Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: SDF, please! - Internet Security | DShield SANS ISC InfoSec Forums


SDF, please!

"We're under a targeted malware attack!", a friend of mine yelled into the phone. "We are getting lots of oddly named PDFs, attached to personalized emails, sent only to certain employees in our firm!". From some past experience with chewing through our nasty malware repository here at SANS ISC, I had learned a thing or two about malicious PDFs, so I agreed to take a look.

One hour later, it was clear that the PDFs in this case were free of any exploit, completely harmless, and contained only the average "I AM A COUSIN OF THE LATE ZESKEKE NGAGWENE" type of Nigerian 419 (advance-fee) fraud spam.

But the whole episode gave me pause. It really looks like the past two years of never-ending new waves of PDF exploits have degraded PDF, in the mind of every security analyst, to a level on par with ANI and SCR files: no matter what it claims to be, it ain't nothing good.

I very much agree with Stephen Northcutt's comment in SANS NewsBites two months ago. He asked: "Is there an alternative to a .pdf? It was supposed to be a printable image of what you saw on the screen. At least that was the idea 15 years ago. It should not need 'launch' functions to do that. Do you remember five or six years ago, you weren't supposed to send an Excel spreadsheet or a Word document because they might contain malware, you were supposed to send a .pdf. Guess that has changed!"

Time for SDF - the Safe Document Format. You know, one that just supports pixels in various shades of gray, and does not need to include the ability to play a movie in 3D accompanied by surround sound. Just a nice plain document that can be opened, read and printed, without any of the nagging feeling of dread that nowadays accompanies clicking on a PDF.

Anyone?

Daniel

367 Posts
ISC Handler
We already have one; it is called ".JPG" (or ".GIF").
Anonymous
I'd be happy to see pdf die a quick death
Greg

25 Posts
Rather than worry about most exploits, I just disable most of the features by removing files in programfiles\Adobe\Reader 9.0\Reader\plug_ins. You can even modify the install package so upgrades don't put them back. If you do that and remove perms to authplay.dll (Flash) then Reader isn't *so* bad.

Maybe we could bring back PostScript, but that's Turing-complete, and since they can't sandbox Reader I doubt they can sandbox PostScript.
Anonymous
Check out PDF/A format:
http://en.wikipedia.org/wiki/PDF/A
Also, PDF was always about more than "a printable image of what you saw on the screen." The troubles really started when the singing and dancing extensions were added to later versions and software.

A valuable contribution to security would be an open source PDF reader that did not implement the dangerous stuff.

And Steve: Postscript has had very dangerous features (worse than Turing-completeness) for a long time. Doesn't mean they need to be implemented! SafePDF built on top of SafePostscript with sufficient backward compatibility ... One could hope.

Anonymous
I like the PDF/A limitation idea, also PNG images, but my all-time favorite is still ASCII :')

It's sad that one of the more reliable formats has been retooled to continuously add complexity. Adobe Reader is just gigantic lately lol.
joco

8 Posts
How about DjVu (http://en.wikipedia.org/wiki/Djvu)?
Philipp Brenner

2 Posts
I was thinking, what about multipage TIFF? Our fax machine sends dozens a day, and it does the job.
Philipp Brenner
1 Posts
For important documents there is nothing wrong with using plain text. Various GIF/JPEG/TIFF libraries have suffered from buffer overflows, and any interpreted format will eventually be bastardized by the sales critters to be able to do singing/dancing 'Corporate Image' impressions. And the cycle starts again.
Philipp Brenner
2 Posts
I wonder if anyone has done a study on how much use all the extra features get. How many PDFs actually have embedded multimedia? I've never seen one. 3D animations? Not here. Maybe if it could be demonstrated that no one cares, a lot of the cruft could be made optionally installable components, not part of the standard install.

@cynic, but how can I use Comic Sans in my important document if it's in plain text? :-)
Paul

44 Posts
How about text files? Plain text, formatted with line breaks, carriage returns, punctuation marks, and whitespace.
No Love.

37 Posts
I haven't studied the PDF format, but is it possible to create a pre-processor to strip out the troublesome enhanced features and pass the results to your PDF reader of choice... or are the vulnerabilities spread throughout the code to such an extent that the original intent of a portable true image is effectively impossible?

I'd be willing to spend a nominal amount for a small utility if I was reasonably assured that it would help prevent exploits.
No Love.
1 Posts
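The pre-processor asked about above is, in its simplest form, exactly what triage tools such as Didier Stevens' pdfid.py do: count the name objects that carry active content (/JavaScript, /JS, /OpenAction, /AA, /Launch, /RichMedia, ...) and, if asked, neutralise them in place. The script below is an added example written for this page, not code from the diary or from any of the commenters. It does a byte-level pass over the file, resolves the #xx name escapes attackers use to hide keywords (/J#61vaScript), reports which risky names appear and how many were obfuscated, and can "disarm" a file by swapping the case of those names; PDF names are case sensitive, so /jAVAsCRIPT means nothing to a reader, and because the byte length does not change the cross-reference offsets stay valid. The two sample files are constructed skeletons, not real documents, and the script also runs as a survey tool over a directory of attachments (the "how many PDFs actually use this stuff" question raised further up). Its limit is the same as pdfid's: it only sees names in the uncompressed parts of the file, so anything hidden inside a FlateDecode'd object stream needs a real parser.

```python
"""Triage and disarm PDFs by the name objects they contain (added example,
pdfid-style).  Byte-level only: names inside compressed object streams are
not visible to this pass."""
import re
import sys
from collections import Counter

# Name objects worth counting in a triage pass and why each matters.
RISKY_NAMES = {
    "/JavaScript": "script run by the reader",
    "/JS": "inline script text or stream",
    "/OpenAction": "action executed when the document opens",
    "/AA": "additional actions (page, mouse and form events)",
    "/Launch": "start an external program or open another file",
    "/EmbeddedFile": "file attachment carried inside the PDF",
    "/RichMedia": "Flash or other multimedia",
    "/AcroForm": "interactive form, with submit and scripted validation",
    "/URI": "link to an external resource",
}
# Names that signal active content; any of these makes a file "suspicious".
ACTIVE_NAMES = frozenset({"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/RichMedia"})

# A PDF name: "/" followed by regular characters, where any byte may also be
# written as #xx.  Whitespace and delimiters end the name.
_NAME_RE = re.compile(rb"/(?:#[0-9A-Fa-f]{2}|[^\s()<>\[\]{}/%#])+")
_PIECE_RE = re.compile(rb"#[0-9A-Fa-f]{2}|[\s\S]")


def decode_name(raw: bytes) -> str:
    """Resolve #xx escapes: b'/J#61vaScript' -> '/JavaScript'."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Count risky names, count escape-obfuscated ones, and decide suspicion."""
    counts = Counter()
    obfuscated = 0
    for m in _NAME_RE.finditer(data):
        raw = m.group(0)
        name = decode_name(raw)
        if name in RISKY_NAMES:
            counts[name] += 1
            if b"#" in raw:      # legal syntax, but nobody writes /J#61vaScript by accident
                obfuscated += 1
    return {
        "has_header": b"%PDF-" in data[:1024],   # readers accept the header anywhere in the first KiB
        "counts": dict(counts),
        "obfuscated": obfuscated,
        "suspicious": obfuscated > 0 or any(n in ACTIVE_NAMES for n in counts),
    }


def _swap_name_case(raw: bytes) -> bytes:
    """Swap the case of every letter in a name, escaped ones included, keeping the length."""
    out = []
    for piece in _PIECE_RE.findall(raw):
        if piece.startswith(b"#"):           # re-encode the swapped byte as #xx, still 3 bytes
            out.append(b"#%02X" % bytes([int(piece[1:], 16)]).swapcase()[0])
        else:
            out.append(piece.swapcase())
    return b"".join(out)


def disarm(data: bytes, names=ACTIVE_NAMES) -> bytes:
    """Neutralise active-content names in place (the idea behind pdfid --disarm).

    Same byte length in, same byte length out, so xref offsets remain correct;
    the JavaScript text itself stays in the file but is never dispatched."""
    def repl(m):
        raw = m.group(0)
        return _swap_name_case(raw) if decode_name(raw) in names else raw
    return _NAME_RE.sub(repl, data)


# Constructed samples, not real malware: a text-only skeleton like the 419
# attachments in the diary, and one whose OpenAction runs escaped-name JavaScript.
CLEAN_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
ACTIVE_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /JS (app.alert('hi')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for path in sys.argv[1:]:            # e.g. every attachment quarantined this week
        with open(path, "rb") as fh:
            report = scan_pdf(fh.read())
        flag = "SUSPICIOUS" if report["suspicious"] else "ok"
        print(f"{flag:10} {path} {report['counts']} obfuscated={report['obfuscated']}")
```

Run it as `python pdftriage.py *.pdf` to get one line per file. A clean 419 letter, like the ones in the diary, produces an empty name list; a file with /OpenAction plus an escaped /JavaScript is flagged and, after `disarm()`, scans clean while keeping its original size. Treat the verdict as a sorting aid for an analyst, not as proof of safety: a name this scanner cannot see (inside a compressed object stream, or a malformed structure that the reader's parser repairs differently) is exactly the kind of thing a targeted sample would use.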
@Rex For an Open Source PDF reader for Windows, check Sumatra PDF Viewer (http://blog.kowalczyk.info/software/sumatrapdf/index.html)
No Love.
1 Posts
Given the widespread fear of PDF email attachments, it seems peculiar that a 419 scammer would use them. On the other hand, a truly crafty scammer would attach a clean PDF to prove his trustworthiness. (Yeah, it's a Princess Bride reference...)
PhilBAR

24 Posts
You know, if all you folks in the big Fortune 500s instituted a ban on .pdf, it would hurt you for a time, but it really would send a clear message to Adobe that we aren't living with this mess any longer, and I bet before long they'll change, especially when the next version's corporate sales are 0.

I tell people up front: don't send .pdf because it will be dropped by our mail server. Don't send .doc, don't send .rtf; I do not need your company's pretty letterhead to know where it comes from, send plain text. Does it work? Most times. I do have to explain occasionally how to save it as text.
Greg

25 Posts
The problem with substituting JPG or PNG is PDF documents are usually *not* just images of text (although they can be). They're text with formatting, which means unlike pure image formats they can be searched, cut-and-pasted, and filled out as forms.

Also, it's not as if the pure image formats are automatically safe. It seems like every couple of months someone finds a security flaw in one of the common image-handling libraries.
Anonymous
I have always hated PDF - in many cases it is basically used because of laziness on the part of the sender, and the contents could just as easily be rendered in HTML.

The thing that annoys me the most is that whenever I click on a PDF attachment, I have to wait for the Acrobat Reader to start up, phone home to check for updates and who knows what else.
Eric

43 Posts
I noticed that you can create text fields within PDFs, for application forms and such, so that the user can fill them in and submit them back to some HTTP service. And hyperlinks, JavaScript, and vector graphics are often embedded too. It occurs to me -- why bother? Why not just write the damn thing in HTML?

A unique, static URI to a document, preferably HTTPS if it's sensitive, can be bookmarked or drag-n-dropped somewhere as an Internet shortcut quite conveniently, and opened or printed just like a PDF document.

It's becoming less important to be able to save documents for offline use, anyway. And most browsers make it easy enough to save HTML documents to disk if you really need to. I think Firefox even lets you export an HTML page to disk as a PDF document, in case you have a real fondness for them.
Steven C.

171 Posts
Ok, this might seem stupid, but have you considered the Microsoft XPS Document format? I have not used it, but so far as I can tell, and so far as I have read, the specification does not appear to support active content. It's also an ECMA standard, if that matters.
Steven C.
1 Posts
The problem with gif, jpg, png etc. is that you can't get a machine readable document out of them. At least PDF can be translated into other formats like plain text, comma delimited text, excel, html and even DOC formats. These formats can then be parsed and used as input to databases etc. Just plain images are very hard to translate and parse. I use Linux and have never had a problem with malicious PDF files (and for that matter any malicious material).

I do agree that the PDF readers are too complex and could be dangerous if you are running Windows, but then everything is dangerous if you run Windows!
barton

1 Posts
