Recently, there has been a lot of hype around backdooring various web technologies, and PDF documents are among them. A British security researcher has figured out a way to manipulate legitimate features in Adobe PDF files to open back doors for computer attacks.
David Kierznowski has posted proof-of-concept code on his blog and rigged PDF files to demonstrate how the Adobe Reader program could be used to launch attacks without any user action.
PDF documents seem obviously vulnerable because the format supports JavaScript. However, there are quite a few twists and turns; it is by no means that straightforward.
Adobe supports its own JavaScript object model. For example, "alert('xss')" must be called from the app object, so this becomes "app.alert('xss')". This means JavaScript attacks are limited to the functionality supported within Adobe. Secondly, Adobe Reader and Adobe Professional are very different with regard to which JavaScript objects are allowed.
Read all from PDF Back Doors
This article will give two practical examples of how Adobe Professional and Adobe Reader can be backdoored. There are 7 or more points where an attacker can launch malicious code. Both of the attacks discussed below are attached to the “Page Open” event.
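For triage, the "Page Open" trigger described above is visible in a file's structure: the action sits in a page object's /AA dictionary and the script in a JavaScript action. The Python below is an added example, not Kierznowski's code; the function names and the sample bytes are constructed here, and it assumes the objects are stored uncompressed.

```python
import re

# Name tokens worth flagging. /AA on a page object holds the page-open (/O)
# and page-close (/C) actions; /OpenAction is the document-level trigger.
WATCHED = ("JS", "JavaScript", "AA", "OpenAction")

# A PDF name is "/" followed by anything except whitespace and delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed sample: one page object with a script on its page-open action,
# using the app.alert call quoted in the text and a #xx-escaped name.
SAMPLE = (
    b"%PDF-1.4\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R\n"
    b"   /AA << /O << /S /J#61vaScript /JS (app.alert('xss')) >> >> >>\n"
    b"endobj\n"
)
CLEAN = b"%PDF-1.4\n3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript is counted as /JavaScript."""
    return HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def count_names(pdf: bytes) -> dict:
    """Count watched name tokens in the raw (uncompressed) bytes."""
    counts = dict.fromkeys(WATCHED, 0)
    for match in NAME_RE.finditer(pdf):
        name = decode_name(match.group(1))
        if name in counts:
            counts[name] += 1
    return counts


def auto_run_script(pdf: bytes) -> bool:
    """True when a script action coexists with an automatic trigger."""
    c = count_names(pdf)
    return bool((c["JS"] or c["JavaScript"]) and (c["AA"] or c["OpenAction"]))


if __name__ == "__main__":
    for label, data in (("sample", SAMPLE), ("clean", CLEAN)):
        print(label, count_names(data), "flag:", auto_run_script(data))
```

A hit is a reason to inspect the document further, not a verdict: forms and other legitimate PDFs also carry JavaScript actions.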
These vulnerabilities are very critical, and advanced attacks could be more devastating. A spokesperson from Adobe’s product security incident response team said the company is aware of Kierznowski’s discovery and is “actively investigating” the issue. Let's see when the patch comes out.