There’s a common complaint in the antivirus community, this time about PDF and Adobe Reader, the new frontier for viruses, worms and other cyber creepy-crawlies.
Case in point: a post on the Avast! blog entitled “Another nasty trick in malicious PDF”. Following an innocuous quotation from an out-of-date version of the PDF Reference, the author says:
“That’s another surprise from PDF, another surprise from Adobe, of course. Who would have thought that a pure image algorithm might be used as a standard filter on any object stream you want? And that’s the reason why our scanner wasn’t successful in decoding the original content – we hadn’t expected such behavior. To be fair, any data (text or binary) can be declared as a monochrome two-dimensional image – that’s the reason why JBIG2 algorithm works here.”
Why is this a surprise? It has been common practice since PDF was released in 1993 to use multiple filters to encode streams in a PDF file. Multiple filters on a stream have always been part of PDF. If virus-scanning software claims to scan PDF files, that implies the developer has read the PDF Reference and knows how to parse the PDF format.
PDF files aren’t exactly unusual – they’re everywhere! Google counts almost 300 million PDF files online, and there are billions more in banks, government agencies, and elsewhere. Given the popularity of PDF for well over a decade, there’s nothing in the PDF Reference that should come as a “surprise”.
I expect antivirus software developers to consider the possibility that an image filter could be used to encode non-image objects for nefarious purposes. If they do not expect such a possibility then they have failed in their chosen responsibility of protecting the public.
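What that expectation looks like in a scanner, as an added sketch that is not code from the article or from any antivirus product: it walks each stream's /Filter chain in order, flags image filters on non-image streams, and reports any stream it could not fully decode instead of passing it silently. The regex-based parsing, the flag names and the sample bytes are assumptions made for this example.

```python
import binascii, re, zlib

# Filters designed for image data; on a non-image stream they warrant a closer look.
IMAGE_FILTERS = {"JBIG2Decode", "CCITTFaxDecode", "DCTDecode", "JPXDecode"}

def _ascii_hex(data):
    digits = re.sub(rb"\s", b"", data.split(b">")[0])  # '>' is the end-of-data marker
    return binascii.unhexlify(digits + b"0" * (len(digits) % 2))

# Only two decoders are implemented here; a real scanner needs every filter in the spec.
DECODERS = {"FlateDecode": zlib.decompress, "ASCIIHexDecode": _ascii_hex}

# Simplified object matching for the example (hypothetical; ignores /Length).
STREAM_RE = re.compile(rb"(\d+) \d+ obj\s*<<(.*?)>>\s*stream\r?\n(.*?)\nendstream", re.S)
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/\w+)")

def scan_streams(pdf_bytes):
    """Return one finding per stream: filter chain, decoded bytes (or None), flags."""
    findings = []
    for num, dictionary, data in STREAM_RE.findall(pdf_bytes):
        m = FILTER_RE.search(dictionary)
        chain = [f.decode() for f in re.findall(rb"/(\w+)", m.group(1))] if m else []
        is_image = re.search(rb"/Subtype\s*/Image\b", dictionary) is not None
        flags = []
        if not is_image and IMAGE_FILTERS & set(chain):
            flags.append("image-filter-on-non-image")
        for name in chain:  # filters are undone in the order the array lists them
            try:
                data = DECODERS[name](data)
            except (KeyError, zlib.error, binascii.Error) as exc:
                kind = "undecoded" if isinstance(exc, KeyError) else "decode-error"
                flags.append(f"{kind}:{name}")  # content was NOT inspected
                data = None
                break
        findings.append({"obj": int(num), "chain": chain, "data": data, "flags": flags})
    return findings

# Constructed sample: three stream objects, not taken from any real file.
SAMPLE = b"".join([
    b"1 0 obj\n<< /Filter [/ASCIIHexDecode /FlateDecode] >>\nstream\n",
    binascii.hexlify(zlib.compress(b"constructed text hidden behind two filters")) + b">",
    b"\nendstream\nendobj\n",
    b"2 0 obj\n<< /Filter [/FlateDecode /JBIG2Decode] >>\nstream\n",
    zlib.compress(b"constructed placeholder bytes"), b"\nendstream\nendobj\n",
    b"3 0 obj\n<< /Type /XObject /Subtype /Image /Filter /DCTDecode >>\nstream\n",
    b"\xff\xd8constructed\xff\xd9", b"\nendstream\nendobj\n",
])

if __name__ == "__main__":
    print([(f["obj"], f["chain"], f["flags"]) for f in scan_streams(SAMPLE)])
```

The sketch does not resolve indirect references, honour /Length, or normalise #-escaped filter names, all of which a production parser has to handle before its verdicts can be trusted.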
Read the rest of the article on appligent.com