Adobe’s popular PDF file format–known to anyone who’s ever called up a tax form on the IRS Web site–has generally been considered immune to viruses. But a new virus carried by programs embedded in PDF files raises concerns that the format itself could become susceptible.On Tuesday morning, Network Associates’ McAfee antivirus division became aware of the first virus–known as “Peachy”–that uses PDF to spread, said Vincent Gullotto, senior director of McAfee’s Avert group.
Fortunately, those who are simply viewing a PDF, or Portable Document Format, file aren’t vulnerable. The virus spreads only by way of Adobe’s Acrobat software–the program used to create PDF documents–not through Acrobat Reader, the free program that is used to view the files.
“There is no way for this to affect Acrobat Reader,” said Adobe’s Sarah Rosenbaum, director of Acrobat product management. “The code in Acrobat that recognizes attachments does not exist in Reader.”
Peachy exploits an Acrobat feature that allows people to embed other files within a PDF–attachments that can be opened only by people using Acrobat.
“Right now it’s considered to be a low risk because we haven’t seen it reported to us from a customer,” Network Associates’ Gullotto said.
But the Peachy virus raises the issue that PDF files–widely used to display documents within Web browsers and e-mail–could become a new channel for spreading viruses.
“What I’m concerned about here is that this could be a new frontier,” said Richard Smith, chief technology officer of the Privacy Foundation. “It’s considered to be a safe file format.” Smith posted news of the virus to the Bugtraq security mailing list Tuesday.
It’s clear that if Adobe modified future versions of Reader so that it could read attachments embedded in PDF files, the program could fall victim to Peachy’s descendents.
Rosenbaum said that while it’s possible Adobe might add attachment-handling capability in future editions of Acrobat Reader, the company has no immediate plans to do so.
Smith said he believes Acrobat Reader software could prove susceptible in any case. Indeed, the Computer Emergency Response Team posted news of a vulnerability in the Windows version of Acrobat in November 2000 that could let an outside attacker gain control over the computer of a person who simply viewed a PDF file. Adobe patched that hole.
Adobe said any popular software becomes a target for security attacks and Acrobat has crossed that threshold.
“I think the attraction…has reached a critical level recently,” Rosenbaum said. “It’s only been in the last 18 to 24 months that PDF…use has really exploded.”
How Peachy works
Acrobat lets people embed different file types within a PDF, including everything from the VBScript programs–used in the LoveLetter virus–to an actual executable program, Gullotto said.
Peachy is named after a small game in a PDF file that involves finding peaches, Gullotto said. According to a person called Zulu, who said he wrote Peachy, showing the solution to the game runs a VBScript file.
The virus then spreads to others using e-mail addresses collected from Microsoft Outlook, Gullotto said. Hiding the VBScript file in a PDF document bypasses the filters in newer versions of Outlook that ordinarily screen out VBScript files.
However, these more recent versions of Outlook, such as Outlook 2002 or those that have been patched with a security update, do take measures that hamper viruses such as Peachy, said David Jaffe, lead product manager for Microsoft Office. Although PDF files–and whatever embedded programs are hidden in them–aren’t screened out, Outlook warns the user when a virus or other automated process tries to access Outlook’s address book or use the program to send e-mail, Jaffe said.
Through an agreement with Adobe announced in June, McAfee’s software can scan PDF files, Gullotto said. However, as with other virus types, the software isn’t always able to catch new viruses until its definitions are updated.
Updated virus descriptions released by McAfee next week will be able to detect Peachy, Gullotto said.
But Adobe doesn’t currently plan to prevent VBScript or other files from running.
To prevent Peachy from being able to run, “the change we would have to make is not to allow VBScript attachments. That is a problem for a lot of our customers,” Rosenbaum said. “If they change their opinion, we will do what they want.”
People with the full version of Acrobat will have to exercise caution when opening attachments to PDF files. However, opening attachments isn’t automatic: A cautionary dialog box asks if a person wants to proceed.