Didier Stevens, security professional and blogger, has found a “feature” in the PDF file format that makes it possible to package an executable in a PDF file which will run in Foxit PDF reader or run in Adobe Reader with a bit of social engineering.
“…preventing Adobe Reader from creating new processes blocks this trick,” he said.
“In this case, Foxit Reader is probably worse than Adobe Reader, because no warning gets displayed to prevent the launch action. My PoC PDF requires some changes for Foxit Reader, because ultimately, the executable doesn’t run. But that’s probably due to some variation in the PDF language supported by Foxit Reader.”
Stevens has made available a proof-of-concept sample and said he notified Adobe’s product security incident response team.
Until this is solved, it would be a good idea to READ any notification that pops up when you open a PDF file and DO NOT let yourself be social engineered into disregarding warnings about launching executables.
Stevens’ blog piece here.
Foxit issued an update to fix the problem (Foxit Reader 3.2.1): http://www.foxitsoftware.com/downloads/index.php
The patch fixed Foxit’s vulnerability to the POC code written for it, but now it’s vulnerable to the POC exploit written for Adobe! Story here.