Thread: Best ebook reader for pdf files.
View Single Post
Old 01-01-2014, 05:10 PM   #27
Sgt.Stubby
Connoisseur
Sgt.Stubby ought to be getting tired of karma fortunes by now.Sgt.Stubby ought to be getting tired of karma fortunes by now.Sgt.Stubby ought to be getting tired of karma fortunes by now.Sgt.Stubby ought to be getting tired of karma fortunes by now.Sgt.Stubby ought to be getting tired of karma fortunes by now.Sgt.Stubby ought to be getting tired of karma fortunes by now.Sgt.Stubby ought to be getting tired of karma fortunes by now.Sgt.Stubby ought to be getting tired of karma fortunes by now.Sgt.Stubby ought to be getting tired of karma fortunes by now.Sgt.Stubby ought to be getting tired of karma fortunes by now.Sgt.Stubby ought to be getting tired of karma fortunes by now.
 
Posts: 51
Karma: 530000
Join Date: Dec 2013
Device: none
Quote:
Originally Posted by HarryT View Post
That's a little misleading.

Although arbitrary programs can indeed be embedded inside a PDF, in order to activate a virus embedded in a PDF a user would have to:

1. Open the PDF Inside the full version of Adobe Acrobat.
Any PDF reader is free to interpret the contents of a PDF.
Quote:
Originally Posted by HarryT View Post
The free Adobe Acrobat Reader, Adobe Digital Editions, and all other PDF reading applications do not support embedded files and will not allow the virus to run.
All readers support embedded files. If they didn't, they would not even be able render anything, because PDF is just a *container*.

I think you're trying to say that these particular readers you mention do not support certain kinds of executable payloads. But that doesn't matter, because you cannot assume these apps are bug free. And worse, even if they were theoretically bug free, the PDF spec is defined with copious ambiguities, so PDF app developer has multiple ways to satisfy the standard, which facilitates many opportunities for exploits.
Quote:
Originally Posted by HarryT View Post
2. Double-click on the file attachment annotation inside the PDF document. This attachment cannot be run automatically – the user has to double-click on it before anything happens.
You're clearly under the impression that vulnerabilities don't exist, or that malware doesn't exploit them. Social engineering someone to get them to do something stupid is a drop in the ocean of techniques to execute malware.
Quote:
Originally Posted by HarryT View Post
3. Ignore the VERY stern warning that Acrobat will display warning you that the attachment might be malicious.
I'm betting that the PDF spec does not require player implementations to give such a warning. It's merely a good idea that one tool has voluntarily implemented, which only helps when the player is in control of the execution. Correct me if I'm wrong.
Quote:
Originally Posted by HarryT View Post
ie You have to work pretty hard to catch a virus embedded in a PDF. It cannot run automatically, and certainly not be merely opening a PDF.
You really need to get an idea of how insecure apps are that attempt to conform to the PDF spec. I highly recommend youtube vid l6eaiBIQH8k, where a security researcher just scratches the surface on the inherently insecure nature of the whole PDF format.
Sgt.Stubby is offline   Reply With Quote