Solved

safety of pdf

Posted on 2004-08-18
Last Modified: 2012-05-05
I know that MS Word documents can contain dangerous code.  I know that gif and jpgs are safe.

How about PDF, is that safe?

And, is there any easy way that I can make sure that an MSWord document does not contain executable code.  I need to do this on the server.

What we are trying to do is allow people to attach files to their data on our site.  We do not however want to allow them to attach things that may carry viruses and trojans and things.
Question by:jhurst
8 Comments
 
LVL 15

Expert Comment

by:Yan_west
ID: 11833097
There was some vulnerability in Adobe Acrobat Reader... the vulnerability is in the software.. you have to update to the most recent patch to fix it.. here are a few examples of vulnerabilities:

http://www.planetpdf.com/enterprise/article.asp?ContentID=6669
http://www3.ca.com/securityadvisor/vulninfo/Vuln.aspx?ID=27917
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11833115
BTW, the vulnerabilities are there, but I never heard about anyone having been exploited by them..
0
 
LVL 18

Accepted Solution

by:
chicagoan earned 63 total points
ID: 11833117
Nothing's 100% safe

http://www.securitytracker.com/alerts/2004/Aug/1010952.html

although in general a PDF may be safer than a word document.

You could (should) use a server-side virus scanner to scan incoming docs, which ought to make things reasonably secure.
0

 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 62 total points
ID: 11837302
A virus scanner will do the trick for most of the "popular" or viral exploits, but custom-made ones are a bit tougher. JPEG, GIF and PNG files have all had an exploit in the past, but they mainly affected the viewing application; that's where the exploit was, not really the "standard" of the datagram (jpg, gif, bmp, png, mp3, pdf, etc.).

A program that I am finding more and more uses for is TDS-3, and it's quite good with its heuristics capabilities; it even detects some really simple code (del *, rmdir *, rm -rf, etc.) as well as more elaborate code in many file types... I've not looked into its use at detecting macros and such in M$ Office docs, but I will now ;) http://tds.diamondcs.com.au/
====
Which kinds of malicious software does TDS detect?
 
TDS essentially detects anything malicious that isn't a virus. This includes RAT Servers, RAT EditServers, RAT Clients, RAT Plugins, RAT DDoS Servers, FTP RATs, Droppers, Binded trojans, Packed Servers, Keyloggers, Spyware, Mail Trojans, Password Stealers, Internet Worms, mIRC Worms, Malicious DLLs, Monitors, Spyware, and many others.  
====
There are no exploits for plain text files... but for the most part, a good virus scanner will do the trick, as well as disabling macros in your Office apps themselves. A disclaimer on your site may be necessary, as you cannot guarantee each document.

http://www.kb.cert.org/vuls/id/287067 (exploit for the app, or rather the way the app handles the malformed data... these could exist similarly with PDFs, etc.)
-rich


0
 
LVL 8

Author Comment

by:jhurst
ID: 11837373
Guys, this was GREAT!

I think I am going to leave this open a little longer to see if there is any additional info that I get but what I have received so far will certainly get some, if not all, of the points.
0
 
LVL 8

Author Comment

by:jhurst
ID: 11837396
BTW, I realize that a reader/viewer is vulnerable to bugs/attacks etc, such as buffer overflow.  What I am more concerned about is the types of exploits that seem so common in word documents.  Clearly I am not going to allow .exe files.  The question really is, how restrictive should we be.

From what I am seeing so far, it seems that I should be fairly safe allowing PDF.

I am tending towards allowing:
gif, jpg, html, pdf and word
with different disclaimers for each.  Sort of pointing out that the latter ones are potentially more at risk than the earlier ones.
0
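
A server-side pre-filter for the upload scenario discussed in this thread, as an added example that is not code from any of the posters: it identifies gif, jpg, pdf and Word uploads by their content rather than their file name and flags Word macros and PDF script or auto-action markers before the file goes to the virus scanner. The function names, the accept/quarantine/reject labels and the sample inputs are assumptions constructed for illustration; HTML has no magic bytes and is not handled here.

```python
import io
import zipfile

# Magic bytes for the types proposed in the thread (HTML has none; not handled).
MAGIC = {
    b"GIF87a": "gif", b"GIF89a": "gif", b"\xff\xd8\xff": "jpg", b"%PDF-": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "doc",  # OLE2 container (legacy Word)
    b"PK\x03\x04": "docx",                        # zip container (.docx/.docm)
}
PDF_ACTIVE = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch")  # script/auto-action names


def examine(data: bytes):
    """Return (kind, reasons); kind is None when the content is not on the allow-list."""
    kind = next((k for m, k in MAGIC.items() if data.startswith(m)), None)
    reasons = []
    if kind == "pdf":
        reasons = [t.decode() for t in PDF_ACTIVE if t in data]
    elif kind == "doc":
        # A VBA project lives in a stream named _VBA_PROJECT, stored as UTF-16LE.
        if "_VBA_PROJECT".encode("utf-16-le") in data:
            reasons.append("VBA project stream")
    elif kind == "docx":
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return None, ["corrupt zip container"]
        if "word/document.xml" not in names:
            return None, ["zip archive is not a Word document"]
        reasons = [n for n in names if n.lower().endswith("vbaproject.bin")]
    return kind, reasons


def decide(data: bytes) -> str:
    """accept = pass to the virus scanner; quarantine = active content; reject = unknown type."""
    kind, reasons = examine(data)
    if kind is None:
        return "reject"
    return "quarantine" if reasons else "accept"


def sample_docx(with_macro: bool) -> bytes:
    """Constructed sample: a minimal zip shaped like a Word file, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()
```

These are byte-level heuristics: PDF names can be hex-escaped or sit inside compressed object streams, so a file with no hits still needs the server-side virus scan recommended above.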


Question has a verified solution.
