Is it possible to receive an "infected" pdf?

Coal Porter

Hi folks,

Ya' know, it's just about impossible to google on _any reported virus incident
pdf file_

Somebody sent me a .doc the other day. I'd normally just use the powerdesk
viewer to look at it but I had to print it and to do that, pd launched word. It
got me thinkin'<g>: Any chance of getting a virus from launching a .pdf file?
Any macros run in these pdfs? Does imbedded exe, ActiveX, that kind o' thing
apply to .pdf or has Adobe developed a truly safe attachment?

Also, I was wondering about other types of files. I remember being told that
it's possible to get hit by an .hlp and I've seen .scr as a potential culprit.
On the .hlp type, I believe there's never been one in the wild, only
lab/theoretical. Given that a user practices pretty good download behavior and
runs a major anti-vi product with up-to-date definitions: what are the odds that
an hlp or scr, an otherwise atypical virus carrying attachment/dl, will cause an
infection? Isn't it generally true that once a virus is out, the anti-vi has
been configured relatively soon thereafter to fight an infection? IOW, unless
you hear about a new hlp or scr virus, your current anti-vi will
reasonably catch anything harmful headed yer way?

Where does everybody go when they want to scope out a particular file type just
because of [a relentless and insatiable, geeklike] curiosity?

Thanks for reading-c.porter.
 
David H. Lipman

Yes, PDF files are infectable plus they are the target of the payload like deletion....

Please reference:

http://vil.nai.com/vil/content/v_99179.htm

http://vil.nai.com/vil/content/v_100269.htm

Dave

 
null

> Hi folks,
>
> Ya' know, it's just about impossible to google on _any reported virus incident
> pdf file_
>
> Somebody sent me a .doc the other day. I'd normally just use the powerdesk
> viewer to look at it but I had to print it and to do that, pd launched word. It
> got me thinkin'<g>: Any chance of getting a virus from launching a .pdf file?
> Any macros run in these pdfs? Does imbedded exe, ActiveX, that kind o' thing
> apply to .pdf or has Adobe developed a truly safe attachment?

Here's an old vulnerability and exploit due to embedded JavaScript in
a pdf file:

http://securityresponse.symantec.com/avcenter/venc/data/w32.yourde.html

Dunno what the situation is with the latest Adobe version(s) but it's
a good idea to av scan the files.

> Also, I was wondering about other types of files. I remember being told that
> it's possible to get hit by an .hlp and I've seen .scr as a potential culprit.

.SCR (screen savers) files are executable by a (default) system, and
they are very popular infection vehicles with malware writers. There
are several hundred file extensions that may contain malware.

> On the .hlp type, I believe there's never been one in the wild, only
> lab/theoretical.

Sorry to have to bring you out of fantasy land:

http://www.viruslist.com/eng/viruslist.html?id=3062

> Given that a user practices pretty good download behavior and
> runs a major anti-vi product with up-to-date definitions: what are the odds that
> an hlp or scr, an otherwise atypical virus carrying attachment/dl, will cause an
> infection?

Depends on the user and the antivirus product. Users without much of a
clue will likely get nailed sooner or later regardless of what
software they use for protection.

> Isn't it generally true that once a virus is out, the anti-vi has
> been configured relatively soon thereafter to fight an infection? IOW, unless
> you hear about a new hlp or scr virus, your current anti-vi will
> reasonably catch anything harmful headed yer way?

Keeping a _good_ av product up to date is quite helpful and important
but it's just one item among many:

http://www.claymania.com/safe-hex.html

> Where does everybody go when they want to scope out a particular file type just
> because of [a relentless and insatiable, geeklike] curiosity?

Google is your friend :)


Art
http://www.epix.net/~artnpeg
 
David H. Lipman

Art:

Just to spice up the reply.....


[For Public Release]

__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________

INFORMATION BULLETIN

UNIX PDF readers/viewers Malicious Hyperlinks Vulnerability

June 19, 2003 18:00 GMT                                  Number N-107
______________________________________________________________________________
PROBLEM:       A vulnerability in various UNIX PDF readers/viewers has been
               found where remote attackers could embed malicious external-type
               hyperlinks in PDF files allowing access to a victim's system.
               This applies only to PDF readers on UNIX/Linux systems.
               Readers on Windows and Macintosh systems are not vulnerable.
PLATFORM:      - Red Hat Linux versions: 9.0, 8.0, 7.3, 7.2, and 7.1
               - Sun Linux v5.0 (no patch information yet)
               - Sun Solaris (no patch information yet)
               - HP/UX (no patch information yet)
               - AIX (no patch information yet)
DAMAGE:        If a victim clicks on a malicious hyperlink, an attacker could
               execute arbitrary shell commands with the victim's privileges.
SOLUTIONS:     - Apply vendor patches when available.
               - Upgrade to Adobe Reader v5.07 or XPDF 2.02 pl1 (open-source
                 version).
               - Monitor CERT's Vulnerability Note VU#200132 for updated vendor
                 information.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. This vulnerability is possible because some
ASSESSMENT:    UNIX/Linux PDF readers/viewers spawn external programs to
               handle hyperlinks by invoking the shell command interpreter.
______________________________________________________________________________
LINKS:
CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-107.shtml
ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2003-196.html
ADDITIONAL INFORMATION:
    CERT:           http://www.kb.cert.org/vuls/id/200132
    Adobe Reader:   http://www.adobe.com/products/acrobat/readstep2.html
    XPDF:           http://www.foolabs.com/xpdf/about.html
______________________________________________________________________________



Dave
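
The mechanism named in the bulletin's vulnerability assessment (a link handed to the shell), next to a handler that avoids it, as an added example that is not part of the post or the bulletin. The `VIEWER` stand-in process, the function names and the sample link are assumptions made for the illustration.

```python
import shlex
import subprocess
import sys
from urllib.parse import urlsplit

# Stand-in for the external browser (assumption for this example): a child
# process that reports the argument list it was started with.
VIEWER = [sys.executable, "-c", "import sys; print(sys.argv[1:])"]
ALLOWED_SCHEMES = {"http", "https"}

# Constructed link text; the part after ';' is a harmless marker command.
SAMPLE_LINK = "http://example.invalid/doc.pdf; echo MARKER"


def open_via_shell(uri: str) -> str:
    """Weak pattern: the link text is pasted into a command line and handed
    to the shell, which parses it a second time."""
    command = " ".join(shlex.quote(part) for part in VIEWER) + " " + uri
    done = subprocess.run(command, shell=True, capture_output=True, text=True)
    return done.stdout


def open_safely(uri: str) -> str:
    """Hardened pattern: check the scheme, then pass the link as a single
    argv element with no shell in between."""
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError(f"refusing link with scheme {parts.scheme!r}")
    done = subprocess.run(VIEWER + [uri], capture_output=True, text=True, check=True)
    return done.stdout


if __name__ == "__main__":
    print("via shell:", open_via_shell(SAMPLE_LINK).splitlines())
    print("argv only:", open_safely(SAMPLE_LINK).splitlines())
```

With the shell in the path the viewer sees a shortened link and the marker command runs as a second command; with an argument list the whole link text reaches the viewer as data.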


| On Mon, 15 Sep 2003 17:27:05 -0400, Coal Porter
 
FromTheRafters

Possible, yes.

http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

> Hi folks,
>
> Ya' know, it's just about impossible to google on _any reported virus incident
> pdf file_

Use a less wordy search, something like worm pdf or virus pdf.

> Somebody sent me a .doc the other day. I'd normally just use the powerdesk
> viewer to look at it but I had to print it and to do that, pd launched word. It
> got me thinkin'<g>: Any chance of getting a virus from launching a .pdf file?

According to the write up on this one, it requires the full program
and does not work if the document is opened in the "Reader" only
application. Plus, they have probably fixed this by now ~ one would
hope.

> Any macros run in these pdfs? Does imbedded exe, ActiveX, that kind o' thing
> apply to .pdf or has Adobe developed a truly safe attachment?

Evidently Visual Basic Script is run, and the worm depends on
other Microsoft applications being present.

> Also, I was wondering about other types of files. I remember being told that
> it's possible to get hit by an .hlp and I've seen .scr as a potential culprit.
> On the .hlp type, I believe there's never been one in the wild, only
> lab/theoretical.

http://www.zdnet.de/itsupport/virencenter/dict/virus/virus3981-wc.html

> Given that a user practices pretty good download behavior and
> runs a major anti-vi product with up-to-date definitions: what are the odds that
> an hlp or scr, an otherwise atypical virus carrying attachment/dl, will cause an
> infection?

Pretty good practices still leaves a pretty good chance. ;o)

> Isn't it generally true that once a virus is out, the anti-vi has
> been configured relatively soon thereafter to fight an infection?

Something that makes itself an obvious nuisance usually gets
attention and is dealt with as quickly as possible. Worms have
lately been trying to exploit the time lag to spread as quickly
as possible in as little time as possible and as such get noticed
very quickly.

I would worry more about viruses and trojan applications that
attempt to go unnoticed for as long as is possible to remain as
effective as they can.

> IOW, unless
> you hear about a new hlp or scr virus, your current anti-vi will
> reasonably catch anything harmful headed yer way?

Wrong headedness. You cannot depend on your auntie Violet. ;o)

...seriously ~ you shouldn't put too much faith in anti-virus programs,
despite what they say, they are *not* solutions but merely tools to
help you.

> Where does everybody go when they want to scope out a particular file type just
> because of [a relentless and insatiable, geeklike] curiosity?

Easy ~ the known safe filetypes (and extensions) are listed below.
 
Boyd Williston

> Hi folks,
>
> Ya' know, it's just about impossible to google on _any reported virus
> incident pdf file_
>
> Somebody sent me a .doc the other day. I'd normally just use the
> powerdesk viewer to look at it but I had to print it and to do that, pd
> launched word. It got me thinkin'<g>: Any chance of getting a virus
> from launching a .pdf file? Any macros run in these pdfs? Does imbedded
> exe, ActiveX, that kind o' thing apply to .pdf or has Adobe developed a
> truly safe attachment?
>
> Also, I was wondering about other types of files. I remember being told
> that it's possible to get hit by an .hlp and I've seen .scr as a
> potential culprit. On the .hlp type, I believe there's never been one
> in the wild, only lab/theoretical. Given that a user practices pretty
> good download behavior and runs a major anti-vi product with up-to-date
> definitions: what are the odds that an hlp or scr, an otherwise
> atypical virus carrying attachment/dl, will cause an infection? Isn't
> it generally true that once a virus is out, the anti-vi has been
> configured relatively soon thereafter to fight an infection? IOW,
> unless you hear about a new hlp or scr virus, your current anti-vi will
> reasonably catch anything harmful headed yer way?
>
> Where does everybody go when they want to scope out a particular file
> type just because of [a relentless and insatiable, geeklike] curiosity?
>
> Thanks for reading-c.porter.

Whether a file can be infected has nothing to do with the 'type'. Any file
can be loaded with any code. It's whether or not the program that opens it
might execute any buried code. Go back to MS-DOS, and compare a .txt and
.bat file; either one can contain the same dangerous code (such as 'format
c:\'). Normally, the .txt file would be opened by a program that can't
execute the code, but the .bat file would be opened by the command line
interpreter, which does execute the code.

So the proper question is not 'can a .pdf file be infected', but 'can
Acrobat Reader or Adobe Acrobat execute code'. Yes, they can.
 
