PDF files have become the de facto standard for sending documents. We think of them as relatively innocuous because they are generally not editable. The specification for these documents is very powerful, though: it includes the ability to run code from within the document. If that sounds a little scary, it should.
The native code-execution features of PDF files are supposed to be sandboxed. We have seen, though, that a “sandbox” is not the digital equivalent of a maximum-security prison. There have been several instances where Java code has managed to “escape” from the sandbox.
The bottom line: advise all clients to be very cautious about opening PDF files, especially those that are unexpected or come from untrusted sources. Attacks have been surfacing in the wild, and we may reach the point where even PDF files from trusted sources are a threat.
Both Adobe and Foxit are scrambling to address this issue. In most cases, Adobe (and now Foxit, with the latest patch) will warn before executing code, but the attacker can manipulate the text in the warning dialog, so there will be efforts to trick users into allowing the code to execute. Warn clients about this!
Dennis H in West Virginia, US
April 07, 2010
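The code-execution features the post refers to are ordinary PDF actions: a /Launch action asks the reader to start an external program, /JavaScript and /JS carry script, and /OpenAction or /AA make an action fire automatically when the file is opened or a page event occurs. A defender can triage an incoming PDF for these before anyone opens it. The following scanner is an added example and is not part of the original post; it uses only the Python standard library, and the three sample PDFs inside it (BENIGN_PDF, LAUNCH_PDF, OBFUSCATED_PDF) are constructed for illustration, not real samples. It goes one step beyond the post by also decoding the `#xx` hex escapes that the PDF name syntax allows, so that an obfuscated name such as `/J#61vaScript` is still recognised as `/JavaScript`.

```python
import re
from collections import Counter

# PDF name tokens that let a document trigger code or launch external programs.
# /Launch runs an external program; /JavaScript and /JS carry script;
# /OpenAction and /AA make actions fire automatically (on open, on page events).
RISKY_NAMES = {"/Launch", "/JavaScript", "/JS", "/OpenAction", "/AA"}

# A PDF name starts with '/' and runs until whitespace or a delimiter character.
NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]*")

# Inside a /Launch dictionary, /F names the file or program to start.
# Limitation: this matches the literal name /F only, and scans uncompressed
# bytes; objects hidden in compressed object streams are not seen.
LAUNCH_FILE = re.compile(rb"/Launch\b.*?/F\s*\(([^)]*)\)", re.DOTALL)


def normalize_name(token: bytes) -> str:
    """Decode #xx hex escapes so /J#61vaScript compares equal to /JavaScript."""
    def repl(m):
        return bytes([int(m.group(1), 16)])
    return re.sub(rb"#([0-9A-Fa-f]{2})", repl, token).decode("latin-1")


def scan_pdf_actions(data: bytes) -> Counter:
    """Count occurrences of each risky name in the raw (uncompressed) PDF bytes."""
    counts = Counter()
    for m in NAME_TOKEN.finditer(data):
        name = normalize_name(m.group(0))
        if name in RISKY_NAMES:
            counts[name] += 1
    return counts


def launch_targets(data: bytes) -> list:
    """Return the /F targets of every /Launch action found in the file."""
    return [m.group(1).decode("latin-1") for m in LAUNCH_FILE.finditer(data)]


def verdict(data: bytes) -> str:
    """Map scan results to a triage decision a mail gateway or analyst could act on."""
    hits = scan_pdf_actions(data)
    if "/Launch" in hits:
        return "BLOCK: /Launch action can start an external program"
    if "/JavaScript" in hits or "/JS" in hits:
        return "REVIEW: embedded JavaScript present"
    if "/OpenAction" in hits or "/AA" in hits:
        return "REVIEW: automatic action present"
    return "CLEAN: no code-execution features found"


# Constructed sample files (hypothetical content, not real documents).
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

LAUNCH_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /Launch /F (example.exe) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same idea with the action name hex-escaped, as an evasion attempt would do.
OBFUSCATED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /J#61vaScript /JS (placeholder script) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PDF), ("launch", LAUNCH_PDF),
                          ("obfuscated", OBFUSCATED_PDF)):
        print(label, dict(scan_pdf_actions(sample)), launch_targets(sample),
              verdict(sample))
```

The scanner deliberately reports the /F target of a /Launch action, because that string (together with the action's other parameters) is exactly what the reader shows in, or lets the attacker influence in, the warning dialog; seeing it at the gateway removes the user from the decision. A production version would also inflate FlateDecode streams and object streams before scanning, since names inside compressed objects are invisible to a byte-level search.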