Critical vulnerability found in PDF files that turns them into "zombies"

The encryption system for PDF files contains a critical vulnerability, according to German cybersecurity experts. This is about security built into the PDF standard itself, not about encryption with external tools. Based on the vulnerability found, experts simulated an attack called "PDFex".

Examining the found vulnerability, German hackers discovered two ways of its possible use. In practical tests, they hacked 27 PC and web-based PDF readers, including Adobe Acrobat, Foxit Reader, Nitro, and built-in PDF viewers in Chrome and Firefox browsers. In all cases, they managed to extract data that was considered encrypted and secure.

The first type of attack using PDFex is called direct exfiltration. It turns out that the encryption system does not process the entire PDF file, but only some of its parts. But attackers still have access to open parts that they can modify - for example, including instructions for sending data at the time of decryption to a fake address.

The second type of attack is based on the use of CBC tools to replace encrypted sections directly in the file. The goal is the same - to create a "mined" file that will automatically send its content to a remote server using PDF forms or URLs. In both the first and second cases, a PDFex attack requires direct access to the file or at least interception of the user's network traffic. The vulnerability is considered critical and will be described in detail at the upcoming ACM Conference on Computer and Communications Security.