The Sourcefire Vulnerability Research Team (VRT) has an interesting project related to (near) real-time detection of malicious data passing through an ingress/egress point. Specifically, they're attempting to use this technology to detect malicious PDFs. Unfortunately, right now you can't scan the documents in real time without hurting the user experience. The options would be to queue PDFs until they are analyzed, or to attempt to post-remediate malicious PDFs that have already been passed through (recall and purge). They've released their real-time framework and are looking for user snippets to perform detection of malicious data (think gluing some of Didier's PDF analysis scripts together).
*In case you're unaware, Sourcefire is the maker of the Snort IDS.
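As an added illustration of the kind of "user snippet" the post is talking about (this is example code written for this page, not the VRT framework's own code and not Didier Stevens' pdfid, although it borrows pdfid's keyword-counting idea), the script below counts the PDF name objects most often associated with malicious documents, decodes hex-escaped names so an obfuscated keyword such as `/Java#53cript` is not missed, and returns a queue-until-analyzed verdict for each file. The three sample PDFs and the `classify`/`gateway` functions are constructed for the example.

```python
import re

# Name objects that pdfid-style triage counts; an added example, not pdfid itself.
SUSPICIOUS_NAMES = [
    "/JavaScript", "/JS", "/OpenAction", "/AA",
    "/Launch", "/EmbeddedFile", "/RichMedia", "/ObjStm",
]

# A PDF name ends at whitespace, a delimiter, or end of data.
NAME_END = rb"(?=[\s()<>\[\]{}/%]|$)"


def normalize_names(data: bytes) -> bytes:
    """Decode #XX hex escapes in names (e.g. /Java#53cript -> /JavaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> dict:
    """Count each suspicious name as a whole name (so /JS does not match /JSx)."""
    counts = {}
    for name in SUSPICIOUS_NAMES:
        pattern = re.escape(name.encode()) + NAME_END
        counts[name] = len(re.findall(pattern, data))
    return counts


def classify(data: bytes):
    """Return (verdict, details). Verdicts: 'release', 'review', 'hold'."""
    if not data.startswith(b"%PDF-"):
        return "hold", {"reason": "missing PDF header"}
    raw = count_keywords(data)
    norm = count_keywords(normalize_names(data))
    # A keyword that only appears after decoding escapes was deliberately hidden.
    hidden = sorted(n for n in SUSPICIOUS_NAMES if norm[n] > raw[n])
    if hidden:
        return "hold", {"reason": "hex-escaped suspicious names", "names": hidden}
    auto_exec = norm["/OpenAction"] + norm["/AA"]
    active = norm["/JavaScript"] + norm["/JS"] + norm["/Launch"]
    if auto_exec and active:
        return "hold", {"reason": "auto-executing active content", "counts": norm}
    if active or norm["/EmbeddedFile"] or norm["/RichMedia"]:
        return "review", {"reason": "active or embedded content", "counts": norm}
    return "release", {"counts": norm}


def gateway(pending):
    """Queue-until-analyzed model: every PDF gets a verdict before release."""
    return {name: classify(data)[0] for name, data in pending}


# Constructed sample documents (hypothetical, minimal, not real malware).
BENIGN = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
          b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
          b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
SUSPECT = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
           b"3 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\nendobj\n%%EOF\n")
OBFUSCATED = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Open#41ction 3 0 R >>\nendobj\n"
              b"3 0 obj\n<< /S /Java#53cript /J#53 (app.alert(1)) >>\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for name, verdict in gateway([("benign.pdf", BENIGN), ("suspect.pdf", SUSPECT),
                                  ("obfuscated.pdf", OBFUSCATED)]).items():
        print(f"{name}: {verdict}")
```

The verdict thresholds are illustrative: `/JavaScript` or `/EmbeddedFile` alone is common in legitimate forms and attachments, so those only earn "review", while active content wired to `/OpenAction` or `/AA`, or any keyword that only becomes visible after decoding name escapes, is held. In a recall-and-purge deployment the same `classify` result would instead drive a lookup of where the already-delivered file went.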
Regarding malicious PDFs….
Does the PDF viewer play a large role in determining end user vulnerability? I recently switched to the Windows version of Foxit Reader and have found it quicker to load both browser-based and local documents.
I've used Foxit and Sumatra on Windows and they definitely load faster than Acrobat. I don't think we can say one is safer than another. Products with higher market share have more people scrutinizing them, while those with less could have just as many unpublished vulnerabilities. Check out OSVDB.