Hackers can duck antivirus programs and execute malware in Adobe Reader by using greyscale images, says Danish security boffin Dénes Óvári.
Lossy compression is thought to be susceptible to the DCTDecode filter, which should nuke malware woven into images and blunt this form of attack.
However new intelligence published in the paper Script in a Lossy Stream (PDF) shows bad guys and penetration testers can use the filter within PDF documents to hide malcode using JPEG images that are set to greyscale to avoid distortion.
This process gives antivirus and human malware analysts the slip as they generally assume any malcode hiding in the JPEG filter will be compressed and scrambled.
“Although this is not a security breach in itself, the fact that the usage of DCTDecode for this purpose has seemingly been ruled out by the industry means that even known threats could be hidden in this way from anti-virus scanners or researchers.
“In order to provide users with maximum protection, the DCTDecode stream must no longer be overlooked: in PDF reader implementations, the referencing of uncompressed image data as parameters from objects expecting binary data should be prohibited.”
Óvári says attacks still require exploits to be used inside the DCTDecode stream, reducing the overall threat presented by the research.
“When opening the document, the alert dialog just pops up under the old Reader 9, proving that the code of the short script was decompressed losslessly,” he says.
The attack still works under the latest version of Reader with some small modification.
Óvári says other file formats that assume data within JPEGs uses lossy compression while a greyscale mode is available should be re-evaluated. ®
- Black Hat
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Identity Theft
- Palo Alto Networks