Hi, a PSA for today. Apologies if this has been discussed recently.
This morning I received this text —
A quick search yielded these —
No, I did not click on it!
PDFs can certainly have malicious links, but an actual virus? I’d like to see an example.
I don’t know about “example”, but here’s here’s the article from Adobe (who invented the format) hinted at in @Bullitt’s post:
https://www.adobe.com/acrobat/resources/can-pdfs-contain-viruses.html
Disclaimer- I Have Not Read The Article
If Adobe says you can get a virus by downloading a PDF, I’m going to believe them. This really sucks. OTTOMH Septa (the local public transit authority) have a web site that is not intuitive, user friendly, or well designed. All maps and schedules are available for download as PDF’s. Septa’s physical security measures are terribly implemented and inadequate. I see no reason to think their cyber security is any better. They will soon be a hub for virus distribution.
Yes it does suck. JPEGs and PNGs, maybe not yet (a guess), but we’re always texting pictures to each other, right?
Sucks.
A little more googing found a PDF-vectored virus in CISecurity’s 2024’s Top 10 list:
I’ve even heard of Jupyter this year, although I’m only peripherally associated with cyber.
Discussion at stackexchange:
Yes, pdf malware is a thing and have been for a long time, but most pdf readers screen for them. Which is why you should keep your .pdf program updated.
PDFs can contain javascript for example.
This is very odd wording. A dot-com file? A Gmail file? Is a Bitcoin a file?
Well, back in the old days of DOS (and CP/M before it), a .com file was an executable program. I don’t know if the command processor in recent Windows releases still recognizes a .com executable.
There was a trend a couple decades ago of using a “.com” executable program embedded in a web page, depending on the confusion with a “.com” website URL.
Bit of a coincidence, as I was googling this just today and landed on Adobe’s answer. In that article they also recommend a website you can use to scan PDFs: VirusTotal
Also, from this thread, I just learned what a watering hole attack is.
I think the first indication of a scam is USPS doesn’t send text messages out of the blue. They have a “text tracking” service but as I understand it you have to initiate contact and provide the tracking number.
I think in most cases of stuff written for laymen, the word “virus” just means “bad for your computer” IOW what the pros call “malware” and “malicious content”.
The layman term “virus” does not mean “self-replicating self-spreading executable software” as the pros use the term. On the rare occasions they’re bothering to be precise.
Adobe has a terrible record in quality control of its software. Hole, after hole after hole. People looking at these exploits often can’t understand how stupid these mistakes are.
Hence Adobe Flash Player was killed off. And to make sure MS, in one of their updates, auto removed it from customers’ MS-Windows systems. It’s. Just. That. Bad.
In addition to exploiting the programming-like features with the PDF markup language, people also exploit things like buffer overflows and a bunch of other common holes bad programmers don’t properly tend to.
Note that files like GIFs and JPEGs can also contain viruses. E.g., years ago someone found a buffer overflow in the standard LZW decompression library that almost all GIF decoders (and a bunch of stuff) used. Urgent bug fix and rollout ensued.
And it still keeps happening. A couple years ago a flaw was found in the way MS-Teams handled GIFS which allowed people to send a malicious GIF that when shared via MS-Teams allowed malware installation of the receiver’s end.
So, stop using Adobe and such. I use Foxit’s reader.
Yes, Adobe has been pretty bad about security for decades, and PDF malware has been around for a long time. That’s why, if you use an Adobe product to handle PDFs, you should be very scrupulous about keeping it up-to-date. Or any of them, really. We are an Adobe shop where I work and it’s a constant battle.
Eh…
Just try to keep your PDF software patched, regardless of which one you use.
(I am personally not a huge fan of Adobe in general so I’m not defending them, but it’s not like you can use Foxit and relax.)
Maybe a nitpick, but Adobe says you can get a virus by opening a PDF, not just by downloading one, assuming I’m reading the article correctly.
You are technically correct, the best kind of correct to be.
Seriously, you are right. I admit my error.
That difference is far beyond the tech skillz of 80% of computer/ tablet / phone users.
“Touch it in any way and you’re fuxxored” is close enough for them.
Definitely. I was suspicious about that. I was never tempted to click on the PDF.
It’s probably not the actual pdf you have to worry about, it’s that if you tap it, it will take you to a phony USPS page that will instruct you to enter all your personal information.
Is the PDF reader baked into Firefox any safer? And I think Chrome has one too now, right? I’m not sure if they are tied into the browser sandbox somehow. Or if they’re generally safer than a standalone desktop app?