PDF Security Issues Doing your bit to help Betsy Kent May 2010.


1 PDF Security Issues: Doing your bit to help. Betsy Kent, May 2010

2 They’re out there: Malicious PDFs comprised 80 percent of all exploits for 2009. Dancho Danchev, 2/16/2010

3 MS Word Dethroned: Files based on Reader were exploited in almost 49 per cent of the targeted attacks of 2009, compared with about 39 per cent that took aim at Microsoft Word. By comparison, in 2008, Acrobat was targeted in almost 29 per cent of attacks and Word was exploited by almost 35 per cent. Bruce Schneier on Security

4 Why Choose PDF? “… the increasing use of malicious PDFs can also be interpreted as the direct result of the millions of users using outdated and exploitable Adobe products … ScanSafe’s report shows that Adobe Acrobat/Reader exploits grew while the use of Flash exploits declined...” Dancho Danchev

5 80% using outdated versions: Trusteer claims that 83.5% of users are running a vulnerable version of Acrobat. “…Data published by Secunia two months ago, indicates the same trend that cybercriminals have been aware of for a while now, namely, that the average insecure program per PC rate is still high, with 3 insecure programs in the U.S on average, and 4 insecure programs per PC in Europe based on the company’s data.” Dancho Danchev

6 No Vulnerability Required! PDF executes embedded executable via a launch action. Foxit Reader doesn’t even give a warning. Acrobat Reader warning can be edited. http://blog.didierstevens.com/2010/03/29/escape-from-pdf/

7 DEMO: http://www.sudosecure.net/archives/636 “In this proof of concept I have one benign PDF document titled “empty.pdf” and another evil PDF document titled “ownit.pdf”. The ownit.pdf file contains my custom code that when opened prompts the user to allow the execution of this code and if the user clicks “ok” this code will inject an incremental update into the empty.pdf file.”

8 It’s out there: Didier Stevens’s proof of concept has been seen in the wild; no JavaScript required. “…and embeds the executable as a PDF comment. Within this PDF comment is a simple vbscript that encodes the executable as an ANSI character code array which is later extracted from the PDF file, converted to binary form, written to the user’s computer as “game.exe” and executed…” http://www.sudosecure.net/archives/681

9 What Can You Do? Talk to your manager or client. Adobe’s recommended workaround: http://www.zdnet.com/blog/security/adobe-suggests-workaround-for-pdf-embedded-executable-hack/6028?p=6028&tag=rbxccnbzd1 “Users can also turn off this functionality in the Adobe Reader and Adobe Acrobat Preferences by selecting > Edit > Preferences > Categories > Trust Manager > PDF File Attachments and clearing (unchecking) the box “Allow opening of non-PDF file attachments with external applications””
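A complementary check for files before they reach a reader, as an added example that is not from the original slides: a small triage function that flags the launch action described in slides 6 to 8 and the incremental-update marker from the slide 7 demo. The function name, the watched-name list and the sample fragments are assumptions constructed for illustration.

```python
import re

# PDF names may hex-escape any character (/L#61unch is /Launch), so every
# name is decoded before comparison. A name ends at whitespace or a delimiter.
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")
_NAME = re.compile(rb"/([^\x00\s()<>\[\]{}/%]+)")
# Assumed watch list: launch action plus names that trigger or carry active content.
WATCHED = (b"Launch", b"OpenAction", b"AA", b"JavaScript", b"JS", b"EmbeddedFile")

# Constructed sample fragments (not complete PDFs, not taken from the slides).
BENIGN = b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
SUSPECT = (
    b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n%%EOF\n"
    b"3 0 obj\n<< /Type /Action /S /L#61unch /F (placeholder) >>\nendobj\n%%EOF\n"
)


def _decode_name(raw: bytes) -> bytes:
    """Undo #xx hex escapes inside a PDF name."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def triage_pdf(data: bytes) -> dict:
    """Count watched names and %%EOF markers in raw PDF bytes.

    Only unfiltered bytes are inspected; names inside compressed object
    streams are not seen, so a clean result is not proof of safety.
    """
    counts = {name.decode(): 0 for name in WATCHED}
    for match in _NAME.finditer(data):
        name = _decode_name(match.group(1))
        if name in WATCHED:
            counts[name.decode()] += 1
    eof = data.count(b"%%EOF")
    return {
        "names": counts,
        "eof_markers": eof,
        # More than one %%EOF means appended revisions; linearized and
        # legitimately edited files show this too, so treat it as a hint.
        "incremental_update": eof > 1,
        "launch_action": counts["Launch"] > 0,
    }


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, triage_pdf(blob))
```

A hit on `launch_action` is a reason to quarantine the file for closer inspection rather than a verdict on its own.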

10

11 Zeus crimeware emails: The messages appear to be forwarded from a Director of Information Services who apparently received update instructions directly from an associate at Adobe. The message from the Adobe associate states that the update link is to patch CVE-2010-0193. There are two links in the message which lead to the same IP address hosting a PDF file for instructions and an executable which is meant to be the patch to apply.

12 PDF Specification, 1.5 spec. Note: Once the document has been opened and decrypted successfully, the viewer application has access to the entire contents of the document. There is nothing inherent in PDF encryption that enforces the document permissions specified in the encryption dictionary. It is up to the implementors of PDF viewer applications to respect the intent of the document creator by restricting user access to an encrypted PDF file according to the permissions contained in the file. Note: PDF 1.5 introduces a new set of access permissions that do not require the document to be encrypted; see Section 8.7.3, “Permissions.”

13 References
Report: Malicious PDF files comprised 80 percent of all exploits for 2009: http://www.zdnet.com/blog/security/report-malicious-pdf-files-comprised-80-percent-of-all-exploits-for-2009/5473?tag=mantle_skin;content
PDF the Most Common Malware Vector: http://www.schneier.com/blog/archives/2010/03/pdf_the_most_co.html
Unpatched Acrobat: http://www.zdnet.com/blog/security/research-80-of-web-users-running-unpatched-versions-of-flashacrobat/4097?tag=mantle_skin;content
Escape from PDF seen in the wild: http://www.sudosecure.net/archives/681
http://www.zdnet.com/blog/security/the-real-dangers-of-pdf-executable-trickery/6055?p=6055&tag=nl.e539

14 References (continued)
Workaround for the embedded executable hack: http://www.zdnet.com/blog/security/adobe-suggests-workaround-for-pdf-embedded-executable-hack/6028?p=6028&tag=rbxccnbzd1
Bogus Adobe updates: http://www.zdnet.com/blog/security/malware-watch-rogue-facebook-apps-fake-amazon-orders-and-bogus-adobe-updates/6480?tag=nl.e539

