This looks like it's on topic and might make some interesting points, but it's just plain tl;dr, and the formatting doesn't help. I read the first paragraph or two, clicked over to the description of the attack being referenced, and then couldn't make it through the rest of the wall of text. If it's really as concise as it can get, I would recommend substantially reducing the column width.
(This is intended as constructive criticism, not Internet rage, but I'm open to constructive criticism of my methods for same.)
Basically: in the dystopia that is the Internet, all PDFs could be considered a potential exploit vector by incident response teams cleaning up a corporate malware infestation. Discussed is a plausible scheme (edit: with a PoC) wherein all PDFs with write-access by the victim on a given system are infected virally with the same PDF/Launch code as the initial infected PDF. The result being even after a clean re-image and restore of all seemingly-harmless files, the infected PDFs remain and re-infection is likely.
It's no secret that PDF/Launch can be used to execute an attached binary. Didier's work shows a way to modify the dialog box's contents that ask for the user's approval to launch, giving the attacker the ability to craft a much softer-sounding "ok/cancel" situation or one that is more likely to result in the user allowing the attachment to launch.
As an info-sec guy, and with all the Adobe crap lately, I have to say that the article's author's opinion: "Do you really think the incident response team will suspect every single PDF file on the user’s computer as being involved? I seriously doubt it." doesn't hold much water. I might very likely suspect PDF as the attack vector and would likely refuse to restore these files without taking a much closer look at them.
2 comments
[ 2.8 ms ] story [ 26.4 ms ] thread(This is intended as constructive criticism, not Internet rage, but I'm open to constructive criticism of my methods for same.)
It's no secret that PDF/Launch can be used to execute an attached binary. Didier's work shows a way to modify the dialog box's contents that ask for the user's approval to launch, giving the attacker the ability to craft a much softer-sounding "ok/cancel" situation or one that is more likely to result in the user allowing the attachment to launch.
As an info-sec guy, and with all the Adobe crap lately, I have to say that the article's author's opinion: "Do you really think the incident response team will suspect every single PDF file on the user’s computer as being involved? I seriously doubt it." doesn't hold much water. I might very likely suspect PDF as the attack vector and would likely refuse to restore these files without taking a much closer look at them.