Adobe has said that it is aware of the problem. “Adobe and Petkov have been in communication,” the company said in a statement to InternetNews.com. “Adobe is currently researching the potential issue. Once this process is complete, Adobe plans to share further information on the topic via the company’s Adobe Security Bulletins and Advisories page.”

For now, both Adobe and Secure Computing offer the same advice: Never open a PDF from an unknown source and if you get it from a known source but weren’t expecting it, double check with that person.
