A few months back I was triaging a GH issue where someone had attached an .rtf of their failure log and I was definitely tingling at the thought of opening it.
I felt a bit paranoid doing it, but I curled it down on a different laptop, went offline, and then checked to see what `file` thought. It reported that the file was actually a PDF and I was almost certain it was a spearphishing attempt.
(I'm not a committer on this project, so I probably wouldn't have been the target if it was.)
I finally convinced myself to go online to fetch a PDF -> plaintext converter package, go back offline, and see what it found inside. (Though I wondered if the converter itself would ignore or could be vulnerable to the same kinds of exploits.)
It ultimately just looked like an appropriate log, though I never directly opened it. I decided to risk coming off as paranoid and told the reporter not to do this going forward (and they promptly/happily replaced the attachment with an unformatted copy/paste--better than getting pwned).
I wonder if running ghostscript's pdf2pdf inside a properly jailed/locked-down/container/firecrackervm, possibly an ephemeral one, is sufficient to neuter it.
PDFs are horrible for potential malware. There are so many ways for a PDF to run some block of code or reach out over the network for (something), and thus lead to malware being retrieved or installed. Think of all the things a PDF has support for, such as dynamic fields, arbitrary byte retrieval, user inputs, field updates, comments, stylings, embedded objects, object references, hell even an attempt at parsing CSS stylesheets, etc etc. PDF doc is one of the current _worst_ formats to try and avoid malicious activity from.
Yes they can have malware; in a few more ways than easily detected or realized. Don't trust PDFs you didn't create yourself.
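A worked version of the offline triage the first commenter describes (check what the bytes say the file is, not what the extension claims), combined with a grep for the active-content features listed above (JavaScript, open actions, launch actions, embedded files, URIs). This is an added example, not code from the thread or from any project it mentions; it assumes only a POSIX shell with head, od, grep, wc and mktemp, and the suspicious "log" it inspects is a constructed sample written inline.

```shell
#!/bin/sh
# Added example: read-only triage of an attachment on an offline machine.
# Assumptions: POSIX sh with head, od, grep, wc, mktemp. No `file` dependency,
# the magic-byte check is done directly. The file is only ever read, never
# rendered, so a hostile PDF gets no parser to talk to.

# Real container format from the first four bytes (extension and MIME are
# attacker-controlled; the leading bytes are what a parser will actually act on).
real_type() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        25504446) echo pdf ;;      # %PDF
        7b5c7274) echo rtf ;;      # {\rt
        504b0304) echo zip ;;      # PK..  (also docx/xlsx/jar containers)
        4d5a*)    echo pe ;;       # MZ    (Windows executable)
        7f454c46) echo elf ;;      # Linux executable
        *)        echo unknown ;;
    esac
}

# Lower-cased extension the sender chose, or "none".
claimed_ext() {
    case "$1" in
        *.*) printf '%s\n' "${1##*.}" | tr 'A-Z' 'a-z' ;;
        *)   echo none ;;
    esac
}

# Succeeds (exit 0) when the extension lies about the content. Coarse on purpose:
# a .docx reporting as "zip" is expected, anything else deserves a look.
ext_mismatch() {
    [ "$(real_type "$1")" != "$(claimed_ext "$1")" ]
}

# Count occurrences of PDF name tokens that introduce scripting, automatic
# actions, program launches, embedded files or network fetches. Caveat: names can
# be hex-escaped (/J#61vaScript) or hidden in compressed object streams, so a
# zero here is not proof of safety; a non-zero is a reason to stop and not open it.
risky_feature_count() {
    n=$(grep -a -o \
        -e '/JavaScript' -e '/JS' -e '/OpenAction' -e '/AA' \
        -e '/Launch' -e '/EmbeddedFile' -e '/URI' -e '/RichMedia' \
        "$1" | wc -l)
    echo $((n + 0))
}

# Constructed sample: a PDF with an open action that runs JavaScript, saved under
# an .rtf name, mirroring the mislabelled attachment in the thread.
SAMPLE=$(mktemp -d)/failure_log.rtf
printf '%%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n2 0 obj << /S /JavaScript /JS (constructed placeholder) >> endobj\n%%%%EOF\n' > "$SAMPLE"

echo "claimed: $(claimed_ext "$SAMPLE")  actual: $(real_type "$SAMPLE")"
if ext_mismatch "$SAMPLE"; then
    echo "WARNING: extension does not match content"
fi
echo "risky PDF features found: $(risky_feature_count "$SAMPLE")"
```

The token list is deliberately small and readable; it is a triage filter for deciding whether to pass the file to a converter in a sandbox, not a replacement for a real PDF parser.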
For years I optimized my pdf reader problem for app size (I do not use extended features). hmm, now, I would prefer to optimize for safety. Which implementation is considered safest on Windows for now? pdf.js/in-browser readers? standalone app?
Occasionally there are remote code execution exploits. The javascript-based PDF rendering in Firefox and Chrome is usually safe from these, so most people who don't download a PDF reader aren't affected by this.
Edit: Turns out, the PDF parser in Chrome exists outside the webpage sandbox. Only Firefox has a pdf.js based PDF viewer. In Chrome, you have to use extensions to get the safer pdf.js based PDF reader.
I am really amazed at this business of PDFs running code. Only Adobe and Microsoft could come up with this kind of crap.
Documents are not supposed to be executable, plain and simple.
Any person in control of crypto keys who opens a PDF file, in fact any kind of executable coming from an email is an idiot.
1. They are supposed to come only from trusted authorized staff of business partners.
2. They are supposed to be scanned and vetted by in-house security on separate secure machines, even if they are from trusted business partners before being run on any end user machine, even those of admins and security admins.
3. There must be a clear cut case for files being executable in any case.
4. If you are to run any document it should be checked on a remotely accessed system, i.e. over Remote Desktop, VNC if necessary, and purged of any code before being run on an end user machine.
This is why I consider most crypto companies to be snake oil scams. If they don't have the discipline to secure their computer systems properly, why should they be trusted with other people's money?
It is so stupid it makes you wonder if said employee was a part of the scam.
I’ve wondered several times this week about “what are the chances that the Axie spearphish was an inside-Axie job?”
It’s such a bad look how it played out, but it’s also a ready-made cover story for an insider knowledgeable of the company and its weaknesses (some of which could have been placed/aided by the insider). It’ll be interesting to see any investigation play out.
I didn't know a pdf reader will download and execute arbitrary code if the document asks it to. Not delighted about that.
I think someone could guess a coworker's email and send a malicious file that claims to be from them with a very high hit rate.
Does Linux have a not-insanely-annoying means of sandboxing applications yet? E.g. so evince doesn't get to talk to the network or write files, even if it asks nicely.
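One answer to the question above, and to the earlier one about running ghostscript in a locked-down container, using bubblewrap (bwrap): the viewer or converter sees the filesystem read-only, a throwaway tmpfs in place of $HOME and /tmp, no network, and only the one untrusted file. This is an added example, not code from the thread; it assumes bubblewrap is installed, an X11 display socket under /tmp/.X11-unix, and that the command being wrapped (evince, or gs with -dSAFER and its txtwrite device for a PDF-to-text pass) is already on the host.

```shell
#!/bin/sh
# Added example: run a PDF viewer or converter under bubblewrap with no network
# and no writable home. Assumptions: bwrap is installed; X11 socket at
# /tmp/.X11-unix; the wrapped command exists on the host. Not project code.

# Emit the bwrap argument list, one argument per line, for running COMMAND...
# against PDF, which appears inside the sandbox as /tmp/untrusted.pdf.
# Printed rather than executed so it can be inspected (and tested) without bwrap.
sandbox_args() {
    pdf=$1
    shift
    printf '%s\n' \
        --ro-bind / / \
        --dev /dev \
        --proc /proc \
        --tmpfs /tmp \
        --tmpfs "${HOME:-/root}" \
        --ro-bind /tmp/.X11-unix /tmp/.X11-unix \
        --ro-bind "$pdf" /tmp/untrusted.pdf \
        --unshare-net \
        --unshare-pid \
        --die-with-parent \
        --new-session \
        "$@"
    # --unshare-ipc is left out on purpose: some X11 clients use shared memory
    # with the X server and break without it. Use --unshare-all for headless
    # converters such as gs, where no display is involved.
}

# Execute the wrapped command. Returns 2 if bwrap is missing instead of
# silently running the viewer unsandboxed, which would defeat the point.
sandbox_run() {
    if ! command -v bwrap >/dev/null 2>&1; then
        echo "bwrap not found; install bubblewrap" >&2
        return 2
    fi
    set --
    while IFS= read -r a; do
        set -- "$@" "$a"
    done <<EOF
$(sandbox_args "$@")
EOF
    bwrap "$@"
}

# Demonstration with a placeholder path: show what would be executed.
# Viewer:     sandbox_run ./untrusted.pdf evince /tmp/untrusted.pdf
# PDF->text:  sandbox_run ./untrusted.pdf gs -q -dSAFER -dBATCH -dNOPAUSE \
#                 -sDEVICE=txtwrite -sOutputFile=- /tmp/untrusted.pdf
sandbox_args ./untrusted.pdf evince /tmp/untrusted.pdf
```

Note the `sandbox_run` body: `sandbox_args "$@"` is evaluated before `set --` clears the positional parameters only because the here-document is expanded when the loop starts, so keep that ordering if you edit it. Firejail is the other common answer and ships a profile for evince; `firejail --net=none --private evince file.pdf` gives a comparable result with less typing, at the cost of a larger trusted setuid helper.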