NEWS FROM THE LAB - Wednesday, March 31, 2010

Does PDF stand for Problematic Document Format? Posted by Mikko @ 13:53 GMT

Adobe's PDF Reader gets lots of criticism for poor security. However, the problems go beyond one specific PDF reader brand.

Have you ever looked at the specifications for the PDF file format? You can download them from here (PDF). They're 756 pages long. For real.

There's some crazy stuff in the PDF specs.

Take a look at these.

PDF specs

You can embed movies and songs. Into a PDF file. What?

PDF specs

PDF files can contain 3D objects, complete with embedded JavaScript? Who comes up with these things?

PDF specs

PDFs can have forms. That's fine. But why do we need functionality where such forms can submit the data you input directly to a server somewhere on the net?

PDF specs

There's a function within PDF specs to launch executables. Or to run JavaScript. Why do we need these things?

With specs like these, it's no wonder it takes ages for Adobe Reader to boot up and load all the plugins.

It's no wonder there are regular security problems with PDF readers in general.

The perfect example is the "Escape from PDF" demo from Didier Stevens' blog.

Users of Foxit Reader: try opening Didier's demo PDF file. After opening, it will run CMD.EXE on your system; no questions asked. And this is a legitimate PDF file which uses no exploits.
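The features the post lists (launch actions, JavaScript, form submission, multimedia) all show up in a PDF as name tokens, so a defender can triage a file before opening it by counting those names, which is the approach Didier Stevens' pdfid tool takes. The script below is an added example, not code from the post or from Didier Stevens' tools; the keyword list, the sample document and the "suspicious" rule are assumptions chosen for the demonstration. It also handles two things a naive `grep` misses: names written with `#xx` hex escapes (`/Java#53cript`) and objects hidden inside Flate-compressed streams.

```python
import re
import zlib

# Name tokens for the PDF features discussed in the post, plus the event
# triggers that make them fire automatically. The selection is an assumption.
RISKY_NAMES = (
    "/OpenAction", "/AA",                      # automatic triggers
    "/JavaScript", "/JS",                      # embedded script
    "/Launch",                                 # run an external program
    "/SubmitForm", "/URI",                     # send form data / open URLs
    "/RichMedia", "/Movie", "/Sound", "/3D",   # multimedia and 3D content
    "/EmbeddedFile",                           # attachments
)
TRIGGERS = {"/OpenAction", "/AA"}
ACTIVE = {"/JavaScript", "/JS", "/Launch", "/SubmitForm", "/URI"}

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
_NAME = re.compile(rb"/[^\s/\[\]<>(){}%]+")


def normalise_name(raw: bytes) -> str:
    """Decode #xx escapes so /Java#53cript is recognised as /JavaScript."""
    decoded = _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def inflate_streams(data: bytes) -> bytes:
    """Return the inflated bodies of every stream zlib can decompress (FlateDecode)."""
    out = []
    for m in _STREAM.finditer(data):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed or damaged; the raw scan still covers it
    return b"\n".join(out)


def scan_pdf(data: bytes) -> dict:
    """Count risky name tokens in the raw bytes and in inflated stream contents."""
    counts = {name: 0 for name in RISKY_NAMES}
    for blob in (data, inflate_streams(data)):
        for m in _NAME.finditer(blob):
            name = normalise_name(m.group(0))
            if name in counts:
                counts[name] += 1
    return {k: v for k, v in counts.items() if v}


def is_suspicious(counts: dict) -> bool:
    """Flag documents where an automatic trigger coexists with active content."""
    found = set(counts)
    return bool(found & TRIGGERS) and bool(found & ACTIVE)


def build_sample() -> bytes:
    """Constructed, deliberately incomplete PDF fragment used only as test input."""
    js_obj = b"<< /S /Java#53cript /JS (app.alert('hi')) >>"      # escaped name
    hidden = zlib.compress(
        b"<< /Type /Action /S /SubmitForm /F (http://placeholder.invalid/) >>"
    )
    return (
        b"%PDF-1.7\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
        b"3 0 obj << /Type /Action /S /Launch /F (not-a-real-program) >> endobj\n"
        b"4 0 obj " + js_obj + b" endobj\n"
        b"5 0 obj << /Length " + str(len(hidden)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + hidden + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    hits = scan_pdf(build_sample())
    for name, n in hits.items():
        print(f"{name:14s} {n}")
    print("suspicious:", is_suspicious(hits))
```

Treat the output as a triage signal, not a verdict: a benign form or presentation will legitimately carry `/AA` or `/RichMedia`, while a document that uses encryption, a non-Flate filter, or spreads an action across indirect objects will slip past keyword counting. For anything beyond a first look, the pdfid and pdf-parser tools from Didier Stevens' blog do this properly.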

One way to reduce your risk is not to download PDF files from the web to your machine at all. Instead of opening the files on your local machine, you can open them remotely in viewers like Google Docs. This process can be made completely automatic with plugins like gPDF (for Chrome/Opera/Firefox/Iron). Do note that it will only work with PDF files you access on the public web.

Otherwise, our guidance would be to use a PDF reader that's as unpopular as possible. The fewer users a product has, the fewer attacks it will attract.

Updated to add: A press representative of Foxit software sent us a message via our weblog@ address. Foxit is working on an update/fix for their reader. See this post's comments for more details.