

Implications of Recent PDF /Launch Hacks - jeffreyg
http://siemblog.com/2010/04/implications-of-recent-pdf-launch-hacks/

======
swolchok
This looks like it's on topic and might make some interesting points, but it's
just plain tl;dr, and the formatting doesn't help. I read the first paragraph
or two, clicked over to the description of the attack being referenced, and
then couldn't make it through the rest of the wall of text. If it's really as
concise as it can get, I would recommend substantially reducing the column
width.

(This is intended as constructive criticism, not Internet rage, but I'm open
to constructive criticism of my methods for same.)

~~~
ax0n
Basically: in the dystopia that is the Internet, all PDFs could be considered
a potential exploit vector by incident response teams cleaning up a corporate
malware infestation. Discussed is a plausible scheme (edit: with a PoC)
wherein all PDFs the victim has write access to on a given system are
virally infected with the same PDF /Launch code as the initial infected PDF.
The result is that even after a clean re-image and restore of all seemingly
harmless files, the infected PDFs remain and re-infection is likely.

It's no secret that PDF /Launch can be used to execute an attached binary.
Didier's work shows a way to modify the contents of the dialog box that asks
for the user's approval to launch, giving the attacker the ability to craft a
much softer-sounding "ok/cancel" situation, or one that is more likely to
result in the user allowing the attachment to launch.

As an info-sec guy, and with all the Adobe crap lately, I have to say that the
article author's opinion ("Do you really think the incident response team
will suspect every single PDF file on the user's computer as being involved? I
seriously doubt it.") doesn't hold much water. I might very likely suspect PDFs
as the attack vector and would likely refuse to restore these files without
taking a much closer look at them.
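The "much closer look" above is the kind of triage an IR team would run over every PDF in a restore set before putting it back. As an added example (not part of the thread, the linked article, or Didier Stevens' PoC), the script below scans raw PDF bytes for /Launch and related action keywords, undoes the `#xx` hex escapes PDF allows inside name objects (so a `/L#61unch` that dodges a plain grep still counts), and pulls the `/F` and `/P` literal strings out of a Launch action so the responder can see the program and parameters the document would have handed to the user. The three sample PDFs are constructed inline and are not working exploits; the `/c echo ...` parameter is a placeholder. Caveat: this operates on the uncompressed bytes only, so dictionaries hidden in compressed object streams (PDF 1.5+) need to be inflated first; Didier Stevens' pdfid/pdf-parser tools do that job properly, and this code just illustrates the idea.

```python
"""Triage scanner for PDF /Launch actions (added example, see lead-in).

Scans raw PDF bytes for action keywords, resolves the #xx hex escapes PDF
allows inside name objects (so /L#61unch still matches /Launch), and pulls
the /F and /P literal strings out of a Launch action so the responder sees
what the document would have run. Sample PDFs are constructed inline.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path

# A PDF name object is '/' followed by regular characters (no whitespace or delimiters).
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]*")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Keywords that warrant a closer look before a file is restored.
INDICATORS = (b"/Launch", b"/OpenAction", b"/AA", b"/JavaScript", b"/JS",
              b"/EmbeddedFile", b"/RichMedia")


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes inside name objects: b'/L#61unch' -> b'/Launch'."""
    def unescape(match):
        return HEX_ESCAPE_RE.sub(lambda h: bytes([int(h.group(1), 16)]), match.group(0))
    return NAME_RE.sub(unescape, data)


def literal_strings_after(data: bytes, key: bytes) -> list[bytes]:
    """Return the literal (...) strings directly following `key`, e.g. /F (cmd.exe).

    Tracks balanced parentheses; a backslash-escaped character is appended
    as-is, so an escaped paren becomes a plain paren. Hex <...> strings are
    left to a fuller parser.
    """
    found = []
    for m in re.finditer(re.escape(key) + rb"\s*\(", data):
        i, depth, buf = m.end(), 1, bytearray()
        while i < len(data):
            c = data[i:i + 1]
            if c == b"\\" and i + 1 < len(data):
                buf += data[i + 1:i + 2]
                i += 2
                continue
            if c == b"(":
                depth += 1
            elif c == b")":
                depth -= 1
                if depth == 0:
                    break
            buf += c
            i += 1
        found.append(bytes(buf))
    return found


def scan(data: bytes) -> dict:
    """Return indicator counts and, for /Launch, the /F target and /P parameters."""
    norm = normalize_names(data)
    hits = {k.decode(): norm.count(k) for k in INDICATORS if norm.count(k)}
    launch_files: list[str] = []
    launch_params: list[str] = []
    if b"/Launch" in norm:
        # /Win << /F (program) /P (parameters) >> is the Windows-specific form;
        # a bare /F next to /S /Launch is the platform-neutral one.
        launch_files = [s.decode("latin-1") for s in literal_strings_after(norm, b"/F")]
        launch_params = [s.decode("latin-1") for s in literal_strings_after(norm, b"/P")]
    return {"indicators": hits, "launch_files": launch_files,
            "launch_params": launch_params, "suspicious": bool(hits)}


def build_sample_pdf(catalog_extra: bytes) -> bytes:
    """Constructed minimal PDF for exercising the scanner; not a working exploit."""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R " + catalog_extra + b" >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


BENIGN = build_sample_pdf(b"")
LAUNCH = build_sample_pdf(
    b"/OpenAction << /Type /Action /S /Launch "
    b"/Win << /F (cmd.exe) /P (/c echo Click Open to view this document) >> >>")
# Same action with the name hex-escaped: a naive grep for '/Launch' misses it.
OBFUSCATED = LAUNCH.replace(b"/Launch", b"/L#61unch")


def main(argv: list[str]) -> None:
    samples = [(p, Path(p).read_bytes()) for p in argv] or [
        ("benign.pdf", BENIGN), ("launch.pdf", LAUNCH), ("obfuscated.pdf", OBFUSCATED)]
    for name, blob in samples:
        result = scan(blob)
        verdict = "SUSPICIOUS" if result["suspicious"] else "clean"
        print(f"{name}: {verdict} {result['indicators']}")
        for f in result["launch_files"]:
            print(f"  would launch: {f}")
        for p in result["launch_params"]:
            print(f"  with parameters: {p!r}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with no arguments to see the three constructed samples triaged, or pass PDF paths to scan real files. Note that the scan only flags the presence of action keywords; a `/Launch` hit is a reason to open the file in a parser and read the action, not proof of infection by itself, and the hex-escape handling is exactly the sort of thing that separates "grep for /Launch" from a check a responder should trust.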

