Friday | 5 September, 2008
Computerworld
First came the Zip Bomb, now comes the PDF Bomb
PDF vulnerability poses new challenges to antivirus/antimalware scanning software.
Carl Jongsma 26/05/2008 14:04:28

Computerworld Buyer's Guide - Vendors Matched to this Article
Dimension Data , Trend Micro , GFI , MessageLabs , CA
Additional Resources
Executive Guides
Whitepapers
white paper Read up on the latest ideas and technologies from companies that sell hardware, software and services.
Zones
Zone logoZones provide focussed content from Computerworld and leading technology partners.

Newsletter Subscription

Sign up for our Computerworld newsletters!
Computerworld's twice-daily news service keeps you in touch with the latest, most important headlines from Australia and around the world.
Keep up with the latest virtualisation technologies, products, news and features.
IDG's security alert service provides you with alert emails for new virus releases or security incursions of significant importance.
A weekly round-up of virus alerts, bug reports, patch releases and security news.
RSS Feeds

A Zip Bomb is a small Zip file that exploits capabilities of compression algorithms and settings to expand into a file or set of files that consume system resources to the point of system unusability. Didier Stevens, continuing his recent work in finding interesting sections of the PDF data scheme, has described techniques for the PDF equivalent of the Zip bomb, or a PDF Bomb.

Stevens' discovery comes after he looked closer at PDF Stream Objects. Within the PDF specification, a stream object is merely a form of packaging data as a sequence of bytes using one of a variety of encoding methods. A compliant PDF reader will then interpret the PDF file and reconstitute the stream object as the data that it originally represented. The great power of a stream object is that it allows the storage of complex visual representations in a straight forward and consistent manner.

It is the encoding options which is where the PDF Bomb gets its power from. Through the use of a 'stream filter' different encoding methods can be used to obfuscate the original data and provide a more compact means of storage when the filter being used is a compression filter. Stevens discovered that chaining two or more filters together, which he has dubbed a 'Filter Cascade' can lead to interesting outcomes when the resulting stream object is decoded by a compliant reader. Apart from the obvious system resource usage required to run subsequent filters on the same data, some of the filter options can be fed parameters that change how the data is filtered and how it is finally represented.

In testing, Stevens managed to create a PDF file that was only 2642 bytes in size, but which managed to decompress to 1GB of data through the use of filter parameters and filter cascading.

This now poses a challenge for antivirus/antimalware scanning software to adequately filter a booby-trapped PDF document without having to devote excessive resources to it. When other techniques for hiding malware in PDF files are considered (such as those already made public), it poses a seemingly impossible to solve problem for protective software developers. Because of the nature of PDF stream objects, techniques to identify and isolate Zip Bombs may not be applicable to PDF Bombs, though some observation of resource demands when filtering stream objects will highlight a potential PDF Bomb.

It is also a problem for PDF readers. How are they going to handle files that are created like this without failing? In Stevens' testing, he found that the 2642 byte PDF file was capable of bringing some readers to a halt. Perhaps some inbuilt monitoring of resource demands, similar to what is suggested above, will be a viable option for PDF reader developers.

Computerworld Buyer's Guide - Vendors Matched to this Article
Dimension Data , Trend Micro , GFI , MessageLabs , CA
More about Wikipedia
Market Place
Discover the latest web security SaaS solutions | Download new IDC white paper to lessen your IT burden
Computerworld Webinar | Business Mashups - Building the Intelligent Organisation by Empowering Users | 11am Tues 16th Sep 08
Enter our reader survey today and you could walk away with one of 2 Motorola MOTORAZR2 V9's up for the taking.
Discover trends in the B2B infrastructure market in 2008 | Download new Gartner white paper now.
WIN a printing technology upgrade worth $20k* with HP MFPs! >> CLICK HERE TO ENTER.
Software & Systems Quality Conferences: 30 – 31 October 2008 in Canberra. Book now!

Computerworld Member Login


 
CA Knowledge Centre

IT Security as a business enabler?
Download CA's white paper

Link IT services with business goals.
Download CA's white paper

Prioritizing Services with IT Service Management (ITSM)

Computerworld Live Webinar
Wednesday 20th, August 2008
11:00am EST (Sydney, Australia)

To be repeated on:

Thursday 4th, September 2008
11:00am EST (Sydney Australia)

Sign up and receive a free copy of The Forrester WaveTM Service Desk Management Tools, Q2 2008 at the conclusion of the Webinar.

Attend and discover:

  • How to deliver value to your business through ITSM
  • Best practice ITSM implementation
  • Why emphasis is changing from optimizing IT management processes to better servicing customers and demonstrating real dollar value
  • If service-oriented ITSM is best for your business
Whitepaper
Did you GET the memo? Getting you from Web 1.0 to Web 2.0 Security

Read Whitepaper

Did you GET the memo? Getting you from Web 1.0 to Web 2.0 Security

Enterprises have forged ahead with the rapid evolution from Web 1.0 to Web 2.0 without addressing the inherent security risks. It is imperative for organisations to continue to embrace new technologies to survive, but security must shift from being an after thought to a primary consideration. Read on to find out more.

Enterprise IT Buyer's Guide
Find Technology Vendors Fast
 
Find vendors by name | Find by category
Sponsored Links