Hacker News new | past | comments | ask | show | jobs | submit login
LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group (welivesecurity.com)
386 points by tcsl_armor on Sept 28, 2018 | hide | past | favorite | 86 comments

> Computrace/Lo Jack is a legitimate application that is factory installed into the firmware of nearly every laptop in the world, of all varieties. The idea is that if your laptop gets stolen, you can find it, and/or wipe it remotely. This is obviously good, and useful.

How is this so? No one's ever mentioned this when talking about stolen laptops. They talk about high level software like Prey or whatever Apple uses. How would you use this to find your laptop? There's a central server that almost every laptop on earth talks to? Seems highly doubtful.

You’d hope that’s unlikely, but unfortunately it is not. Microsoft left a backdoor in UEFI/Bootlocker to specifically support this.

It’s also had a history of major security issues, and a vendor who does not understand how to deal with vulnerability reports.

They aren’t on Apple laptops though, just most OEMs.

Personally, I think it’s absolutely fantastic that this has finally been publicly exploited in the wild and repurposed for malicious purposes, because this was called out as an obvious threat almost 10 years ago now, and none of the vendors took it seriously or cared. Now they can’t ignore it with the “we have no reports of any customers being attacked” deflection and they will likely face far more scrutiny. It’s just like what happened with the Intel ME staying under the radar for so long, but at least to Intel’s credit, they actually attempted to build security in.

Wow, that's so wrong on so many levels:

- Install more software to make it more secure

- Put secure software in the lowest ring possible to make it more secure

- "The good can use it against the bad" but not the other way round

- Proof of ownership based on "I said it first"

- Of course, closed source, because security

Sorry for the tinfoil interpretation, but I believe it's hard to convince every company to (most likely) pay for this stuff without some sort of coercion.

Looks to me like Intel ME, secure platform processors, mandatory backdoors for devices, and the likes.

> The software agent behaves like rootkit (bootkit), reinstalling a small installer agent into the Windows OS at boot time. This installer later downloads the full agent from Absolute's servers via the internet. This installer (small agent) is vulnerable to certain local attacks

And once again Linux is a solution.

I'm a full time Linux user so I'm all for fanboying, but the belief that Linux would be immune to this type of attack is naive at best.

If Linux included functionality to have the firmware legitimately push applications at boot time you’d be able to just remove that functionality.

At these levels Linux doesn't need to include the functionality. This operates below the kernel and can include its own functionality without the Kernel ever seeing it present.

Where this code lives they can sit passively by until you've decrypted your hard drive (capturing your key in the process), patch the kernel with a rootkit, and start processes or drop files that will be invisible and inaccessible to even other kernel processes.

This isn't a vulnerability in Windows, or Linux. This is drinking from a polluted pool before they come into existence and poisoning the system.

You are describing some sort of firmware modification attack. That is not what this is. If the software stub is not actively downloaded by the OS then it can't run. This exploit is very specific to a bonehead thing Windows does. No other OS (e.g. Linux) would be vulnerable.

You're talking about an attack against the agent this is designed to download, or you don't understand what a UEFI attack is. This is an attack against the UEFI part, not the agent. This isn't firmware, but it is pre-bootloader. UEFI is the bootloader that loads your bootloader and is stored not on your hard drive.

If software at this level is malicious, it has equal privileges as your BIOS before any kernel gets loaded. It doesn't matter what the operating system is, it just has to be designed for it. It can return TPM approved checksums to your kernel and continue a secure boot as long as it knew what those checksums were before it modified them. Oh you use an external drive for your unencrypted boot partition? That can be modified as it is read off disk, before you're ever prompted for a disk passphrase, and it will report the correct checksum before it gets loaded.

This is a vicious level of access for malicious software, and it is OS agnostic as far as the attack goes. THIS instance is Windows only because that is what it was targeted at.

I am talking about the attack against the agent because that was the attack that josteink stated that Linux was not susceptible to.

> If Linux included functionality to have the firmware legitimately push applications

Does it need to? Is there anything stopping the firmware dropping, say, a systemd service on the disc?

That’s not legitimate. This is a documented api the firmware can use to get Windows to run a binary at boot.

Or a start up script on SysV Init systems.

Here are some easy ways to prevent UEFI from tampering with your drive:

Disable UEFI. https://github.com/corna/me_cleaner

Disable the ACPI hooks that register the kernel with UEFI. http://heim.ifi.uio.no/~knuto/kernel/4.14/admin-guide/kernel...

Use full disk encryption - unlike Microsoft Bitlocker which left backdoors for LoJack, linux vulnerabilities are publicized and you can update as soon as the patch appears on the internet.

Switch to a filesystem that the UEFI malware does not understand. Or move fields and magic numbers around in an existing filesystem to create a "custom" filesystem.

Or a combination of all of the above.

> the belief that Linux would be immune to this type of attack is naive at best.

Certainly not. The exploit depends on Windows-specific and Windows-only behavior[1].

[1] https://news.ycombinator.com/item?id=10039870

This specific implementation does.

What's stopping firmware from patching GRUB to patch the kernel to do things it's not supposed to do? There is nothing inherent to Linux that makes it invulnerable to this kind of thing.

If you can't trust the underlying hardware or firmware, you cannot trust the machine.

But there's no technical reason this behavior must be Windows-only; it's just that way now because Linux isn't a business priority. The fundamental architecture, where UEFI software can write to a filesystem on the disk, applies to Linux installs just as much as Windows.

Using Linux is likely a good move, and encrypting your filesystem even better. But both of these could be defeated by an appropriately targeted UEFI program. I get the appeal for an enterprise that wants a chance at remotely tracking a stolen laptop, but now we can see how much power can be misappropriated when the system is compromised.

The problem here is not UEFI software being able to do nasty things to your OS disk.

Anything launched prior to your OS can do that, like boot-sector viruses of the old days.

What’s different here is how someone (with luck) can infect your firmware stealthily and deploy a UEFI payload (typically intended to provide base HW drivers with a machine) which Windows will actively detect and install and run without question.

And thus the initial agent gets deployed and installed.

Windows installs the root kit into its own FS, all by itself.

But only on Windows, because Linux does NOT look for or use that UEFI driver payload.

Linux is immune to this attack. Really.

If your entire firmware gets corrupted and replaced by a hostile material, obviously you’re screwed, but what is the chances of that happening and your machine booting?

UEFI let’s the FW signal to the OS upon boot “please install this driver blindly”, but it can’t force the OS.

Only Windows obliges to this request. Linux is immune.

Is there anything that prevents the FW from writing to the disk directly? Or patching the OS kernel in memory? Unless there are actually security mechanisms in place to assure that firmware can only politly request the OS to do something, then it is only a matter of best practices and ease that that is the mechanism used.

Can someone explain to me why this factually correct[1] comment is so heavily downvoted, as opposed to explaining how I may be mistaken?

I’m baffled to say the least.

[1] https://news.ycombinator.com/item?id=10039870

There is not just a single explanation, but I'll give it a go. 1) Many industry titans such as MS, Apple and Monsanto, just as examples, have encouraged employees to participate in forums like this in order to affect conversations and influence debates, so real users of a strong bias against uncomfortable truths/facts use down votes in a way not intended. 2) from those same types of companies, sockpuppetry has become a pervasive and powerful item in their toolbelt, accomplishing the same as above but with inorganic users and on a large scale. 3) HN has some extremely good commentators, some who have been around for a long time, but I have noticed a large careening away from the type of hackeristic dogged pursuit of truth and lack of fear of attacking power that seemed to be the core of HN in its earlier days. in particular, since the user protested and ignored rule change to "don't be negative" , where heated debates between truth to power speakers and status quo speakers tend to bring the hammer down on those against the status quo. Hence why I say HN seems to me to have become much More than ever before, MBAs who pretend to be hackers, instead of the other way around. 4) As a greybeard sysadmin type, I think many users suffer from Stockholm syndrome, and will blindly downvote (usually with no comment) attacks against their kidnappers, even if truthful.

I don’t know about Monsanto, but I have knowledge of the social media policies of both Apple and MS and you couldn’t be more wrong. Don’t mistake personal bias/company pride for an organized sock puppet campaign.

MS allows its employees to comment on matters in a personal capacity with a disclaimer indicating such.

Apple employees are not supposed to comment at all, and can be terminated for doing so.

Both explicity forbid shilling, and there is no encouragement by the company to do anything like what you’re describing. This should be obvious if one considers how many lawyers they employ whose sole job it is to prevent them from being sued, charged, or investigated.

I know folks at both companies, and while everyone is unique, I noticed that many have a lot of pride in their employer, have a strong dislike for competitors, and would likely engage in expressing their disagreement voluntarily.

Appreciate this info. Couple of questions:

1. Are there any probable/plausible examples of such manipulation? I say this from a 100% naive standpoint - literally: I've never seen it myself, so it unfortunately does work. Not to say I doubt it exists; I've read about the concept enough times that I accept that it exists.

2. Regarding (3), do you think it would be possible to cultivate that mindset again, in a different setting/environment, or are these trends influenced by the contemporary status quo? :/

2a. If you _do_ think it might be possible, I'm very interested to absorb ideas on how to create constructive discussions online. People have had more than enough interactions with the current mainstream (twitter, facebook, reddit, here, etc) to probably have _some_ idea on how to massively improve tooling/UX/etc.

1) Only one recent example of thishttps://www.seattletimes.com/business/amazon/amazon-program-...

2) I do think it is possible, but it is much more difficult to gain those users back who have fled due to those issues. It would require a public shift in forum management style that openly acknowledges it's issues, which especially in a place like this would be hard because for the most part dang et al actually do a great job and the issues we are talking about are very nuanced...

2a) If you come to some conclusions on this I'd like to hear them too. Its something I think about often, and I'm yet to find some silver bullet. I tend to gravitate towards some mishmash of past techniques, for example, I really liked Slashdot mod system, where random users were given mod ability, and instead of just points, you could label something informative, funny, etc. I also think exclusivity can be a boon, so for example invite-only forums or some other exclusion method can naturally curate conversations, but on the flip side you will tend to keep otherwise good commentators silent that way. steemit's idea of monetization via crypto of good content is another approach... none of them alone seems to be enough...

One idea I've had that's technically challenging would be some sort of AI comment judge with preselected criteria, so let's say a commentor makes many logically fallacious comments, then that person gets a temp-ban.

Another has been just purely based on comment depth/length. If a user often goes in depth, a few one sentence quips would reduce their score-weight but they could still post, but another user who only does one line quips would get a temp-ban.

in short, I don't know, but whoever figures this out is going to be a big deal

I started spending more time here specifically because these problems became more pervasive on reddit. Seems like the same thing is happening here now.

Any suggestions on where to go next?

Unfortunately I don't. one thing to keep in mind is that More specialized and specific forums tend to maintain that vibe, so instead of more generalized forums find the niche ones and watch em on RSS.

I also still enjoy irc, usenet, and deepnet sites (such as onion sites, etc) for the less mainstream, old school hacker vibe.

Your comment is incorrect as applied to the actual rootkit being discussed. It's (arguably) factually correct in isolation, but misleading.

> UEFI let’s the FW signal to the OS upon boot “please install this driver blindly”, but it can’t force the OS.

> Only Windows obliges to this request. Linux is immune.

UEFI firmware runs before the OS and with greater privileges – e.g. it has control over System Management Mode (SMM), which is hidden from the OS. It can force the OS to do whatever it wants. For example, it can modify system files on disk, which should be enough to compromise most Linux installations. If that isn't possible (because something verifies the files), it could, e.g., patch the next stage bootloader it loads (which could be GRUB or the kernel itself via EFISTUB), in memory before executing it. Or, as an easier approach, it could just add a SMI handler that patches the kernel later on.

It is true that Windows 8 and later exposes a way for UEFI to "ask it nicely" to load a given driver, without having to patch anything, namely the WPBT (Windows Platform Binary Table). As you note, this is the mechanism Lenovo used to persist Superfish. The reason it exists, however, is for anti-theft software such as Computrace/LoJack. Earlier versions of Computrace took a "brute force" route to installing its persistence driver, patching system files on disk, and there wasn't really anything Microsoft could do to stop it. So instead they decided to give them a sanctioned route to accomplish the same thing, which at least is less likely to break something in the process.

However, at least according to the white paper, the LoJax UEFI rootkit does not use WPBT at all. Instead it uses an approach that seems to be inspired by older (pre-WPBT) versions of Computrace. [1] Specifically, it drops a binary "autoche.exe" into the filesystem, then modifies the registry to execute autoche.exe on boot instead of the normal autochk.exe (note that the last letter is different).

Thus, WPBT is irrelevant in this case. The malware hijacks Windows by modifying its filesystem, and if the authors cared enough to target Linux, they could hijack most Linux installations the same way (and all installations with a somewhat more difficult approach). But then, even if some piece of malware did decide to use WPBT when targeting Windows, it could still use the more elaborate methods to target Linux. At most, WPBT makes it slightly easier for UEFI malware to target Windows than it would otherwise be. But it really doesn't make much difference.

[1] To clarify: As the white paper describes, a later stage of the bootstrap, rpcnetp.exe, is actually copied from an older version of Computrace and merely patched to change the C&C server address. However, the UEFI part of the malware is custom, and merely uses a similar (but slightly different) overall approach. Computrace's own UEFI driver worked by actually modifying autochk.exe, whereas the malware modifies the registry to execute a different filename instead.

> I'm all for fanboying

You probably shouldn't be. All this "fanboying" annoys the hell out of people because faboys are constantly trying to sell linux as the solution to all problems, and then when people give them reasons why linux isn't a solution to their problems they get really defensive and start using canned excuses like "well it works for me", "you didn't pick the right distro", "normal users don't need that", "you need to research your hardware", "you have the source so you could fix it yourself", or even "Windows/MacOS have problems too!".

The community alone is enough reason to avoid linux.

note: in this instance, "linux" is being used as shorthad for "the GNU/Linux Desktop".

> You probably shouldn't be. All this "fanboying" annoys the hell out of people because faboys are constantly trying to sell linux as the solution to all problems ...

This is true for nearly anything imaginable, not just Linux.

> The community alone is enough reason to avoid linux.

If you selectively pick the worst of any given (tech related) community, you'd probably be using nothing.

> This is true for nearly anything imaginable, not just Linux.

Yes, it is, but that doesn't mean you should be doing it if you actually care about linux.

> If you selectively pick the worst of any given (tech related) community, you'd probably be using nothing.

I'm not selectively picking anything. This is the part of the community I am constantly exposed to because it is the part that evangelizes.

> I'm not selectively picking anything.

That's definitely why you're hanging out on a website built for armchair intellectuals. There's definitely no bias on the selection of people who visit and comment here. /s

You're making the assumption I was referring only to encounters on HN.

Clearly you've had some frustrations using GNU/Linux, and I'm sorry you've had to deal with that. It must be really upsetting to have your problems disregarded like that by other people, and not being listened to.

However, it's also quite inappropriate to completely ignore the main point of someone else's comment and vent all these frustrations on them for using the informal term "fanboying", and I don't think that doing so contributes anything to the current discussion about whether GNU/Linux is vulnerable to this rootkit.

It wasn't the use of the term fanboying I objected to, but rather the endorsement of said behavior.

Sorry you feel that way. Opinions like yours are job security for me.

Maybe against this specific vulnerability, but with firmware (e.g. Intel ME) running in ring -3, it could in principle inject itself into any (ring 0) kernel.

I can't believe I haven't heard of this before.

ekianjo's wikipedia link describes how it works: tracking is still done by a high-level software agent, the firmware part is there to make sure that it is present on the filesystem each time the machine boots, making it survive Windows reinstalls.

It's listed in many BIOS screens under "security".

So if my BIOS doesn't mention it I'm in the clear? Or is it just the case that some users have no way to disable/enable it?

You might be in the clear, but make sure you've traversed every menu and sub-menu in the BIOS configuration. One of my laptops -- I don't recall which, sorry -- has the settings located a few levels deep with some very unsuspecting terminology. Even when I was looking specifically for it (I knew it was in there!), it took me a few minutes to actually find it.

Also, WRT turning it off, there are typically two options: deactivate and disable. One is just "temporary" (in that it can be turned back on later), the other is (supposedly) permanent and "impossible" to revert. Make sure you choose the right one (for you).

Google your BIOS version strings, perhaps, or extract/dump and disassemble/unpack it.

Yup, these guys got a deal way back and built their business on it https://www.absolute.com

Doubtful, but true - though it _should_ not be preactivated. But sometimes it is. Not to mention the Lenovo "rootkit" which is quite widely known.

Wow, we've posted the same points within the same minute...

The Lo Jack stuff is a red herring. The main attack vector is SPI write protection bypass. I'm not sure what they used to get local root though. Once you can write to the SPI flash, you can write whatever you want, lojack or not. And this uses some old known vulnerabilities for SPI write bypass. There have been some of those over the years. I had to use one myself to bypass wifi whitelists in lenovo bioses. I don't think this would work on platforms with boot-guard though.

that's correct, something like SecureBoot would have prevented this as the signatures wouldn't have been able to be verified and therefore never proceeded.

No secure boot doesn't prevent this directly. Secure boot checks for the booting OS. Boot guard is what checks the booting BIOS.

Using flashrom [1] you can dump the contents of your SPI flash for the inspection and open the image with UEFITool [2]. Both tools are opensource and developed for years. Some people recommend to use chipsec [3], but it can less in terms of dumping and unpacking. The state of security in UEFI firmware is horrible, thing is overengineered and poorly written (bad code practices). Not to mention Intel ME/AMT/etc that also provide the easy way for attacker to persist and hide itself once compromised. Projects like coreboot [4] and vendors like Purism [5] allow the tighter control of your own hardware, but thanks to Intel it still has a lot of blobs of a bad code. Apple realized they can't trust Intel and other "BIOS" writers, so working on improving the security and codebase. Thus the state of affairs is slightly better on Macbooks. I believe x86 firmware world is beyond any hope to get any better and everyone should focus on building better hardware/architectures from scratch. Hopefully companies like Raptor Engineering [6] can shift the mindset of consumers.

[1] https://flashrom.org/Flashrom

[2] https://github.com/LongSoft/UEFITool

[3] https://github.com/chipsec/chipsec

[4] http://coreboot.org/

[5] https://puri.sm/

[6] https://www.raptorcs.com/content/base/products.html

> Computrace/Lo Jack is a legitimate application that is factory installed into the firmware of nearly every laptop in the world, of all varieties. The idea is that if your laptop gets stolen, you can find it, and/or wipe it remotely. This is obviously good, and useful.

This is useful, but not obviously good. It's good only if it's securely implemented, but as a user, I'm not sure. I've disabled Computrace on every laptop I own, and now stopped worrying about it after installing coreboot.

Kind of a shame that security houses are doing legitimate research, but the products they release just don't have the same effectiveness they used to. If sales of antivirus is dropping, where will they get their funding from? Perhaps there needs to be some new approaches to anti-virus. The old fire and forget method doesn't work anymore, and lots of people/organisations don't realise that yet. But it won't be like that forever.

> the products they release just don't have the same effectiveness they used to. If sales of antivirus is dropping, where will they get their funding from?

Anti-virus software was very easy to circumvent in the past. Getting the kernel32 address from the PEB, having your own PE loader and having most code xored with the Mersenne twister output in the data segment for obfuscation, as well as some runtime is_sandbox() heuristics and no AV would detect anything malicious.

Don't know if it got better or worse, but AV software was not very good at finding malicious code explicitly written to not run in plain sight in the past.

AV isn’t good at finding malicious code that hasn’t been discovered and classified but it’s also pretty unlikely that you’ll encounter one unless you are a high value target which is being actively targeted.

Having Windows Defender on is sufficient for the casual threats most people would encounter.

> it’s also pretty unlikely that you’ll encounter [malicious code that hasn’t been discovered and classified] unless you are a high value target which is being actively targeted.

This sounds much like survivorship bias to me.

No this is simply what they are good at it's like a vaccine it won't help you against mutations or something that was engineered but it's not a reason to not vaccinate when it's does cover a large number of other infectious diseases.

So unless you going to say that vaccination is survivorship bias because we don't have them against some diseases I really don't see your point.

Windows Defender will block virtually every common infection these are what most people get hit by, it will also block virtually all ransomware and you can see just how much the ransomware "market" got hit once they implemented it to see that it is effective.

Yes it won't protect you against NSA or some high end hacking group that writes completely custom malware to target single individuals but you are also not likely being the target of these.

But you are likely be target of the 1000's of known threats that are spread through driveby attacks, infected media and pretty old stuff you'll be surprised just how common 5 year old infections still are.

I thought Windows Defender detection is abysmal? Not the case anymore?

It never really had detection issues unless you count the very first versions for Windows XP https://www.av-test.org/en/antivirus/business-windows-client...

And for many things WD is simply much better than any solution this includes offline removal of rootkits (it can boot into a WinPE environment for a scan) and Ransomware protection where Windows Defender can restrict apps from accessing folders that tend to keep user data: https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/...

Basically if you have Windows 7, 8 or 10 keep Windows Defender on it actually does work.

They still have corporate clients that need AV for “compliance”, AV isn’t totally useless unless you are a high value target that said with Windows using anything other than Windows Defender is a waste of money these days for the casual known threat it’s good enough.

If you share removeable media with other people and have people who use your computer or on your network that aren’t exactly security conscious it’s not a terrible idea to have it enabled.

Can’t say for all of them; but a lot are silent via being consultancies.

Worth noting this important caveat mentioned in the article:

> "The tool described above is able to update the system’s firmware only if the SPI flash memory protections are vulnerable or misconfigured. Thus, you should make sure that you are using the latest available UEFI/BIOS available for your motherboard. Also, as the exploited vulnerability affects only older chipsets, make sure that critical systems have modern chipsets with the Platform Controller Hub (introduced with Intel Series 5 chipsets in 2008)."

Is it a vulnerability in the SPI chip itself, or is the master allowing writes that it shouldn’t ?

Does the SPI chip have a write protect line? Or could it be subbed with one that does?

FWIW, some BIOSes have a setting to disable "remote" firmware updates -- although I certainly cannot speak for how reliable that is (and, judging by past experiences, it isn't very reliable at all).

I miss dearly bios write protect jumpers on motherboards.

The root of the problem that old BIOSes wrote their configuration into the CMOS memory, while all UEFI-based firmware storing configuration right in the SPI flash itself. Changing the values of variables every boot, sometimes performing "garbage collection" for compressing the size. Moreover, ME-like systems also write into the flash, sometimes even logging events. Every single boot, this is how it was designed.

This is very interesting, to be sure, and I commend everyone involved for their work in exposing this stuff. But does anyone else get irked by the style of writing? He’s alternating between implying complete assuredness and being excessively vague:

> (2) The perps are probably a Russian hacking group (military, KGB, FSB, or something similar), known by a bunch of names, but I call them Fancy Bear, for no particular reason other than it was the first name I knew them by, and it's a neat name. These are the same guys that (probably) broke into a factory in Taiwan in Feb 2018, and modified firmware in a bunch of computers, headed for the German government.

How could he possibly be so sure (that he implies) that this is the same group? Sure, he adds a couple of “probably”s, but the style is completely undoubting.

Then, later:

> (6) Interestingly, the modus operandi of the Lenovo rootkit and the modified Lo Jacks, are _remarkably_ similar. This might be pure coincidence… or … maybe something else.

Maybe what? Why is he being cagey about what it could be? It looks like he wants the reader to feel like the “in”-group who knows what he means, but in reality nobody does.

I didn't get the impression that he was trying to imply anything beyond what he wrote... I think it was very clear that such speculation had no backing and was purely that- speculation.

I wish there was a reset button on the back of every computer that would reliably erase all memory and bring the computer back to its initial state.

You've never had to help a family member with their computer, have you? Maybe a switch on the motherboard, buried inside the case.

You are probably talking about data loss. That's what online backup is for. My recommendation to non-technical people is to do what I do: have one four-word password that unlocks the computer, their password manager, and the online backup. Typing the password every day to unlock the computer makes super sure they won't forget it.

But yes, not letting people reset their computer by accident is just good user interface.

How can one determine if LoJack is present on their laptop (Linux user here)...

These blogs are not very good. Here is the PDF about this vuln.


I don’t know why security-conscious people would willingly load a PDF but there you go.

Are you saying PDFs are a threat? More so than a web page?

Slightly OT, but you would be surprised at how much power PDFs have (especially when opened in Adobe Acrobat/Reader). I recently came across this monstrosity[1] on HN, and the author mentions this:

> Scripts can supposedly do things like make arbitrary database connections, detect attached monitors, import external resources, and manipulate 3D objects.

That's an unprecedented level of power for what is supposedly a simple document format.

That being said, PDFs are only a threat when opened in a with support for these obscure APIs, such as Adobe's own readers. You (probably) will be fine opening untrusted PDFs in Chrome's PDF reader (PDFium) and Preview.

[1]: https://github.com/osnr/horrifying-pdf-experiments

Note; Chrome's PDF reader executes the nested JS in his breakout PDF game. IIRC, the only one that did support it.

Not that PDFium is any worse than Adobe, but certainly not much better.

Thanks! I also heard it's got a email sender (and receiver?) inbuilt.

You should totes makes this a top level HN post!!!! (I typed in my statutory copied one line NeWS program back in the day too. Never again)

There were multiple vulnerabilities related to PDF parsing in Adobe/Acrobat Reader/, firefox (pdf.js) and document viewers(libpopler, Okular). Also, there was a "game of life" implementation in PostScript and you can expect same level of capabilities in PDF.

PostScript at least has the excuse that it _is_ a programming language (for assembling documents for printing, but still a proper programming language) while PDF is supposed to be a fixed document format. PDF has far too much power for what it is supposed to do.

Microsoft got it right with (O)XPS -- none of that dynamic stuff that lets you do all kinds of naughty things to the system with a properly formed document like PDF can do.

> Microsoft got it right with (O)XPS -- none of that dynamic stuff that lets you do all kinds of naughty things to the system with a properly formed document like PDF can do.

On the other hand, they also get it wrong with other things and we end up with SYSTEM-level compromises due to a vulnerability in a font!

That of course depends on what you think it’s supposed to do.

PDF is not just a representation of paper, you can for instance also build forms.

It would be nice if there was a separate ‘static paper’ only extension/mime type but there isn’t.

The pdf format is essentially an executable. Whether or not the browser sandboxes it correctly is a matter of debate.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact