Updated: February 15, 2010
PDF security sounds like a rather obscure topic. And it is. For the vast majority of computer users, PDF documents are simply a medium of information. Unfortunately, they have become much more than that.
PDF documents have evolved to the point where they are interactive applets, loaded with scripts and whatnot, all of which enhances the user experience but can lead to real problems when misused. Combined with popular PDF software that is frequently targeted and abused, opening a PDF document can become a security issue.
We talked about PDF vulnerabilities and possible mitigations in the previous article. Truth be told, with some forethought, trouble can be avoided quite easily. Run your operating system with reduced privileges, use alternative programs and stick to reputable sources of information and you should be fine. There's no panic, really. In fact, you may want to ask why I would want to write this article after my last piece.
Well, today, I'd like to present the topic of PDF security from another angle. All of the methods mentioned in the first article are generic, default-deny techniques that always work well, but they do not tell us anything about the file at hand. In other words, we might be working with a "bad" file without ever knowing it. There might be no risk posed to the system, but that does not eliminate social engineering. Furthermore, on a properly configured system you need not care what files you open, but what if you forward bad things to your clueless peers? Here's an example: Linux users need not care much what files they open and use on their system, but forwarding possibly infected files to their Windows friends could lead to a few embarrassing moments.
The best solution is to have no friends, this way you won't be forwarding any bad stuff to anyone, but since people do tend to have friends, we will discuss the more analytical approach to PDF software. The material presented today does not replace the lessons learned in the first article; it complements them - well.
Let us begin.
In my article Safe Web practices, I outlined a few methods average users can deploy to try to assess how trustworthy the files they have just downloaded and wish to run are. They revolve around online multi-scanners, asking for help in forums and some happy Googling. This is by no means the perfect way of handling things; unfortunately, sometimes it's the only way. When someone wants to run a file, they will run it. The best thing you can do is try to convince them to make a few perfunctory checks before executing it.
The big problem with any sort of scanning is that it is one-sided: a scanner may flag a file as bad, but it can never certify a file as good. Many people do not understand this; instead they swear by their anti-virus as the holiest solution to all. I want to emphasize this point: if your anti-virus flags a file as bad, that is the lesser of all evils, even if it is a false positive. When there's a doubt, there's no doubt. But what if this software reports a file as clean? Is it clean? No. This merely means that none of the scanner's signatures matched. That is all.
This is why the whitelisting - or default-deny - approach is the best way of handling threats of all kinds. Everyone is an enemy except the few select friends. You treat everything as bad and slowly, carefully let choice bits into the circle of trust.
My PDF vulnerabilities article was all about whitelisting. The problem with whitelisting is that you're simply unaware of any problems that may or may not exist. You swing happily by, ignorant of any woes that may plague others.
This is where blacklisting comes in. Blacklisting, also known as default-allow, is a method where you keep long databases of known bad things and periodically update the list. Tools like anti-virus scanners then use these databases to try to identify malicious code: they run signature patterns against the files they inspect and report back to the user. The method is rather quixotic, since the list is always a step behind the attackers, but it has become the norm, and people will do anything they're told, as long as it's the norm.
Blacklisting is like law enforcement. Most people are considered innocent until proven guilty. Whitelisting is more like 1984. You can read a rather philosophical article on this topic, if you're so inclined.
In the software world, whitelisting wins - and it would not be that bad in society either. Blacklisting on its own is rather ineffective. However, when the two are combined, you can achieve some pretty interesting results. When you top the icy cake of whitelisting with a blacklisting cherry, you get a very useful formula.
Whitelisting makes you happy. Blacklisting makes your friends happy. You keep your machine in a good state and you avoid sending junk to other people, shortening the cycle of spam and malware. It's like being Superman and testing the Swine flu vaccine for the sake of others.
We've talked about these at length before. You should definitely take a look at my article on the subject, addressing the most common attack vectors and the very simple ways of mitigating them, first and foremost by exercising caution and patience.
Now, if you want to get technical and use blacklisting, regardless, here's a set of tools that should aid you.
Indeed. Most people have never heard of any tools that handle PDF files specifically. You might get some luck with conventional anti-X scanners advertising their holy capabilities all over the place, but there are few dedicated tools that handle PDFs.
Until recently, PDF files were not considered interesting. But the combination of powerful scripting and Flash inside PDF created an attack surface that can be exploited fairly reliably. Worse yet, the most popular PDF and Flash software come from one and the same vendor - Adobe - so when you have an issue with one, you will probably have an issue with the other, too.
Mitigating PDF threats has left many paranoid Windows users with lots of panic and few solutions. Running a limited account and using alternative software solves the problem, but few people are willing to try these remarkably simple concepts.
Recently, a number of PDF security tools have arisen, offering Windows users some way of trying to identify bad files. I say again, whitelisting is the preferred way of doing things. Now, let's examine these tools:
And here's what a sample report looks like:
This is by no means perfect, but it can give you an indication of what this is all about. Remember, when there's a doubt, there's no doubt.
However, PDFiD is a command-line Python script, so you will have to have Python installed and invoke the tool from the command line. No fancy GUI. Like Wepawet, this tool is young and green and can have its glitches, but it gets the job done. What it does is simple and deliberately dumb: it does not render or parse the PDF, it only counts how often the structural keywords (obj, stream, xref and so on) and the "active" names (/JavaScript, /JS, /OpenAction, /AA, /Launch, /RichMedia and friends) occur in the raw file, decoding the hex escapes PDF allows inside names so that an attacker cannot hide /JavaScript by spelling it /J#61vaScript. A PDF with no active names is not necessarily clean, but one with /OpenAction and /JavaScript deserves a second look before it goes anywhere.
Here's the command (the script is called pdfid.py; note that the -d switch does not scan but writes a "disarmed" copy with the active keywords renamed so a reader won't act on them, so leave it off when you only want the report):
python pdfid.py <filename>.pdf
To the best of my knowledge, and I could be mistaken here, PDFiD is included in the VirusTotal scanner list, so if you perform an online scan against a suspicious file, you'll have 20+ tools inspect the uploaded content, including PDFiD.
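To make the PDFiD idea concrete, here is an added example, written for this article and not PDFiD's own source, that reimplements its core: count the structural keywords and the active-content names in the raw bytes of a PDF, decoding the #xx hex escapes allowed inside PDF names so that an obfuscated /J#61vaScript is counted as /JavaScript. The two sample PDFs are constructed inline for the example; the keyword list mirrors the columns PDFiD prints, and the triage() helper is my own addition, not part of the tool.

```python
"""PDFiD-style keyword triage.

Added example, written for this article; it is not PDFiD's source code.
It reimplements the tool's core idea: count the structural keywords and the
names that make a PDF "active" (/JavaScript, /OpenAction, ...), decoding the
#xx hex escapes PDF allows inside names so that /J#61vaScript is counted as
/JavaScript instead of slipping past a plain text search. Both sample PDFs
below are constructed for the example.
"""
import re
from collections import Counter

# Keywords reported by PDFiD (the bare ones first, then names).
BARE = ("obj", "endobj", "stream", "endstream", "xref", "trailer", "startxref")
NAMES = ("/Page", "/Encrypt", "/ObjStm", "/JS", "/JavaScript", "/AA",
         "/OpenAction", "/AcroForm", "/JBIG2Decode", "/RichMedia", "/Launch")
# Names whose presence means the file can do something when opened (or has
# been a frequent exploit carrier); any of these deserves a closer look.
ACTIVE = {"/JS", "/JavaScript", "/AA", "/OpenAction", "/Launch",
          "/RichMedia", "/JBIG2Decode"}

# A bare keyword is a token not glued to other alphanumerics, so the "obj"
# inside "endobj" and the "xref" inside "startxref" are not double counted.
BARE_RE = re.compile(rb"(?<![A-Za-z0-9/])("
                     + b"|".join(k.encode() for k in BARE)
                     + rb")(?![A-Za-z0-9])")
# A name is "/" followed by regular characters up to the next PDF delimiter.
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]*")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> str:
    """Decode #xx escapes: b'/J#61vaScript' -> '/JavaScript'."""
    decoded = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def pdfid_counts(data: bytes) -> dict:
    """Return {keyword: count} over the raw bytes, PDFiD style."""
    counts = Counter()
    for m in BARE_RE.finditer(data):
        counts[m.group(1).decode()] += 1
    for m in NAME_RE.finditer(data):
        name = normalize_name(m.group(0))
        if name in NAMES:
            counts[name] += 1
    return {k: counts[k] for k in BARE + NAMES}


def triage(data: bytes) -> list:
    """Active-content keywords found, sorted. An empty list means nothing was
    found, not that the file is clean (the article's point about scanners)."""
    counts = pdfid_counts(data)
    return sorted(k for k in ACTIVE if counts[k] > 0)


def report(data: bytes) -> str:
    """Text report in the two-column shape PDFiD prints."""
    return "\n".join(f"{k:<14}{v:>4}" for k, v in pdfid_counts(data).items())


# Constructed sample: a minimal one-page PDF with nothing active in it.
BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
xref
trailer << /Root 1 0 R >>
startxref
%%EOF
"""

# Constructed sample: the same skeleton plus an /OpenAction that runs script
# on open, with the action name hex-escaped so "grep JavaScript" finds nothing.
SUSPICIOUS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert('hello')) >> endobj
xref
trailer << /Root 1 0 R >>
startxref
%%EOF
"""

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(f"== {label} ==")
        print(report(pdf))
        print("active keywords:", triage(pdf) or "none found")
```

Run it and the benign skeleton reports only obj, endobj, xref, trailer, startxref and /Page, while the second file shows /JS, /JavaScript and /OpenAction even though the literal string "/JavaScript" never appears in it. That is the whole value of a keyword counter like PDFiD over a naive text search, and also its limit: it says what the file contains, not what the file does.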
In general, that would be all for today. For super geeks, here's some more reading:
This article won't turn you into a PDF special forces trooper or anything of that sort. But it does provide you with basic tools for trying to identify possibly undesired files. The tools are far from perfect or intended for massive use, but if you're reading this article, you're probably not the average computer user.
For the millionth time, if you don't like the file, don't run it. Best of all, in order to avoid self-inflicted mistakes caused by an itchy finger, use alternative applications and stick to the concept of least privilege. This way, even if you do execute bad files, they will have a much smaller scope for damage.
I would recommend using Wepawet and PDFiD when sending files you just have to send to your less savvy friends with nasty computer usage habits. In the long run, you will probably not make that much difference, but at least you will have made your best effort.
Stick to whitelisting and use blacklisting when handling suspicious files in transit. I hope you liked this article. If you have something wise to add, don't be shy, send an email. See ya around.