[22156] in bugtraq
Re: Adobe PDF files can be used as virus carriers
daemon@ATHENA.MIT.EDU (Lars Hecking)
Thu Aug 9 13:52:06 2001
Date: Thu, 9 Aug 2001 10:20:50 +0100
From: Lars Hecking <lhecking@nmrc.ie>
To: bugtraq@securityfocus.com
Message-ID: <20010809102050.C21373@nmrc.ie>
Mail-Followup-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
[Moderator: reposted as requested by da@securityfocus.com]
> What this means is that virus scanners will now need to "reach inside"
> PDFs to scan encapsulated files. But what -- as I'm sure our Russian
> friend Dmitri would ask -- if the PDF is encrypted? Wouldn't the
> virus checker have to defeat the encryption to see the encapsulated
> file? And would it be an illegal "circumvention" mechanism if it did?
So what? The problem is not new - it already exists with zip files, and
generally with all types of encrypted files.
Here's e.g. what Sophos sweep tells you when encountering an encrypted
zip file (here, it's inside an self-extracting zip archive.
Aug 3 17:27:29 localhost amavis[16194]: Password protected file /tmp/amavis-10411997/parts/msg-16194-2.exe/SfxArchiveData/SETUP.WZ/WINZIP32.EX_
I would be extremely suspicious about "encryption" that can be circumvented
by, say, a virus scanner.
Is encryption really the problem as far as viruses are concerned? I'd say
it is not. Decryption requires manual intervention by the user, and after
that the problem is the same as before: applications that execute stuff
automatically by default, or make it easy to circumvent any safeguards
the user may have set.
The new threat is that a hitherto unused file format is now used as a vector.
Big deal.
