Lately, malware authors have been focusing more and more on exploiting Adobe Reader (and ultimately users' computers) via maliciously crafted documents, and there have been quite a few vulnerabilities in Adobe Reader recently.
The malicious injection on my last hosting service was also an Adobe Reader oriented attack…
In the recent issue of (in)SECURE Magazine, namely issue 21, there is an article named “Malicious PDF: Get owned without opening” by Didier Stevens which shows an exploit in an Adobe Reader filter that makes successful exploitation possible without opening the file.
“When a PDF document is listed in a Windows Explorer window, the PDF column handler shell extension will be called by Windows Explorer when it needs the additional column info. The PDF column handler will read the PDF document to extract the necessary info, like the Title, Author, etc. (…) Under the right circumstances, a Windows Explorer Shell Extension will read the PDF document to provide extra information, and in doing so, it will execute the buggy code and trigger the vulnerability.”
Other ways the exploit could be launched from the Explorer window were by selecting the PDF (left click), hovering over it, or changing the folder view to “Thumbnail”.
All these exploitation scenarios required minimal user interaction, but the author had another card up his sleeve: the JBIG2Decode vulnerability could be exploited by the Windows Indexing Service alone, the only difference being that this way the exploit would run with fewer privileges; namely Local System ones…
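Since Explorer and the indexer parse a PDF before anyone opens it, the practical defence is to spot documents that reference the JBIG2Decode filter before they land in an indexed folder. The following is an added example, not code from the (in)SECURE article or this post; it decodes PDF name escapes (e.g. /J#42IG2Decode) so a hidden filter name is still caught, and the PDF fragments it checks are constructed samples, not real malicious files.

```python
import re

# Constructed PDF fragments (not real exploit documents): one plainly uses the
# JBIG2Decode filter, one hides the name with a #xx hex escape, one is benign.
SAMPLE_JBIG2 = (b"%PDF-1.4\n1 0 obj\n<< /Type /XObject /Subtype /Image "
                b"/Filter /JBIG2Decode /Width 1 /Height 1 >>\n"
                b"stream\n\x00\nendstream\nendobj\n%%EOF")
SAMPLE_OBFUSCATED = (b"%PDF-1.4\n1 0 obj\n<< /Type /XObject "
                     b"/Filter [/FlateDecode /J#42IG2Decode] >>\nendobj\n%%EOF")
SAMPLE_BENIGN = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Title (Report) >>\n"
                 b"endobj\n%%EOF")

# A PDF name starts with '/' and runs until whitespace or a delimiter.
_NAME = re.compile(rb"/([^\s/<>\[\]()%{}]+)")


def normalize_name(raw: bytes) -> bytes:
    """Resolve #xx hex escapes inside a PDF name: J#42IG2Decode -> JBIG2Decode."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def scan(data: bytes) -> dict:
    """Report whether the document references /JBIG2Decode anywhere and how
    many names use hex escapes (a common trick to hide filter names)."""
    raw_names = [m.group(1) for m in _NAME.finditer(data)]
    decoded = {normalize_name(n) for n in raw_names}
    return {
        "jbig2": b"JBIG2Decode" in decoded,
        "obfuscated_names": sum(1 for n in raw_names if b"#" in n),
    }


def scan_file(path: str) -> dict:
    """Convenience wrapper to check a PDF on disk before it is indexed."""
    with open(path, "rb") as fh:
        return scan(fh.read())


if __name__ == "__main__":
    for label, sample in (("plain", SAMPLE_JBIG2),
                          ("obfuscated", SAMPLE_OBFUSCATED),
                          ("benign", SAMPLE_BENIGN)):
        print(label, scan(sample))
```

The check is a byte-level heuristic like pdfid's, not a full PDF parser, so a stream compressed inside an object stream is out of its reach.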
There you have it: another reason to switch to an alternative PDF reader.
UPDATE: a resourceful article about PDF exploitation can be found here.