September 29, 2016

New Security Issues in Adobe’s PDF Standard

The security researcher Julia Wolf from FireEye pointed out numerous security issues in connection with Adobe’s PDF standard at the 27th Chaos Communication Congress (27C3) in Berlin.

The 22nd Chaos Communication Congress (22C3) is a four-day conference on technology, society and utopia. The Congress offers lectures and workshops on a multitude of topics including (but not limited to) information technology, IT-security, Internet, cryptography and generally a critical-creative attitude towards technology and the discussion about the effects of technological advances on society.

According to Wolf, PDFs are currently the greatest vector for drive-by (malware installing) attacks and targeted attacks on business and government. A/V technology is extraordinarily poor at detecting these. The PDF format itself is so diverse and vague, that an A/V would need to be 100% bug-compatible with the parser in the vulnerable PDF reader.

More information is available at the conference website and in the presentation slides(PDF).