April 6th, 2010

Warning: Self-Improving Software

Public Service Announcement: PDF Vulnerability

Vulnerability found that allows PDF documents to run arbitrary code.

There's no hacking, cracking, or exploits here: this is just using features built into the format.

I just opened the test file using Adobe Reader under Ubuntu 9.04, and nothing popped up. This seems to be another Windows-Exclusive feature, brought to you by the fine folks in Renton. Any Mac users out there to try it?

Thanks to theweaselking for pointing this out. I'm just passing on the word.

Edit: aeto and theweaselking have pointed out that, of course, the embedded command in the text file is, specifically, a Windows command. Of course it's not going to work in Mac or Linux.

The question is, if the function call is replaced by the appropriate 'Nix command, will it work? And if it doesn't work, is that due to "superior OS security", or just the erratic feature support that us Linux users all bitch about when it interferes with things we want to do, and gloat about when it interferes with potential hazards?

I lack the 'Fu to make the appropriate test files myself, but one of the commenters linked to a file that includes the commands for Windows, Mac and Linux.

Using that, under Ubuntu 9.04:

In Evince: nothing.

In Acrobat Reader 9.3.1: warning pop-up, but nothing opens when I click the button to allow it to open.

I've confirmed that xcalc is, indeed, in usr/bin/, as the text file assumes.

So: is this a Linux security feature, or a Linux compatibility bug?

I need a real warning icon for posts like this.
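An added example, not from the original post or the linked test file: a small triage script that reports which platforms a PDF carries an embedded command for, which is the check the multi-platform test above relies on. It assumes the built-in feature is the PDF launch action (`/S /Launch` with `/Win`, `/Mac` and `/Unix` entries), which the post does not name, and it only sees objects stored uncompressed; the sample bytes are constructed.

```python
import re

PLATFORM_KEYS = (b"Win", b"Mac", b"Unix")

# Constructed sample, not the linked test file: object 3 has an entry per
# platform, object 4 hides the action name behind a #xx name escape.
SAMPLE = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /OpenAction 3 0 R >>
endobj
3 0 obj
<< /Type /Action /S /Launch
   /Win << /F (placeholder) >>
   /Mac << /F (placeholder) >>
   /Unix << /F (placeholder) >> >>
endobj
4 0 obj
<< /Type /Action /S /L#61unch /Unix << /F (placeholder) >> >>
endobj
"""


def decode_names(data: bytes) -> bytes:
    """Undo #xx escapes so that /L#61unch is seen as /Launch."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def find_launch_actions(pdf: bytes):
    """Return [(object number, [platform keys present])] for launch actions."""
    hits = []
    for m in re.finditer(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", pdf, re.S):
        body = decode_names(m.group(2))
        if re.search(rb"/S\s*/Launch\b", body):
            keys = [k.decode() for k in PLATFORM_KEYS
                    if re.search(rb"/" + k + rb"\b", body)]
            hits.append((int(m.group(1)), keys))
    return hits


if __name__ == "__main__":
    for obj_num, keys in find_launch_actions(SAMPLE):
        print(f"object {obj_num}: launch action, platform entries: {keys}")
```

A clean result from this script is not proof of absence: actions inside compressed object streams are invisible to a plain byte scan until the streams are inflated.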