Adobe Discusses PDF Attack as Foxit Adds Warning
Foxit Software says it plans to add a warning to protect users from a new attack vector involving PDF files that can affect users without exploiting a software vulnerability. Adobe, which already has a warning built in, says the issue is being discussed.

Foxit Software plans to follow Adobe Systems' lead and add a dialog box giving users a heads-up about a new attack tactic involving malicious PDF files. The security issue was uncovered by Didier Stevens, an IT security consultant with Contraste Europe, who discovered a way to get PDF viewers such as Adobe Reader and Foxit Reader to execute embedded executables using a launch action triggered when the PDF file is opened.
In Adobe Reader, the situation is mitigated by a warning that pops up and forces the user to click open before the executable is run. However, Foxit currently allows the embedded executable to run without either a warning or user interaction.
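For defenders who want to triage incoming PDFs for the launch-on-open pattern described above, here is an added example; it is not code from the article, from Didier Stevens, or from either vendor. The function names and sample byte strings are constructed for illustration, and the key names are the standard PDF dictionary names for launch actions, open actions and additional actions.

```python
import re

# PDF name keys relevant to the behaviour the article describes:
# /Launch (launch action), /OpenAction and /AA (run when the file or a
# page is opened), /EmbeddedFile (an embedded file stream).
KEYS = ("/Launch", "/OpenAction", "/AA", "/EmbeddedFile")

def decode_name_escapes(data: bytes) -> bytes:
    """PDF names may write any character as #xx hex (e.g. /L#61unch).
    Decode those so an obfuscated key still matches. Decoding the whole
    file can only add false positives, which is acceptable for triage."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def count_keys(data: bytes) -> dict:
    """Count each key in the raw bytes. Limitation: objects stored inside
    compressed object streams are not inspected by this byte-level scan."""
    norm = decode_name_escapes(data)
    counts = {}
    for key in KEYS:
        # The name must end at whitespace or a PDF delimiter, so that
        # /AA does not match a longer name such as /AAPL.
        pattern = re.escape(key.encode()) + rb"(?=[\s/<>\[\]()%]|$)"
        counts[key] = len(re.findall(pattern, norm))
    return counts

def triage(data: bytes) -> str:
    """Classify a PDF by whether a launch action is wired to open time."""
    c = count_keys(data)
    if c["/Launch"] and (c["/OpenAction"] or c["/AA"]):
        return "launch-on-open"   # quarantine and review by hand
    if c["/Launch"]:
        return "launch-present"   # launch action exists, trigger unclear
    return "no-launch"

# Constructed fragments (not working PDFs, no launch target specified).
SAMPLE_FLAGGED = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog "
                  b"/OpenAction << /S /L#61unch >> >>\nendobj\n")
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"

if __name__ == "__main__":
    for name, blob in (("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN)):
        print(name, triage(blob), count_keys(blob))
```

A hit is a reason to hold the file for review at a mail or web gateway, not proof of malice, and a miss does not clear a file whose objects sit in compressed streams.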