Solved

safety of pdf

Posted on 2004-08-18
Last Modified: 2012-05-05
I know that MS Word documents can contain dangerous code.  I know that gif and jpgs are safe.

How about PDF, is that safe?

And, is there any easy way that I can make sure that an MSWord document does not contain executable code?  I need to do this on the server.

What we are trying to do is allow people to attach files to their data on our site.  We do not however want to allow them to attach things that may carry viruses and trojans and things.
Question by:jhurst
8 Comments
 
LVL 15

Expert Comment

by:Yan_west
ID: 11833097
There was some vulnerability in Adobe Acrobat Reader... the vulnerability is in the software.. you have to update to the most recent patch to fix it.. here are a few examples of vulnerabilities:

http://www.planetpdf.com/enterprise/article.asp?ContentID=6669
http://www3.ca.com/securityadvisor/vulninfo/Vuln.aspx?ID=27917
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11833115
BTW, the vulnerabilities are there, but I never heard about anyone having been exploited by them..
0
 
LVL 18

Accepted Solution

by:
chicagoan earned 63 total points
ID: 11833117
Nothing's 100% safe

http://www.securitytracker.com/alerts/2004/Aug/1010952.html

although in general a PDF may be safer than a word document.

You could (should) use a server-side virus scanner to scan incoming docs, which ought to make things reasonably secure.
0

 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 62 total points
ID: 11837302
A virus scanner will do the trick for most of the "popular" or viral exploits, but custom made ones are a bit tougher. JPEGs, GIFs and PNG files have all had an exploit in the past, but they mainly affected the viewing application, that's where the exploit was, not really the "Standard" of the datagram (jpg,gif,bmp,png,mp3,pdf...etc)

A program that I am finding more and more uses for is TDS-3, and it's quite good with its heuristics capabilities, even detects some really simple code (del *, rmdir *, rm -rf etc..) as well as more elaborate code in many file types... I've not looked into its use at detecting macros and such in M$ office docs but I will now ;) http://tds.diamondcs.com.au/
====
Which kinds of malicious software does TDS detect?
 
TDS essentially detects anything malicious that isn't a virus. This includes RAT Servers, RAT EditServers, RAT Clients, RAT Plugins, RAT DDoS Servers, FTP RATs, Droppers, Binded trojans, Packed Servers, Keyloggers, Spyware, Mail Trojans, Password Stealers, Internet Worms, mIRC Worms, Malicious DLLs, Monitors, Spyware, and many others.  
====
There are no exploits for Plain Text files... but for the most part, a good virus scanner will do the trick, as well as disabling macros in your office apps themselves, a disclaimer on your site may be necessary, as you cannot guarantee each document.

http://www.kb.cert.org/vuls/id/287067 (exploit for the app, or rather the way the app handles the malformed data... these could exist similarly with pdf's etc...)
-rich


0
 
LVL 8

Author Comment

by:jhurst
ID: 11837373
Guys, this was GREAT!

I think I am going to leave this open a little longer to see if there is any additional info that I get but what I have received so far will certainly get some, if not all, of the points.
0
 
LVL 8

Author Comment

by:jhurst
ID: 11837396
BTW, I realize that a reader/viewer is vulnerable to bugs/attacks etc, such as buffer overflow.  What I am more concerned about is the types of exploits that seem so common in word documents.  Clearly I am not going to allow .exe files.  The question really is, how restrictive should we be.

From what I am seeing so far, it seems that I should be fairly safe allowing PDF.

I am tending towards allowing:
gif, jpg, html, pdf and word
with different disclaimers for each.  Sort of pointing out that the latter ones are potentially more at risk than the earlier ones.
0
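A server-side pre-filter for the allowlist discussed in this thread, as an added example that is not code from any poster: it checks that an upload's leading bytes match its claimed extension and rejects Word files that carry a VBA macro project. The function name, the sample byte strings and the `_VBA_PROJECT` byte search are assumptions made for illustration; html is left out because it has no fixed leading signature.

```python
import os

# Leading-byte signatures for the binary types the asker proposes to allow.
SIGNATURES = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),  # OLE2 compound file header
}

# OLE2 directory entry names are stored as UTF-16LE. A Word file with macros
# contains a stream with this name, so a byte search is a cheap heuristic
# (assumption: a full OLE parser would be used where accuracy matters).
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def check_upload(filename, data):
    """Return (accepted, reason) for an uploaded file's name and raw bytes."""
    ext = os.path.splitext(filename)[1].lower()
    if ext == ".jpeg":
        ext = ".jpg"
    magics = SIGNATURES.get(ext)
    if magics is None:
        return False, "extension not on allowlist"
    if not data.startswith(magics):
        return False, "content does not match extension"
    if ext == ".doc" and VBA_MARKER in data:
        return False, "Word document contains a VBA macro project"
    return True, "ok"


# Constructed sample inputs: header bytes only, not real documents.
OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SAMPLES = {
    "photo.gif": b"GIF89a" + b"\x00" * 16,
    "report.pdf": b"%PDF-1.4\n",
    "invoice.pdf": b"MZ\x90\x00",  # executable header renamed to .pdf
    "letter.doc": OLE + b"\x00" * 64 + "WordDocument".encode("utf-16-le"),
    "macro.doc": OLE + b"\x00" * 64 + VBA_MARKER,
    "setup.exe": b"MZ\x90\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, check_upload(name, blob))
```

A file that passes this filter is only well-typed and macro-free by this heuristic; it still goes through the server-side virus scanner recommended above.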
