Jeremy Conway, product manager at NitroSecurity, has created a proof-of-concept attack that injects malicious code into a clean PDF file on a computer as part of an incremental update. The attack, highlighted in a demonstration video produced by Conway, requires some user interaction, as a dialog box must be navigated. But the attacker could at least partially control the content of the dialog box, creating possible scenarios for a social engineering attack.
The proof of concept capitalizes on research that Didier Stevens released last week. Stevens showed how a launch action triggered by the opening of a PDF enabled him to execute code embedded in the PDF and partly control the message displayed by the dialog box. "Foxit Reader displays no warning at all, the action gets executed without user interaction," he said.
"There is more that can be done with this hack that may not be apparent at first glance," said Conway in a blog post responding to Stevens' research. "My code could easily be adapted or modified to infect every single PDF file on a user’s computer or accessible to the user via network mapped drives without changing the physical appearance of these newly infected PDF files. This means PDF files that have been stored on the user’s computer for years and are trusted could now house any sort of badness and/or evil I chose to update them with."
Foxit Corporation announced version 3.2.1.0401 of its Foxit PDF Reader, which addresses the issues found by Stevens, making it easier to spot executable code being launched from within a PDF.
Stevens submitted his information to the Adobe Product Security Incident Response Team, but as of today, nothing had been posted on the blog in response.
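For defenders triaging stored PDFs, the following Python check is an added example (not code from Conway, Stevens or this article) that reports which revision of a file introduces a launch action or an open action, since an incremental update appends a new revision after the original `%%EOF`. The names `scan_pdf`, `CLEAN` and `UPDATE` are hypothetical, the sample bytes are constructed, and the check assumes the objects are stored uncompressed.

```python
import re

# Keys of interest: a launch action, and the catalog entry that runs an
# action when the document is opened.
KEYS = (b"/Launch", b"/OpenAction")

def _decode_names(data: bytes) -> bytes:
    # PDF names may hex-escape any character (/L#61unch == /Launch),
    # so normalise before matching to avoid a trivial bypass.
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> dict:
    """Split the file into revisions at each %%EOF and flag KEYS per revision.

    Limitation (assumption of this example): objects hidden inside
    compressed object streams are not inspected.
    """
    ends = [m.end() for m in re.finditer(rb"%%EOF", data)]
    findings, start = [], 0
    for rev, end in enumerate(ends, 1):
        segment = _decode_names(data[start:end])
        for key in KEYS:
            if re.search(re.escape(key) + rb"\b", segment):
                findings.append((rev, key.decode()))
        start = end
    return {
        "revisions": len(ends),
        "findings": findings,
        # True when a launch action first appears in an appended revision.
        "launch_added_by_update": any(r > 1 and k == "/Launch"
                                      for r, k in findings),
    }

# Constructed sample data: an original revision and an appended update.
CLEAN = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
         b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
UPDATE = (b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>\n"
          b"endobj\n5 0 obj\n<< /S /L#61unch /F (PLACEHOLDER) >>\nendobj\n"
          b"trailer\n<< /Root 1 0 R /Prev 0 >>\n%%EOF\n")

if __name__ == "__main__":
    print(scan_pdf(CLEAN))
    print(scan_pdf(CLEAN + UPDATE))
```

More than one revision is not suspicious by itself, because legitimate editing and signing also save incrementally; the signal is a launch action that appears only in a later revision.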