But I wouldn't worry about those security holes; they've for the most part been repaired. No, right now I'm freaked out by what this pair did next. They took the test group of PDFs and ran them on Adobe Reader for Windows, Linux, and OSX. They found all the same security holes that the Chrome plugin had - and many more.
You might be wondering how an ebook format like PDFs could be such a danger. The first thing you should know is that PDFs are not an ebook format. Yes, everyone thinks of them that way, but the PDF spec was originally conceived as a way for a publisher to send a document to a commercial printer; it wasn't originally planned to be used in common circulation. But after PDFs got out into the wild, everyone started using the file format to do more and more things. Adobe kept adding to the spec, integrating more features, and eventually we arrived at the point where we are now.
I'm sure you know that you can embed a form in a PDF, but did you know that you can render a 3D model, play a video, or what have you inside of a PDF? What's more, a PDF can actually execute commands in your OS (check out the video at the end). You can do all this because PDFs are not documents so much as they are apps running inside Adobe Reader. Please keep that in mind as you read the rest of the post; it will scare the crap out of you.
So the 2 Google developers started testing Adobe Reader. They found all the same security holes as on the Chrome plugin, and then after analyzing their results they found more. This research took place earlier this year, and by June the pair had a solid list of some 60 plus security holes that needed to be repaired, including some which would have enabled a hacker to remotely run code on your computer. They forwarded the list to Adobe, and then went on to other work.
So why did it take so long for the story to come out? These are responsible researchers, so they first gave Adobe a chance to fix the issues - or not fix them, as the case may be.
The pair posted their data last week because they learned that Adobe hadn't fixed all the security holes. While Adobe has issued patches for OSX and Windows that repair many of the reported issues, Adobe also left some of the security holes unpatched. Mateusz and Gynvael are reporting that no fewer than 16 security holes on the Windows or OSX version of Adobe Reader remain unpatched. And the situation for Linux is even worse. According to Mateusz and Gynvael, Adobe hasn't released any updates for that version of Adobe Reader, none at all. To put it simply, if you're using Adobe Reader on Linux your ass is hanging out there.
While the researchers don't know for a fact that any hacker is currently exploiting the security holes, they did point out that it would be trivial to compare the 2 most recent versions of the Windows Adobe Reader app to find ways to attack the Linux Adobe Reader app.
Chaos, Panic, and Adobe
Folks, at this point I strongly urge you to treat all PDFs like you would treat apps. You wouldn't download an app from just anywhere, would you? I'm sure you know that is a security risk which could harm your computer, and the same is true for PDFs. I wouldn't touch a PDF unless I can verify the source. In my opinion, paranoia is not an unreasonable reaction - not today.
P.S. If you'd like to hear more about what can be done with PDFs, check out this video. Last year a security researcher gave a conference presentation on PDFs titled OMG WTF PDFs.
image by Tim Morgan