Re: Adobe PDF files can be used as virus carriers

[Lars Hecking <lhecking () nmrc ie>]

[Moderator: reposted as requested by da () securityfocus com]

> What this means is that virus scanners will now need to "reach inside"
> PDFs to scan encapsulated files. But what -- as I'm sure our Russian
> friend Dmitri would ask -- if the PDF is encrypted? Wouldn't the
> virus checker have to defeat the encryption to see the encapsulated
> file? And would it be an illegal "circumvention" mechanism if it did?

 So what? The problem is not new - it already exists with zip files, and
 generally with all types of encrypted files.

 Here's e.g. what Sophos sweep tells you when encountering an encrypted
 zip file (here, it's inside an self-extracting zip archive.

Aug  3 17:27:29 localhost amavis[16194]: Password protected file 
/tmp/amavis-10411997/parts/msg-16194-2.exe/SfxArchiveData/SETUP.WZ/WINZIP32.EX_

 I would be extremely suspicious about "encryption" that can be circumvented
 by, say, a virus scanner.

 Is encryption really the problem as far as viruses are concerned? I'd say
 it is not. Decryption requires manual intervention by the user, and after
 that the problem is the same as before: applications that execute stuff
 automatically by default, or make it easy to circumvent any safeguards
 the user may have set.

 The new threat is that a hitherto unused file format is now used as a vector.
 Big deal.