digg

Facebook Connect Join Digg About

Hacker Discovers Adobe PDF Back Doors

eweek.com David Kierznowski, a penetration testing expert specializing in Web application testing, has released proof-of-concept code and rigged PDF files to demonstrate how the Adobe Reader program could be used to launch attacks without any user action.

Who dugg this? Made popular Sep 16, 2006

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

20 Comments

show profanity settings
expand all
  • KnightMareInc, on 10/12/2007, -4/+29foxit!
  • Brennan, on 10/12/2007, -2/+27Penetration Expert...
  • mpeg, on 10/12/2007, -0/+22penetration expert discovers back door?
    big deal... :)
  • Agret, on 10/12/2007, -1/+21Overview:
    http://www.foxitsoftware.com/pdf/rd_intro.php

    Download:
    http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm
  • InkTank, on 10/12/2007, -0/+14The exact words were "penetration testing expert"
  • bitcloud, on 10/12/2007, -0/+7Like for example... writing secure code...
  • ikkysleepy, on 10/12/2007, -0/+5The demonstrations did not work for me because I tweaked my Adobe Reader using: Reader SpeedUp: http://www.tnk-bootblock.co.uk/software/index.php?type=supported&id=7F7290B5
    Instead I got an error saying the plug-in was not installed.
  • lolage, on 10/12/2007, -0/+3Title articles properly. For ***** sake. The current title leads the user to believe adobe has built backdoors into the application. Now get me a coffee.
  • deadbaby, on 10/12/2007, -0/+3People don't expect PDF files to contain executable code. Very easy to trick them with this exploit.
  • br0ck, on 10/12/2007, -0/+2No user interaction is required. A page could just have a 1x1 pixel iFrame with a src pointing to the malicious PDF file.
  • ICSU, on 10/12/2007, -0/+2answer: use foxit
  • inactive, on 10/12/2007, -1/+3does this effect foxit??? if you still use adobe reader i suggest you uninstall and try foxit, once you do, you will never go back, all the bloat is removed, no yahoo installs, or anything its great!,
  • andreo, on 10/12/2007, -0/+1Why people still use Adobe reader is beyond me. All the hooks that it wants to sink into your OS, the huge download. All to read a PDF file.
    And I swear it seems that the program gets 5 megs bigger every 2 years or so.

    Foxit works fine. 3MB vs Adobe at a bit past 20. Heck, it may be even more. I'm sure it will want to go back to the net to grab other crap to install with it.
  • Wardvark, on 10/12/2007, -5/+5Preview!
  • C0D3R, on 10/12/2007, -2/+1Buried as inaccurate. Opening a malicious PDF file is user interaction. And it isn't considered a backdoor when the Adobe functionality is by (albeit poor) design.
  • Widgy, on 10/12/2007, -1/+0Great story
  • r00tus3r, on 10/12/2007, -3/+1I always hated this bloody stupid pdf format!
  • accurrent, on 10/12/2007, -5/+0Without user action? I was under the assumption that opening a PDF was a user action, but hey, that's just me.
    Some of these aren't even vulnerabilities. If launching a web page is a vulnerability than hyperlinks themselves are security vulnerabilities.
  • JrGhoull, on 10/12/2007, -10/+0isnt it said and basically accepted that (practically) all programs can be hacked? this sorta stuff seems to at least somewhat prove it...with enough computer knowledge and some imagination anythings possible though i guess.
  • DannySpace, on 10/12/2007, -16/+4Thanks for the idea!

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...


© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.