I recently ran across Didier Stevens' blog, and was rudely reminded of how big a part security plays on the web these days.
I've never been a huge fan of PDFs, mainly due to the fact that every time I go to Task Manager it seems there's a zombied copy of Adobe Reader floating in there. This got so bad I now refuse to use Reader, and use Foxit instead.
Even after adding a fair bit of PDF support to our latest app (allowing users to fill in HTML-based forms which are then PDF'd for archival/electronic signing), I hadn't quite grasped the full ramifications:
1. Allow users to create custom HTML
2. Distribute unknown custom HTML to other application users in the guise of a 'validated' document.
Ten minutes reading Didier's latest piece, Shoulder Surfing a Malicious PDF Author, and some associated links gave me several insights/scares:
1. PDFs can run custom JavaScript
2. Binary streams (i.e. files) can be embedded and saved to disk from within the PDF
3. Incremental versioning inside PDFs lets you monitor the development of a PDF file over time (similar to Track Changes in Word).
4. Virus scanners have a hard time detecting malicious content inside PDFs.
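The four points above map onto things you can check for in the raw bytes of a PDF before trusting it. The following is an added example (my own sketch, not code from Didier's post or his pdfid tool, though it borrows the same keyword-counting idea): it decodes `#XX` name escapes, counts the names tied to JavaScript, auto-run actions and embedded files, and counts how many incremental updates were appended after the first save. The sample PDF is constructed for the demo; its xref offsets are not real.

```python
import re

# Constructed sample (not a real malicious file): a catalog that runs JavaScript on
# open and carries an embedded file, then one appended update replacing the script.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 4 0 R /Names << /EmbeddedFiles 5 0 R >> >> endobj
4 0 obj << /S /JavaScript /JS (app.alert('v1')) >> endobj
5 0 obj << /Names [(payload.bin) 6 0 R] >> endobj
6 0 obj << /Type /Filespec /F (payload.bin) /EF << /F 7 0 R >> >> endobj
7 0 obj << /Type /EmbeddedFile /Length 4 >> stream
AAAA
endstream endobj
trailer << /Root 1 0 R >>
startxref
0
%%EOF
4 0 obj << /S /J#61vaScript /JS (app.alert('v2')) >> endobj
trailer << /Root 1 0 R /Prev 0 >>
startxref
0
%%EOF
"""

# Names worth a second look, following the list of insights above.
SUSPICIOUS = ["/JavaScript", "/JS", "/OpenAction", "/AA", "/EmbeddedFile", "/Launch"]

def normalize_names(data: bytes) -> bytes:
    """Decode #XX hex escapes in PDF names so /J#61vaScript counts as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> dict:
    """Count suspicious names and incremental updates in raw PDF bytes."""
    data = normalize_names(data)
    counts = {}
    for name in SUSPICIOUS:
        # Lookahead stops /EmbeddedFile from also matching /EmbeddedFiles.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        counts[name] = len(re.findall(pattern, data))
    # Every appended revision ends with its own %%EOF; the first one is the base file.
    counts["incremental_updates"] = max(data.count(b"%%EOF") - 1, 0)
    return counts

def triage(counts: dict) -> list:
    """Collapse raw counts into the findings an analyst would act on."""
    rules = {"javascript": ["/JavaScript", "/JS"],
             "auto-action": ["/OpenAction", "/AA"],
             "embedded-or-launch": ["/EmbeddedFile", "/Launch"],
             "revised-after-save": ["incremental_updates"]}
    return [label for label, keys in rules.items() if any(counts[k] for k in keys)]
```

Run `triage(scan_pdf(open(path, "rb").read()))` over a document to get the list of findings; an empty list means none of the four indicators were seen, not that the file is safe.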
My takeaways:
1. Be scared
2. Sign up for Didier's blog; it's quality, well-written, relevant content
3. Why did neither security company reviewing our latest application consider the security impact of allowing users to create their own PDFs?