There's a common complaint in the antivirus community, this time about PDF and Adobe Reader, the new frontier for viruses, worms and other cyber creepy-crawlies.
Case in point: a post on the Avast! blog entitled "Another nasty trick in malicious PDF". Following an innocuous quotation from an out-of-date version of the PDF Reference, the author says:
That's another surprise from PDF, another surprise from Adobe, of course. Who would have thought that a pure image algorithm might be used as a standard filter on any object stream you want? And that's the reason why our scanner wasn't successful in decoding the original content; we hadn't expected such behavior. To be fair, any data (text or binary) can be declared as a monochrome two-dimensional image; that's the reason why JBIG2 algorithm works here.
Why is this a surprise? It has been common practice since PDF was released in 1993 to use multiple filters to encode streams in a PDF file. Multiple filters on a stream have always been part of PDF. If virus-scanning software claims to scan PDF files, that implies the developer has read the PDF Reference and knows how to parse the PDF format.
PDF files aren't exactly unusual; they're everywhere! Google counts almost 300 million PDF files online, and there are billions more in banks, government agencies, and elsewhere. Given the popularity of PDF for well over a decade, there's nothing in the PDF Reference that should come as a surprise.
I expect antivirus software developers to consider the possibility that an image filter could be used to encode non-image objects for nefarious purposes. If they do not expect such a possibility then they have failed in their chosen responsibility of protecting the public.
Read the rest of the article on appligent.com