Security Issue?

The PDF-XChange Viewer for End Users

Mattes57
User
Posts: 81
Joined: Tue Aug 12, 2008 4:10 pm

Security Issue?

Post by Mattes57 »

I just read this article about a possible security issue discovered by Didier Stevens (said to be a PDF security expert).
Maybe it's of interest for you.
Stefan - PDF-XChange
Site Admin
Posts: 19930
Joined: Mon Jan 12, 2009 8:07 am

Re: Security Issue?

Post by Stefan - PDF-XChange »

Hello Mattes,

Thank you for posting this here. We will investigate now and provide any news here.

Best,
Stefan
Paul - PDF-XChange
Site Admin
Posts: 7445
Joined: Wed Mar 25, 2009 10:37 pm

Re: Security Issue?

Post by Paul - PDF-XChange »

Hi Mattes57

thanks for that one. We are looking into what to do here. As the author of that article points out, it is in the PDF specification to allow access to execute files. PDF-XChange Viewer does prompt the user with a warning the first time such an event happens, unless you have previously checked the box "Do not show this message again".


Note that in this case the command was not launched because the request was simple and did not include the full path. This however is not an issue for someone whose intent is malicious.


So the question might be - do we not allow users to stop prompts for executables? This would seem a 'safer' approach but be quite an inconvenience to users who are aware of the risks and making a conscious choice to run executables...
Best regards

Paul O'Rorke
PDF-XChange Support
http://www.pdf-xchange.com
Mattes57
User
Posts: 81
Joined: Tue Aug 12, 2008 4:10 pm

Re: Security Issue?

Post by Mattes57 »

The original German version of that article has an update: in Adobe Reader, it would be sufficient to disable "allow non-PDF attachments to be opened by external programs".

This is a link to the blog entry from Didier Stevens
Paul - PDF-XChange
Site Admin
Posts: 7445
Joined: Wed Mar 25, 2009 10:37 pm

Re: Security Issue?

Post by Paul - PDF-XChange »

Thanks Mattes57,

we have decided that the feature where users can disable the warnings for launching executables [Do not show this message again.] will be changed in future releases so that users are always warned about this.

thanks for keeping on this!
Best regards

Paul O'Rorke
PDF-XChange Support
http://www.pdf-xchange.com
Spiff
User
Posts: 82
Joined: Sun Apr 18, 2010 11:41 am

Re: Security Issue?

Post by Spiff »

Mattes57 wrote: [...] it would be sufficient to disable "allow non-PDF-Attachments to be opened by external programs".
Yes, like the option Adobe Reader offers in Preferences\ Trust Manager,
an option to disallow opening of non-PDF file attachments with external applications.
See: http://blogs.adobe.com/adobereader/2010 ... ction.html

The very good news is that such an option is now available in PDF-XChange Viewer,
version 2.0.0050.0, release 13 April 2010.

See: http://www.docu-track.com/PDFXV_history.html#2.0.0050.0
"Added security options for Open/Launch Files or Programs, look into [Preferences/Security]."

After updating, you can find this new security option in PDF-XChange Viewer
in Edit\ Preferences\ Security\ File Open and Program Launch Actions.

For "Allow Launch Actions" and "Allow File Attachments opening" the default setting is "Always ask me for non-PDF(s) only",
but if you're sure you don't want to and don't need to run embedded files from any PDF
you can now choose "Never".

I think this is a very welcome improvement to PDF-XChange Viewer.
Good work, Tracker Software!


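For readers who want to check a PDF for the /Launch actions this thread is about before relying on the viewer's prompt, here is an added detection example (my own code, not from the forum or from Tracker Software). It scans uncompressed objects for a /Launch action, normalises the #xx name escapes a naive string search would miss, and notes whether the document's /OpenAction triggers it on open; the embedded PDF is a constructed sample.

```python
import re

# Constructed minimal PDF whose /OpenAction is a /Launch action. The name is
# written as /L#61unch (PDF #xx escape) to show why plain grep for "/Launch"
# is not enough. "example.exe" is a placeholder, not a real target.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj
4 0 obj << /Type /Action /S /L#61unch /F (example.exe) /P (--flag) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
PDF_NAME = re.compile(rb"/([A-Za-z0-9#_.\-]+)")


def _normalize_name(raw: bytes) -> bytes:
    """Decode #xx escapes so that /L#61unch compares equal to /Launch."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1).decode(), 16)]), raw)


def find_launch_actions(pdf: bytes) -> list:
    """Return one dict per object containing a /Launch action.

    Limitation (by design of this short example): only plain, uncompressed
    objects are inspected; objects packed into object streams are not seen.
    """
    open_action = re.search(rb"/OpenAction\s+(\d+)\s+\d+\s+R", pdf)
    auto_obj = int(open_action.group(1)) if open_action else None
    findings = []
    for m in OBJ.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        names = {_normalize_name(n) for n in PDF_NAME.findall(body)}
        if b"Launch" not in names:
            continue
        # /F holds the file or program the action would launch.
        target = re.search(rb"/F\s*\((.*?)\)", body, re.S)
        findings.append({
            "obj": num,
            "target": target.group(1).decode("latin-1") if target else None,
            "auto_open": num == auto_obj,  # fires when the document is opened
        })
    return findings


if __name__ == "__main__":
    for f in find_launch_actions(SAMPLE_PDF):
        print(f)
```

A hit with "auto_open" True is exactly the case where the "Never" setting described above, rather than a previously dismissed prompt, decides whether anything runs.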
John - Tracker Supp
Site Admin
Posts: 5225
Joined: Tue Jun 29, 2004 10:34 am

Re: Security Issue?

Post by John - Tracker Supp »

many thanks - pleased it is agreeable :)
If posting files to this forum - you must archive the files to a ZIP, RAR or 7z file or they will not be uploaded - thank you.

Best regards
Tracker Support
http://www.tracker-software.com