PDF = Potential Death File?

I suggest you tell your browsers to change how it handles .pdf files so that instead of displaying them in your browser it will download them. Sven Vetsch has written about a flaw found by found by Stefano Di Paola and Giorgio Fedon (who presented this at CCC, link) in which a .pdf file can run arbitrary JavaScript on the site hosting the file. It seems that just host hosting PDFs you are putting your sites users at risk to all the evil doings JavaScript can perform. If you want to find out more about the flaw I suggest you read the afore-linked blog post, or gnucitizen’s take on it (which has a PoC on it). What I am more interested in right now is fixing the issue.

Obviously a plugin upgrade would be nice, but what about between then and now? I’d be happy if we could get a fix out quickly for web masters to apply to their sites but since the part of the url after the hash is never sent the server (which in this case is what holds the malicous code) any server side solution is pretty much impossible.
Oh what a fun start to the new year eh? On a more light hearted note, first person to see a SPAM email using this technique wins a virtual cookie from me.

Share
  • http://www.disenchant.ch Disenchant / Sven Vetsch

    As I just added to my blog entry and wrote to the mailinglists:

    It seems that I didn’t copy paste the credits out of my document I wrote with the content of this entry :(
    Of course I’ve to give some credit to Stefano Di Paola and Giorgio Fedon because they found this flaw and not me at all.
    As you see, I edited my blog entry. Next time I’ll be more careful and perhaps don’t write blog entries when I’m as tired as I was when I wrote it.

  • http://www.whiteacid.org Sid

    Thanks for that, I’ve edited the post to give them credit too.

  • http://www.whiteacid.org Sid

    Not sure how I didn’t think of this sooner? I imagine that if you told Apache to serve .pdf files as application/octet then users would be forced to download the file, which makes them safe.

  • http://anti-virus-rants.blogspot.com kurt wismer

    “Obviously a plugin upgrade would be nice, but what about between then and now?”

    in the mean time uninstall adobe reader and install foxit pdf reader which (unless they’ve made improvements since the version i got) doesn’t have browser integration…

    honestly, having pdf’s automatically download and open in a reader is not significantly different from a usability perspective from having them open in your browser…

  • http://www.whiteacid.org Sid

    Yes, That’s pretty much similair to telling your browser to download the file instead of using the plugin. I was ideally looking for a server side solution as you’d want to help people without the knowledge people in the security world have.

    Serving pdfs are application/octect does work, and I can’t see how that would break anything as a pdf is never embedded on a page the way for instance a .mov file can be.

  • Jason DePriest

    For Firefox, there is the nifty add-on / extension called PDF Download that lets you choose what to do with each PDF: download, view in browser, view as html, view it with your OS’ configured app (but not in the browser) for PDFs.

    https://addons.mozilla.org/firefox/636/

  • http://www.whiteacid.org Sid

    Thanks for that, nice addon.

  • Mune

    How do I disable my PDF?

  • http://www.whiteacid.org Sid

    In IE7 (not sure if this is even vulnerable):
    Tools > Manage Addons > Enable or disable addons > Select the “Adobe Reader Link Helper”, tick the “Disabled” option and press “ok”

    In Firefox:
    Tools > Options > “Content” tab > “Manage” button in the “file types” section > Then change or remove the event associated with PDF files.

    In Opera:
    Tool > Preferences > “advanced” tab > “downloads” section > Find the item in the list with file extension “pdf” and change it’s MIME type to “application/octet”

  • http://www.whiteacid.org Sid
  • aliane

    Hi, this flaw has no effects with IE 7 and Adobe Acrobat 7.0 Professional version 7.0.0

  • http://weblogs.macromedia.com/jd John Dowdell

    “Obviously a plugin upgrade would be nice…”

    You’re aware that this browser-specific cross-domain JavaScript request was blocked out in last autumn’s release of Adobe Reader 8, right? This info was in the original notes published by Stefano and Giorgio.

    (Other PDF readers tend not to support the use of viewing parameters in the URL at all, and so don’t pass JavaScript requests to the browser that way. As Leonard Rosenthol noted, back versions of Reader were already being updated for those who had to stay in the 7.x generation, but the histrionic headlines beat these to delivery.)

    jd/adobe

  • http://www.whiteacid.org Sid

    Thanks for that John, yes, I realised this a short while after posting this.

  • http://weblogs.macromedia.com/jd John Dowdell

    Cool, thanks. The Associated Press version got syndicated widely today, but it didn’t include that useful bit of info.

    jd

  • Stephen Turner

    As an end user I need to know how to protect myself. If the PC’s are centrally controlled it seems like one is helpless. In many cases the user is not allowed to change settings or is blocked from doing so.

  • http://www.whiteacid.org Sid

    Stephen: I can’t think of anything you can do in that case short of using portable firefox (or a portable version of another browser). But I realise that can cause problems such as proxy settings or that your company may not allow you to use memory sticks.