Speaking at the 27th Chaos Computer Club conference in Germany last week, Wolf said that it is possible to create a PDF file that displays different data on different operating system platforms.
But it goes further than this, as the FireEye researcher added that different PDF data can be shown, depending on the users' browser software and even the host computer's language settings.
Reporting on the hitherto unknown potential security issues with Adobe PDF, Stefan Krempl of the Heisse Online newswire, quotes Wolf as saying that there are other risks are generated through the support of inherently insecure script languages such as JavaScript, formats such as XML, RFID tags and digital rights management (DRM) technologies.
"According to Wolf, Adobe itself calls PDF a 'container format’ which may indeed hold a variety of things. For example, it is possible to integrate Flash files, which themselves offer many points of attack, as well as audio and video files", says Krempl.
The situation is made potentially worse by the fact that the Adobe PDF file format – which was originally designed to allow document and image files to be displayed between different computer platforms – as many places for hiding arbitrary data and code.
What is interesting from an IT security perspective, however, Infosecurity notes, is that Wolf claims that all Adobe PDF document and metadata can be read and edited via the JavaScript extensible code programming language.
"Even files compressed in formats such as ZIP, which allow further arbitrary objects to be embedded via comments, can reportedly be integrated", notes Krempl.
"Wolf added that it is also possible to generate very small PDF files which only execute JavaScript, and that certain objects can be referenced multiple times to trigger different responses when opening a file", he added.
The situation is made potentially worse, as Wolf claims that most IT security software cannot detect malware within a PDF – with more than half of security scanners failing to pick up on the presence of malware within a given Adobe PDF file.
The good news, however, is that Adobe appears to be aware of these shortcomings and is planning a memory sandbox feature that allows program code to be executed separately in secure mode.