I do the newsletter for my neighborhood. I’m trying to get the neighbors to get the newsletter via e-mail vs. snail nail. One lady voiced opposition saying she never opened attachments.
I have a .pdf writer (Adobe Acrobat 3.0) and wondered if I could possibly send out a virus using it. As far as I know it’s just a “picture” of the document.
IANA computer geek, but my understanding is that certain viruses can be “programmed” to masquerade as legitimate formats, like .pdf. They do this by hiding the part of their title (?) that would ordinarily say “.vbs” for virus, and showing you only the fake part that says “.pdf”.
Or something like that.
I’m sure that a real Computer Geek will be along in a minute to explain it better. 
Why does the newsletter have to be in .pdf format, anyway? Can’t you just send it as regular e-mail?
I never open attachments, either.
OK, there are two questions here:
A real PDF file cannot be a virus because it is never executed as a program. PDF is the Portable Document Format: It’s a way of making a pretty document you can print or (theoretically) read on-screen. It isn’t anything more complex than that, and, unlike some formats I could name (Word), it has no in-built facility for hiding scripts.
A false PDF file could be anything. Here’s how it’s done: In the MS world, a standard file name adheres to a simple naming strategy: name.ext. ‘name’ is the file’s name, ‘ext’ is a three-letter way to identify file type. A hidden viral file could include a period in the ‘name’ field, making it look like this: name.fex.ext. ‘name’ is the false name, ‘fex’ is the false extension the casual user sees, and ‘ext’ is the real extension the computer acts upon. So it looks like name.fex while it’s really name.fex.ext. Like goodfile.pdf.exe, which looks like goodfile.pdf but is actually an executable file (and, possibly, a virus).
A virus could corrupt PDF files like it could corrupt anything else, but it wouldn’t help the virus spread.
Acrobat 5 and higher support embedded objects, which could be anything, including virus/trojan files. See
http://vil.nai.com/vil/content/v_99179.htm
You currently can’t get infected just by opening a PDF file in the Acrobat reader.
Actually, I have done some scripting with pdf files and I will say that it’s possible to write a trojan or virus in one rather similar to how viruses get put into Microsoft Office documents. However, to date I am not aware of any pdf macro viruses (for lack of a better term) and I wasn’t into the destructive potential the scripting I was using so I’m not certain how effective such a virus or trojan could be.
In short, a technical yes but don’t worry about it.
Because I create the newsletter in Word97 (insert obligatory curses) and not everyone has Word97 or higher. My newsletter is usually 4 or 5 pages including graphics and photos so I thought .pdf was a good solution for everyone who has e-mail since the Acrobat reader is free. I could just send a text version out via e-mail, I suppose, but that would mean even more work for me…
Actually I’m going to switch to WordPerfect now that I have Acrobat, even though Corel sold out and now their word processor looks and acts depressingly like Word. Though WP still have “Reveal Codes” and paired coding which makes it infinitely superior to Word.
But I digress…
Although it may be true that trojans etc can be embedded in pdf files, this is not relevant because YOU are creating the pdf file, not some virus programmer, so the file cannot contain a virus.
Duck Duck Goose: like derleth says, except that you can get around this by going: My computer > tools > folder options > view and unchecking the ‘Hide file extensions for known file types’ box.
Why don’t you get some free Web space and use Word’s “convert to html” feature (or is it “save as- html”) to post it? Then you can send people a link, and they can print out what they want.
Version 4.0 of the Acrobat viewer for Windows contained a buffer overflow bug which could allow a (deliberately) malformed PDF file to crash the viewer program, or even to cause the program to execute machine code embedded in the document.
http://www.adobe.com/misc/pdfsecurity.html
I don’t know about any virus or trojan actually exploiting this bug. As far as I know, Acrobat is very safe compared to, say, browsing the Web with Internet Explorer. There’s something to be said for erring on the side of caution, though.
To avoid the security problems with PDF, consider other formats, such as ps (Postscript) or dvi (Device Independent format). Both are non-proprietary and can be viewed and created with programs that run in MS-Windows (for example, WP2LaTeX converts WordPerfect files to LaTeX files, which can then be converted to dvi with another free program (called latex, incidentally :))). dvi viewers are also free, and anyone concerned about the security of PDF files should be interested in having one.
That won’t solve the problem of PunditLisa’s security-conscious neighbour refusing to open any e-mail attachments, even from someone she presumably trusts. If she won’t trust a well-known and respectable format like Acrobat, how will you get her to open a file in a format she’s probably never heard about? It also won’t help with the misleading-filename-extension trick, which is a problem of the mailclient and can therefore be used with any file format including plain text.
While it is true that free viewers exist for Postscript and DVI, I’d say it is not a very realistic choise for distributing a newsletter, especially to Windows users, because the viewers for those formats are nowhere near as popular as PDF. Also, Postscript has had its own security problems in the past. Just because one particular dot-oh version of the Acrobat viewer contained a buffer overflow, which has long since been patched, doesn’t mean the format is less secure than the alternatives.
Sorry to go off-topic, but I wanted this quote and I don’t know how to use the various features that some people use. In Win2000, I have one file type that refuses to show its extension no matter what I do. The extension is cnf and it is, not surprisingly, used for a number of configuration files. Windows insists its type is “speed dial” and resolutely refuses to display the file type. As far as I know I did everything suggested and it certainly displays all other types. Any thoughts?
Hari: Damn strange problem I’ve never come across. An end-run tactic might be to open a DOS terminal window and to run ‘dir /p’ (directory listing, paged, so it won’t go by so fast you can’t see it) in the directory the files are in. Not the solution you wanted, but it still should work.
Various text editor programs should also show the extension.
I know of no way to make Explorer show an extension if it doesn’t want to. (Have you tried to view the file’s ‘Properties’ in the right-click context menu? Just a thought.)
Hari,
That’s the fault of your NeverShowExt registry keys. You can eliminate the problem by following these directions.
Thanks, that worked. Only those directions were not quite accurate. I forget the details, but the instructions to uncheck two of the three boxes resulted in nothing being found. I searched everything and found them.