Posts Tagged “PDF”

At the 27th Chaos Communication Congress (27C3) in Berlin, security researcher Julia Wolf of US company FireEye pointed out numerous, previously little-known security problems with Adobe’s PDF standard. For instance, a PDF can reportedly contain a database scanner that becomes active and scans a network when the document is printed on a network printer. Wolf said that the document format is also full of other surprises. For example, it is reportedly possible to write PDFs which display different content in different operating systems, browsers or PDF readers – or even depending on a computer’s language settings.

Many businesses and authorities use PDF as their standard file format for maintaining presentation consistency across heterogeneous computer environments. According to Wolf, however, the PDF standard has long had too many functions that can be exploited to launch attacks and wreak other havoc. These functions range from database connections without security features to options that can blindly trigger the execution of arbitrary programs in Acrobat Reader. The researcher said that other risks are generated through the support of inherently insecure script languages such as JavaScript, formats such as XML, RFID tags and digital rights management (DRM) technologies. According to Wolf, Adobe itself calls PDF a “container format” which may indeed hold a variety of things. For example, it is possible to integrate Flash files, which themselves offer many points of attack, as well as audio and video files.

Wolf said that there are generally many places for hiding arbitrary data and code in a PDF. The researcher explained that, for instance, all document and meta data can be read and edited via JavaScript. Even files compressed in formats such as ZIP, which allow further arbitrary objects to be embedded via comments, can reportedly be integrated. Wolf added that it is also possible to generate very small PDF files which only execute JavaScript, and that certain objects can be referenced multiple times to trigger different responses when opening a file.

In the researcher’s experience, the security debacle is made worse because most anti-virus programs are incapable of detecting malicious software in PDFs. When running tests with various known exploits, Wolf said that more than half of the 40 scanners she tested didn’t respond, even in cases where the corresponding advisories were several months old. When malicious code in JavaScript is compressed, the detection rate is apparently even lower.

Update: Adobe sees the sandbox introduced with Reader X (Reader version 10.0), which allows code to be executed separately in ‘protected mode’, as the remedy for these problems.

Other security experts recommend using special tools to remove meta data from PDFs or check the file syntax for conformity issues beforehand.


Last month, something remarkable occurred.

A US government panel stood up and pointed out the link between environmental toxins and cancer.

Wow… what were they thinking? (smirk & tongue firmly in cheek)

I have been saying this for years. How come it took so long for them to learn that the “earth is not flat?”

In a comprehensive, 240-page report, the President’s Cancer Panel declared that Americans are being “bombarded” with cancer-causing chemicals, and that “the true burden of environmentally induced cancers has been grossly underestimated.”

When a mainstream government entity breaks ranks with the traditional medical establishment to report that environmental chemicals are threatening our health, it is a truly astonishing event – and a warning we should all heed.

While this report comes from a US government panel, environmental toxins are a global issue. And, according to the World Health Organization, deaths from cancer worldwide are projected to continue rising, to an estimated 12 million in 2030.

Download and read the whole report (PDF)

Executive Summary

Despite overall decreases in incidence and mortality, cancer continues to shatter and steal the lives of Americans. Approximately 41 percent of Americans will be diagnosed with cancer at some point in their lives, and about 21 percent will die from cancer. The incidence of some cancers, including some most common among children, is increasing for unexplained reasons.

Public and governmental awareness of environmental influences on cancer risk and other health issues has increased substantially in recent years as scientific and health care communities, policymakers, and individuals strive to understand and ameliorate the causes and toll of human disease. A growing body of research documents myriad established and suspected environmental factors linked to genetic, immune, and endocrine dysfunction that can lead to cancer and other diseases.

Between September 2008 and January 2009, the President’s Cancer Panel (the Panel) convened four meetings to assess the state of environmental cancer research, policy, and programs addressing known and potential effects of environmental exposures on cancer. The Panel received testimony from 45 invited experts from academia, government, industry, the environmental and cancer advocacy communities, and the public.

This report summarizes the Panel’s findings and conclusions based on the testimony received and additional information gathering. The Panel’s recommendations delineate concrete actions that governments; industry; the research, health care, and advocacy communities; and individuals can take to reduce cancer risk related to environmental contaminants, excess radiation, and other harmful exposures.

