
Something I was wondering about after reading Didier Stevens Labs' 2008 post: there are endless ways described of putting potentially malicious content into a PDF file while making it impossible for mask-based scanners to detect the content. If a PDF reader tries to parse such a compressed string, it could happen that a zip bomb or other malware is included. Therefore I was wondering whether there is already a way to filter the potentially malicious compressed parts out without removing the essential parts.

smci
arc_lupus
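The compressed-stream problem the question raises, as an added example (not code from the post or from Didier Stevens' tools): a small Python scanner that inflates each FlateDecode stream under a hard output cap, so a zip bomb is refused instead of buffered, and reports the action keywords found inside. The PDF bytes are constructed inline and are not a real file; the `_obj` helper and the 1 MiB cap are assumptions for the demo.

```python
import re
import zlib

# Dictionary keys of the kind Didier Stevens' pdfid counts as risk indicators.
RISKY_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
              b"/EmbeddedFile", b"/RichMedia")

# Constructed sample (not a real file): object 1 hides a JavaScript action
# inside a FlateDecode stream; object 2 is a small zip bomb (8 MiB of zeros).
def _obj(num, inner):
    return (b"%d 0 obj\n<< /Filter /FlateDecode /Length %d >>\nstream\n"
            % (num, len(inner)) + inner + b"\nendstream\nendobj\n")

SAMPLE_PDF = (b"%PDF-1.4\n"
              + _obj(1, zlib.compress(b"<< /S /JavaScript /JS (app.alert(1)) >>"))
              + _obj(2, zlib.compress(b"\0" * (8 << 20)))
              + b"%%EOF\n")

# Stream dictionary, then the raw bytes between "stream" and "endstream".
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\nendstream", re.S)

def inflate_bounded(data, max_out=1 << 20):
    """Inflate data, refusing to emit more than max_out bytes.
    decompress(data, max_length) stops once max_length bytes are produced; if the
    stream has not reached its end marker by then, it wanted to grow further."""
    d = zlib.decompressobj()
    out = d.decompress(data, max_out)
    if not d.eof:
        raise ValueError("stream inflates past %d bytes or is truncated" % max_out)
    return out

def scan_pdf(buf, max_out=1 << 20):
    """One report entry per stream: the risky keys its content carries, or the
    reason it was refused. Only FlateDecode is handled; other filters pass raw."""
    report = []
    for m in STREAM_RE.finditer(buf):
        dict_part, raw = m.group(1), m.group(2)
        try:
            content = inflate_bounded(raw, max_out) if b"/FlateDecode" in dict_part else raw
        except (zlib.error, ValueError) as exc:
            report.append({"inflated": False, "findings": [str(exc)]})
            continue
        report.append({"inflated": True,
                       "findings": [k.decode() for k in RISKY_KEYS if k in content]})
    return report
```

Feeding `SAMPLE_PDF` to `scan_pdf` flags the first stream for `/JavaScript` and `/JS` and rejects the second without ever allocating its 8 MiB.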

2 Answers


For security reasons, it is regularly recommended to disable Javascript in Adobe Acrobat Reader. When it becomes strictly needed, Acrobat Reader will show a popup allowing you to enable Javascript on a case-by-case basis.

Moreover, other safety measures may include:

  • Using a less widely used and lighter PDF reader when Adobe Acrobat-specific functionalities are not needed (DRM-encrypted files, advanced forms, etc.),
  • Disabling the browser's built-in PDF reader and preferring a standalone reader application,
  • On Windows environments, additional tools such as Microsoft EMET have shown themselves effective against several buffer overflows affecting Adobe Acrobat Reader.

So, final word: do not trust PDF files to be safe...

WhiteWinterWolf
  • My problem is that I have no influence over which reader is going to be used; I have to filter out the potentially malicious files before they reach the target PC. – arc_lupus May 05 '15 at 12:58
  • An upstream anti-virus scan is your best bet to answer such a requirement. But you would be right to think that it will not be able to filter everything, all known and unknown threats (despite some of their claims...). That's why you need to implement defense in depth and have some security implemented on the end-user desktop environment too. – WhiteWinterWolf May 05 '15 at 13:03
  • No internet connection available, that is my second problem (otherwise I would have used the VirusTotal access). – arc_lupus May 05 '15 at 13:13
  • I meant an anti-virus installed on a machine which will be able to scan the file before it is available to the end-user (installed on the mail or file server, for instance). If there is no Internet access, special care should be taken to apply offline signature database updates to the anti-virus. – WhiteWinterWolf May 05 '15 at 17:36
  • @WhiteWinterWolf I only use Chrome PDF to read PDFs; do you think this is dangerous? Could you clarify why one should not use browsers' built-in PDF readers? At least on Chrome it is sandboxed and can't touch your PC, and you can see PDFs from the web without needing to download them in the first place – Freedo May 06 '15 at 02:40
  • Avoiding a bundled reader is a safety measure, but it is not as critical as, let's say, disabling Javascript in Adobe Reader. It's up to you to weigh the benefit of using it against the possible risks. The main risk here is that, such PDF readers being widely used (especially if it is in fact the Adobe PDF browser plugin, available for all main browsers), they are more targeted, which may expose you to more threats than a less widely used external PDF reader. – WhiteWinterWolf May 06 '15 at 08:35

"Safe" in Information Security means "the level of risk associated with this activity is one I am prepared to accept". There are risks in opening any potentially malicious file, and as with any risk, you either treat it, terminate it, tolerate it, or transfer it.

With PDF files, most people do a mixture of terminate and tolerate, by which I mean they try to avoid opening PDF files from dodgy sources, but otherwise they tolerate the risk and open the files because they need to work with documents in a well supported format.

Graham Hill
  • How do you handle PDFs from multiple sources, some of which are potentially malicious, then, without knowing which are malicious, but needing their content? – arc_lupus May 05 '15 at 12:50
  • @arc-lupus This is precisely why security is done in layers. If, say, you have an HR e-mail address that regularly gets PDFs from multiple unknown sources (resumes), it would be ideal to have the machine where those are viewed be more heavily restricted in what it can do on the network, and more closely monitored. If someone is planting malware in a PDF, they probably want to use it as a way to get into the network, or a way to cause havoc on the network. If you limit what that computer can get to, you reduce the risk. – Rod MacPherson May 05 '15 at 13:09
  • If you cannot tolerate or terminate, then you treat or transfer. You always end up doing one of the four. In this case most people will treat, for example with Rod's idea of a special machine (maybe a VM?) for opening these files. They could also transfer: go through an employment agency, for example, and have them open all the PDF files. – Graham Hill May 05 '15 at 13:23