I know that most of you are probably already sick of malicious PDF documents, but one of our readers, Will Thomson, sent a really interesting malicious PDF document that used some more advanced obfuscation techniques that I wanted to share with everyone. So, let's get to work.
When called like this, the app.doc.getAnnots() call will return an array of objects that will contain all annotations. This is important to remember.
Take a look at the code below, which I tidied a bit for you so you can read it more easily:
Especially important are lines 6-13. So, what do the attackers do here:
While there have been a lot of words and warnings about how important it is to patch Adobe Reader installations, I would like to stress this again, as attackers are clearly not sleeping.
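For triage, JavaScript that calls app.doc.getAnnots(), as described above, can be looked for statically, including inside compressed streams. The Python below is an added example, not code from the original diary or from the sample; the function names and the PDF-like test bytes are constructed for illustration, and it assumes streams use only the FlateDecode filter.

```python
import re
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

def searchable_views(pdf_bytes):
    """Return the raw file plus every stream body that inflates (FlateDecode)."""
    views = [pdf_bytes]
    for match in STREAM_RE.finditer(pdf_bytes):
        try:
            # decompressobj tolerates the end-of-line bytes left before "endstream"
            views.append(zlib.decompressobj().decompress(match.group(1)))
        except zlib.error:
            continue  # uncompressed, or a filter this example does not decode
    # Undo #xx escapes so a name written as /J#61vaScript still matches
    return [HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), v) for v in views]

def triage(pdf_bytes):
    blob = b"\n".join(searchable_views(pdf_bytes))
    report = {
        "javascript_action": re.search(rb"/(?:JavaScript|JS)\b", blob) is not None,
        "calls_getannots": b"getAnnots" in blob,
        # /Type is optional in annotation dictionaries, so this count is context only
        "annotation_objects": len(re.findall(rb"/Type\s*/Annot\b", blob)),
    }
    # getAnnots() has legitimate uses: this marks a file for manual review, nothing more
    report["review"] = report["javascript_action"] and report["calls_getannots"]
    return report

def build_sample(script):
    """Constructed PDF-like bytes (not a real sample): one annotation, optional script."""
    parts = [b"%PDF-1.4\n",
             b"3 0 obj << /Type /Annot /Subtype /Text /Contents (constructed) >> endobj\n"]
    if script:
        body = zlib.compress(script)
        parts += [b"4 0 obj << /S /J#61vaScript /JS 5 0 R >> endobj\n",
                  b"5 0 obj << /Filter /FlateDecode /Length %d >>\nstream\n" % len(body),
                  body, b"\nendstream endobj\n"]
    return b"".join(parts)

if __name__ == "__main__":
    print(triage(build_sample(b"var a = app.doc.getAnnots();")))
    print(triage(build_sample(None)))
```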
Apr 8th 2010