Adobe PDF documents might compromise your PC, according to a security
researcher. Petko Petkov, a "creative hacker" who has previously found that Windows Media Player can harbor malicious files and that there's a critical bug in the way the Firefox browser works with QuickTime, is now reporting problems with PDFs.
Petkov said he has tested the issue with Windows XP Service Pack 2 and the latest Adobe Reader 8.1, but said that previous versions of Reader are also vulnerable.
For users, he is advising only one course of action at the moment. Users should not "open any PDF files (locally or remotely)," he wrote, adding that other PDF viewers besides Adobe Reader could also be affected.
Invisibly and Unwillingly
"Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box," he wrote Thursday on his blog. "Completely!!! Invisibly and unwillingly!!! All it takes is to open a PDF document or stumble across a page which embeds one."
He described the issue as a high-risk vulnerability of critical importance, given PDF's popularity for business use. PDFs are frequently used to distribute press releases, contracts, designs, manuals, and other material that the creator does not want altered.
Petkov said that because of the importance of PDF as a format, and the fact that "it may take a while for Adobe to fix their closed source product," he would not be publishing any code until Adobe has issued an update. He has reported that Adobe has confirmed the issue.
Best Course of Action?
This would not be the first time that PDFs have been considered security risks, but some observers note that previous attacks were designed for specific versions, while the risk uncovered by Petkov might be for all PDFs. This could point to a serious underlying flaw in the format or the way readers work.
Some PDF users are saying they are not pleased about the lack of advice. "What am I supposed to do now when I turn up for work in the morning?" wrote one user named "fatman," who commented on Petkov's blog.
"What do I say to my users? Sorry guys. Don't open any PDFs for the foreseeable future until either Adobe patch (sic) their iffy product or PDP" -- meaning Petkov -- "decides graciously to at least give us some clues as to where the problem is."
The commenter suggested that it would have been better for Petkov to tell Adobe about the issue and then either keep it to himself or publish information so businesses reliant on PDFs could make an informed decision.
For instance, he asked, does this vulnerability mean "full compromise of systems where users run without admin privileges?" Petkov responded by posting a silent video that he said demonstrated the problem, although security expert Thor Larholm commented on Petkov's site that the video is a "little light on the details."