
EUSecWest 2010 - Fighting PDF malware with ExeFilter

This is a presentation given at the EUSecWest 2010 conference in Amsterdam on 16 June about recent PDF vulnerabilities and malware, showing how a tool such as ExeFilter may be used to provide additional protection as a complement to antivirus engines.

As shown recently by McAfee, the number of vulnerabilities discovered in Adobe products and exploited in the wild using PDF files has exploded in 2009 and 2010. According to their figures, 28 percent of exploit samples were using PDF as the attack vector in Q1 2010. Many of the PDF vulnerabilities are exploited thanks to JavaScript, or other native features such as Launch actions and embedded Flash objects (see my article about PDF security). Because of the complexity of the PDF format, it is extremely difficult for antivirus and IDS vendors to create truly generic signatures to detect PDF exploits. Simple obfuscation techniques can be used to make any exploit virtually undetectable by antivirus and IDS engines.
ExeFilter is an open-source filtering tool presented at CanSecWest08. Its purpose is to analyze and sanitize files by removing known active content (JavaScript, macros, launch actions, etc.) with an effective deep file inspection algorithm. ExeFilter does not rely on signatures, but simply on native features of file formats. This technique is particularly effective for PDF files and exploits.
The presentation shows how ExeFilter can be used to filter PDF files and to disarm almost any PDF malware, even if it exploits zero-day vulnerabilities. For example, exploits for CVE-2009-4324 would have been sanitized by ExeFilter well before their disclosure, because almost all PDF exploits require JavaScript to trigger their payload. Another example is the recent CVE-2010-1240 zero-day revealed by Didier Stevens in March 2010, which was only patched a few months later in Adobe Reader 9.3.3 but had been natively sanitized by ExeFilter for years.
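To illustrate the feature-based (rather than signature-based) approach described above, here is a small added Python example. It is not ExeFilter's own code and uses none of its API: it scans a PDF for the native active-content keys named in the text (JavaScript, Launch actions, OpenAction and additional-actions dictionaries, RichMedia for embedded Flash), decodes the #xx name escapes that simple obfuscation relies on (so `/J#61vaScript` is still recognised), and disarms the file by overwriting each matching name with an unknown key of identical length so xref offsets stay valid. The sample PDF is constructed for the example, and the key list and the same-length overwrite strategy are this example's assumptions; a real filter must also inflate FlateDecode and object streams, which this example deliberately does not handle.

```python
import re

# Dictionary keys / action subtypes that mark native active content in a PDF.
# Constructed list for this example; ExeFilter's own rule set is broader.
ACTIVE_KEYS = {b"JavaScript", b"JS", b"Launch", b"OpenAction", b"AA", b"RichMedia"}

# A PDF name token: "/" followed by regular characters or #xx hex escapes.
# Matching whole tokens (instead of grepping for "/JavaScript") lets us decode
# escapes before comparing, which defeats the trivial /J#61vaScript obfuscation.
_NAME_TOKEN = re.compile(rb"/(?:[^\x00-\x20/<>\[\]{}()%#]|#[0-9A-Fa-f]{2})+")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed sample: a one-page PDF whose catalog triggers a JavaScript action on
# open, with the action subtype name obfuscated with a hex escape.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> >> endobj\n"
    b"4 0 obj << /Type /Action /S /J#61vaScript /JS (app.alert('hi')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def decode_name(token: bytes) -> bytes:
    """Return the decoded PDF name without the leading '/' (e.g. /J#61vaScript -> JavaScript)."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), token[1:])


def find_active_content(pdf: bytes) -> dict:
    """Count each active-content key present in the file, after de-obfuscating names."""
    counts = {}
    for m in _NAME_TOKEN.finditer(pdf):
        name = decode_name(m.group(0))
        if name in ACTIVE_KEYS:
            key = name.decode()
            counts[key] = counts.get(key, 0) + 1
    return counts


def disarm(pdf: bytes) -> bytes:
    """Neutralise active content by overwriting each matching name token with an
    unknown key of the same length. A viewer ignores unknown dictionary keys and
    unknown action subtypes, and because no byte is added or removed the offsets
    in the xref table remain valid."""
    def replace(m):
        token = m.group(0)
        if decode_name(token) in ACTIVE_KEYS:
            return b"/" + b"X" * (len(token) - 1)
        return token
    return _NAME_TOKEN.sub(replace, pdf)


if __name__ == "__main__":
    print("before:", find_active_content(SAMPLE_PDF))
    cleaned = disarm(SAMPLE_PDF)
    print("after: ", find_active_content(cleaned))
```

Run against the constructed sample, the scan reports OpenAction, AA, JavaScript and JS once each despite the escaped subtype name; after disarming, the scan reports nothing and the file is byte-for-byte the same length. This is the essence of the approach in the text: no signature for any particular exploit is needed, because the feature the exploit depends on is removed whatever the payload looks like.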

The presentation is attached below.

Matt Oh has also written a nice summary of the EUSecWest 2010 conference.

Attached file | Size
EUSecWest10_Lagadec_PDF_malware_ExeFilter_v3.pdf | 2.37 MB
