Press release
Oslo, Norway – 12 April 2010 – Norman, a leading security innovator serving single desktops to complex corporate and government networks, today issued a malware warning concerning the exploitation of how applications handle files in the Portable Document Format (PDF).
Exploits involving PDF files usually rely on vulnerabilities in the applications used to read these files, such as the popular free program Adobe Reader. However, a security researcher has recently published information suggesting a two-part technique that combines a special use of the PDF specification with manipulation of a warning message.
A non-standard technique is used to launch a program embedded in the PDF file. The warning message that is displayed is then manipulated to tempt a user to accept running the embedded file. Both Adobe Reader and the alternative Foxit Reader are potentially vulnerable to this technique.
“We have no reports of malware in the wild that use this technique,” said Ståle Ekelund, Chief Technology Officer. “We believe this vulnerability could be exploited by cyber criminals for malicious purposes. We already see examples of variants, including proof-of-concepts, with infection of other PDF files. Fixing this particular problem may be difficult without changing the PDF specification itself, which is a time-consuming process.”
As a workaround, Adobe has published information about how to mitigate the risks involved in this issue. A change in the program's preferences is required. See the posting on the Adobe Reader Blog for details:
http://blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html
For more information about this issue, please go to Norman Security Center:
http://www.norman.com/security_center/security_center_archive/2010/79064/en
For more information on this proof-of-concept attack, please go to this blog:
http://blog.didierstevens.com/2010/03/29/escape-from-pdf/
Ståle Ekelund, Chief Technical Officer, +47 91 60 68 98, stale.ekelund@norman.com