Back in April this year, I found a PDF tracking issue in my daily work. The issue was obviously due to a security flaw (Adobe confirmed this when they patched it as security vulnerability CVE-2013-2737*), but the story didn't stop there. In my free time I looked into this type of issue more widely, and the result kind of surprised me: almost all the popular document types we use nowadays have the problem.
The affected document types include PDF on the latest Adobe Reader 11.0.5, and Word, PowerPoint and Excel documents on the latest Microsoft Office 2010; it should be the same on other Reader and Office versions. I am not able to go into every technical detail right now; instead, I’ll give a quick explanation.
Usually, in my conservative mind, I think a "document" should not connect to any unauthorized address without my permission; an “authorized address” could mean a domain or IP address owned by the vendor, or a domain/IP that is authorized by the vendor. Specifically, I don't want a document I received via email to “phone back” to a server controlled by the document sender when I open it. If it does, I think there is a “document tracking” issue, no matter what the original purpose of the “phone back” communication is. The sender controls the server, so he/she is able to collect information about readers’ activities, which includes (at least) when (time) and where (IP address) the reader opened the document.
Unfortunately, based on my research, documents are no longer the "simple" documents we thought of in the old days. With the great number of features added to the applications, there are various ways to achieve "document tracking".
The Issues
So, let’s talk about the issues I found. The new PDF tracking issue is obviously due to a default feature that allows PDF issuers to control the document. It actually has more power than that: it can control who is able to open the PDF and when, and which privilege(s) (such as opening, printing and editing) the user is granted.
The Word document will try to access a remote UNC resource. In this case the UNC resource is not correctly configured, so the following “start bar” showing that it’s connecting to the server will appear; I don’t think the dialog will still be there when the resource sits correctly on that server.
The PowerPoint issue I found was remote image access via HTTP. Office PowerPoint 2010 will display a warning message to users, as shown below. Unfortunately the traffic is still sent out, so I guess it's probably an implementation problem.
The Excel issue was also an attempt to access remote images. It went smoothly without any warning or hint; see the following traffic I captured.
I want to highlight that the particular issues above are only part of the problems in those applications. There are actually more that I’ve found, but I am not going to list each of them.
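Added example (not part of the original post): a Python sketch of how a defender could check an Office file for this kind of remote reference before opening it. It assumes the file is an OOXML package (.docx, .pptx, .xlsx), where links to outside resources are stored as relationships marked TargetMode="External"; the function names, sample hosts and the click heuristic are this example's own.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # stdlib so this runs offline; use defusedxml on hostile input

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
MAX_PART = 1 << 20  # skip oversized .rels parts (zip-bomb guard)

def classify(target):
    """Rough transport class of an external relationship target."""
    t = target.lower()
    if t.startswith(("http://", "https://")):
        return "http"
    return "unc/file" if t.startswith(("\\\\", "file:")) else "other"

def external_refs(data):
    """Return sorted (part, rel_type, transport, target, needs_click) tuples."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            if not info.filename.endswith(".rels") or info.file_size > MAX_PART:
                continue
            root = ET.fromstring(pkg.read(info))
            for rel in root.iter("{%s}Relationship" % PKG_NS):
                if rel.get("TargetMode", "").lower() != "external":
                    continue  # internal part reference, never leaves the package
                target = rel.get("Target", "")
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                # Heuristic (assumption): hyperlinks wait for a click; other types may load on open.
                found.append((info.filename, rel_type, classify(target),
                              target, rel_type == "hyperlink"))
    return sorted(found)

def build_sample():
    """Constructed sample package; hosts and paths are made up."""
    rel = '<Relationship Id="r%d" Type="' + DOC_NS + '%s" Target="%s"%s/>'
    ext = ' TargetMode="External"'
    parts = {"document": rel % (1, "image", "media/logo.png", "")
             + rel % (2, "image", "http://tracker.example/p.png?doc=42", ext)
             + rel % (3, "hyperlink", "https://www.example.com/", ext),
             "settings": rel % (1, "attachedTemplate", r"\\files.example\share\t.dotx", ext)}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr("word/_rels/%s.xml.rels" % name,
                       '<Relationships xmlns="%s">%s</Relationships>' % (PKG_NS, body))
    return buf.getvalue()
```

Call `external_refs(open(path, "rb").read())` on a received file; legacy binary Office formats and PDF are not covered and need a different parser.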
Is There Anybody Actively Leveraging the Issues?
It's not hard to find out: a simple Google search will show you that there are quite a number of "document tracking service” providers leveraging the issues for their businesses. In addition, I happened to learn that back in 2006/2007, one of the service providers (readnotify.com) was hired by a well-known IT company to help them investigate a leak of confidential information. They tried to collect information about the CNET reporter who wrote the news report by leveraging the document tracking issues. It later led to testimony at the U.S. House of Representatives; check out the story here.
The Remaining Questions
So, is this a big problem? It’s hard to say – it really depends on how much you care about privacy. As a researcher, the thing that bothers me a bit is that I couldn't find any opinion from the vendors about this kind of issue – do they really think it is a problem they’d like to take action on? As discussed, the "zero-day" issues I found are not due to security faults (unlike the previous PDF CVE-2013-2737); they are features! You can ask a vendor to fix a security vulnerability, but you can't ask them to remove a feature.
Finally, while I am pretty pessimistic that the problems will be corrected in the future, people should at least know the fact: when you open documents on your computer, keep in mind that you may be tracked, whether or not you are using the latest application.
I can’t give any useful mitigation or workaround, since the traffic goes over the most popular protocols and the destination port can vary, as we can’t block all traffic going outside.
* Though, I have no idea why Adobe didn't credit me. :P
** Declaration: this post as well as other posts on this blog site reflects the author’s personal opinions only.