Only Open PDF Files from Trusted Sources

I think we all know better than to download executable programs (.exe's) from untrusted sources and run them.  Opening a Word document from an untrusted source could be dangerous.  Now, even opening a PDF file on a fully patched Windows machine with excellent, up-to-date anti-virus and malware software could cause your machine to get owned.

Didier Stevens, who has written some great PDF analysis tools, published a disturbing blog post the other day.  He demonstrates how to use an existing feature in PDF to execute a program on someone's computer when they open the document.  Adobe Acrobat Reader displays a message first, but the message can be changed to social engineer someone into clicking the Open button on the message.  And my favorite PDF reader, Foxit, does not even display this message.  Disabling javascript does not help. [more]

Here is the link to his article: http://blog.didierstevens.com/2010/03/29/escape-from-pdf/

I downloaded his extremely simple example and in a few seconds changed it run a batch script instead of cmd.exe.  It looks it would be trivial to make it run any sequence of commands desired.  Depending on the PDF viewer used on other operating systems such as Linux or Mac OS X, this same technique will work there.

When using Google, one might consider clicking on Quick View or View as HTML instead of viewing the actual the PDF file.

UPDATE:  Adobe finally responded to this, explaining simply how to disable this feature.  This sounds like a good thing to do for most users. http://blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html

Security and Compliance PDF Linux Adobe Mac Security Word