Malicious PDF files and embedding

I was reading Didier Stevens’ posts on the creation of malicious PDF files and embedding other files within PDF files.  He mentions that he ran all his tests using Adobe Acrobat Reader 8.1.2 and Foxit Reader 2.2.  I wanted to see how affected Mac OS X would be. [Update: For the sake of thoroughness, I ended up testing with Acrobat 9.1.0, 9.1.2 and Foxit 3.0]

Mac OS X has PDF support built-in.  I love that I can save a Word or Pages document directly to PDF.  I need no additional software to accomplish this.  Mac OS X uses the Preview Application to read PDF files.  Given that the majority of the OS X users will rely on Preview, I constrained myself to only use Preview for testing.

I started at the top, examining the structure of a PDF file.  In my case, I looked at how OS X creates a basic PDF file and attempted to draw parallels with the structure Didier presents in his post.  So I opened up the OS X standard text editor TextEdit, created my “Hello World!” document and saved it as a PDF.  There was no “Save As” to PDF, so I just used the “Print” option and saved it as a PDF.  When opened back in TextEdit, the PDF file looked like this:

[Screenshot: PDF Structure]

The first thing I noticed was that the PDF versions were different.  Didier had version 1.1 and mine was 1.3.  My file also had quite a few extra objects.  While Didier’s had 7 objects in the xref, I had 17.  I probably need to keep in mind, however, that he did his article in mid-2008, over a year ago.  The overall structure of the PDF, however, seems to have not changed:

  • Header
  • Objects
  • Xref
  • Trailer

I wanted to try my hand at adding another object to a PDF file.  So I tried to add a URI with OpenAction similar to Didier in this post.  I opened the new file in Preview; absolutely nothing happened.  Knowing that I had to be more thorough, I fired up my XP VM and Adobe Acrobat Reader 9.1.0.  Sure enough, I received the prompt asking if I want to connect to http://chirashi.zensay.com

[Screenshot: OpenAction Chirashi]

So the OpenAction does not work on OS X’s Preview Application.  Kind of a good thing I guess.  Especially when you see some of the threats out there.  Next I wanted to find out if Preview handles JavaScript in the same way.  You did know that you can trigger JavaScript as PDF actions as well, right?  Of course you did!

Sure enough, Preview does not honor the JavaScript execution, but Adobe Acrobat 9.1.0 and 9.1.2 do so with a nice little Warning window.  Not sure how useful the Warning window is considering the JavaScript was executed already.  I recall reading some WebSense blog posts regarding similar PDF-based attacks here and a newer one here.

[Screenshot: OpenAction JavaScript]
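To make the structure discussion and the OpenAction tests above concrete, here is an added example (my own code, not from this post and not Didier Stevens’ tools) that does a static triage of a PDF: it reads the header version, walks the `obj`/`endobj` pairs, confirms the xref and trailer are present, and flags the names that make a document act when opened (/OpenAction, /AA, /JavaScript, /JS, /URI, /Launch), which is exactly what Preview ignored and Acrobat honored.  The sample PDFs are constructed in memory with the same four-part layout (header, objects, xref, trailer); the URL and the `app.alert` string are placeholders.

```python
"""Static triage of a PDF's top-level structure and auto-launch actions.

Added example, not code from the original post or from Didier Stevens.
Sample PDFs are constructed below; the URL is a placeholder.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Names that cause a reader to act on open; the post shows /OpenAction + /URI
# and /OpenAction + /JavaScript being honored by Acrobat but not by Preview.
SUSPICIOUS_NAMES = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/URI", b"/Launch")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
NAME_RE = re.compile(rb"/([A-Za-z0-9#]+)")  # PDF names may carry #xx hex escapes


def decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes so /Java#53cript is matched as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)


@dataclass
class PdfReport:
    version: str
    object_count: int
    has_xref: bool
    has_trailer: bool
    flags: dict = field(default_factory=dict)  # suspicious name -> object numbers

    @property
    def suspicious(self) -> bool:
        return bool(self.flags)


def scan_pdf(data: bytes) -> PdfReport:
    """Parse header, objects, xref and trailer; collect auto-action names per object."""
    header = re.match(rb"%PDF-(\d\.\d)", data)
    version = header.group(1).decode() if header else "unknown"
    flags: dict[str, list[int]] = {}
    count = 0
    for num, _gen, body in OBJ_RE.findall(data):
        count += 1
        # Names inside string literals (e.g. a URL) also match here; that only
        # adds harmless extra names, it never hides a real /OpenAction.
        names = {b"/" + decode_name(n) for n in NAME_RE.findall(body)}
        for s in SUSPICIOUS_NAMES:
            if s in names:
                flags.setdefault(s.decode(), []).append(int(num))
    has_xref = re.search(rb"^xref\b", data, re.MULTILINE) is not None
    has_trailer = re.search(rb"^trailer\b", data, re.MULTILINE) is not None
    return PdfReport(version, count, has_xref, has_trailer, flags)


def triage_line(report: PdfReport) -> str:
    """One-line verdict suitable for a log or a mail gateway annotation."""
    if not report.suspicious:
        return f"PDF {report.version}, {report.object_count} objects: no auto-actions"
    hits = ", ".join(f"{k} in obj {v}" for k, v in report.flags.items())
    return f"PDF {report.version}, {report.object_count} objects: REVIEW ({hits})"


def build_sample_pdf(open_action: bytes | None) -> bytes:
    """Construct a minimal PDF (constructed sample, not the post's file).

    If open_action is given it becomes object 4 and the catalog gets
    /OpenAction 4 0 R, the same edit the post describes. Real xref offsets
    are computed so the file also opens in a normal reader.
    """
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R" + (b" /OpenAction 4 0 R" if open_action else b"") + b" >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
    ]
    if open_action:
        objs.append(open_action)
    out = bytearray(b"%PDF-1.3\n")
    offsets = []
    for i, o in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (i, o)
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_pos)
    return bytes(out)


# Constructed actions: a URI open action, and a JavaScript action whose /S name
# is hex-escaped, the kind of trick a scanner must normalise before matching.
URI_ACTION = b"<< /Type /Action /S /URI /URI (http://example.invalid/) >>"
JS_ACTION = b"<< /Type /Action /S /Java#53cript /JS (app.alert('hello');) >>"

if __name__ == "__main__":
    for label, action in (("clean", None), ("uri", URI_ACTION), ("js", JS_ACTION)):
        print(label, "->", triage_line(scan_pdf(build_sample_pdf(action))))
```

This textual pass is enough for PDF 1.1–1.4 style files like the ones in the post.  Newer files can hide objects inside compressed object streams (/ObjStm with /FlateDecode), so a production triage tool inflates those streams before matching names; the same /OpenAction and /JS indicators still apply once the content is decoded.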

A question I want to pose here is do we really need all this functionality anyway?  I have used Preview for over 3 years now (Mac convert for that long) and I have not had to deal with any breakage in functionality or a different user-experience when dealing with PDF files.  Does anyone USE Adobe JavaScript?  You might as well turn off your JavaScript by going into Edit->Preferences->JavaScript and uncheck the Enable Acrobat JavaScript.

[Screenshot: Disable JavaScript]

Once again for the sake of being thorough, I downloaded and installed Foxit 3.0 for XP just to give it a shot.  Wow, so, while I’m here ranting about Adobe, guess what Foxit does?  It directly opens the URL in your default browser.  I am not kidding :D   Try the JavaScript file and it doesn’t do anything.  Maybe it can’t do an alert box.  I need to research further and post results.  I think I’m going to stop for now and write another post about the actual file embedding research that I did.

What can we take away from here?  I think the idea of keeping things simple is the way to go, Preview clearly does this.  I’m sure that there are people who use all the bells and whistles of Acrobat, but really, I mean how many people could there be?  No, that’s a legitimate question.  How many of you do?

Files that I used to run these tests can be found here
