The .epub security hole 26/09/2007
Reg is running a story about malware getting stuck into .pdfs. Nothing to add there, seems pretty complex to make 'em.
Related, I asked Bill McCoy, vp of Adobe, about how easy it was for me to stick just anything into an .epub file (audio/video files), given that the "standard" is just a .zip file that's read whole by several applications (er, at least one). Of course, I could have stuck nasty virii into my fake epub as well... it would still load, albeit slowly.
McCoy's answer:
There could be some value to reporting on
the presence of such “junk DNA” riding along in an epub “assembly”,
possibly as part of the authoring/distribution tool workflow if not for end
users. This is something we will take a look at.
He adds:
This has nothing to do with the container
format being based on ZIP or not. PDF utilizes its own intrinsic container
format (informally called “COS”) and it’s also possible to
insert unused objects therein, although we recognize that this is superficially
easier for end users to do with a ZIP-based archive, people trying to spread
malware would likely have software tools at their disposal anyway. And one
reason a ZIP-based approach was chosen is for ease of authoring and
manipulation. It is also the basis for storage of OpenOffice (ODF format).
So I feel better. Though many email programs will, after all, just block .zip files... and the ODF format does not appear to allow applications. http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=office
Thank god for secure standards.