David Kierznowski has published proof of concept documents for exploiting the ubiquitous software that are not traditional software code flaws, but instead demonstrate a new trend affecting desktop applications -- the use of legitimate features for dangerous ends.

Last week, a U.S. government research body found that attacks using cross-site scripting or Web-oriented scripting languages had become more prevalent than the more traditional buffer overflows, which affect desktop application code.

"Recently, there has been alot of hype involving backdooring various Web technologies," said Kierznowski in his study (http://michaeldaw.org/md-hacks/backdooring-pdf-files/). He said PDF documents seem like an obvious target because they support JavaScript, but found that exploitation wasn't straightforward, partly because Adobe supports its own JavaScript model.

"There are quite a few twists and turns," he wrote. He said Adobe Reader and Adobe Professional also have very different restrictions on which JavaScript objects are allowed.

The first attack, found here (http://michaeldaw.org/projects/backdoored1.pdf), adds a malicious link into a PDF document. "Once the document is opened, the user's browser is automatically launched and the link is accessed," wrote Kierznowski. "At this point it is obvious that any malicious code be launched."