can' embed exe file about origami-pdf HOT 1 CLOSED

Hello,

actually 'embed.rb' does not just embed the target file into the document. It 
will
also inject a little script that will try to run the file at document opening.

However, Acrobat Reader has some restrictions about which files are granted to 
be
extracted and run. This security filtering is merely based on the filename 
extension.
Some extensions are blacklisted, some are whitelisted, others will pop up an 
alert
box to ask for user approval before running the file. 

This list of extensions cannot be modified from the Reader interface, you can 
find it
on Windows into the registry key:
HKLM\SOFTWARE\Policies\Adobe\Acrobat
Reader\9.0\FeatureLockDown\cDefaultLaunchAttachmentPerms

On Unix systems, it can be found in the preference file in the directory where 
Reader
is installed.
On my Linux system: /opt/Adobe/Reader9/Reader/GlobalPrefs/reader_prefs

Only PDF and FDF files are whitelisted by default (which means you can extract 
and
run an embedded document from an existing document with no user warning).

In a nutshell, if you plan to embed a malicious file into a document, you have 
two
options:

1) Find a flaw in Acrobat Reader to bypass security checks. That's the way I 
did when
I began working on the 9.0 version, but it has now been fixed by Adobe.

2) Use a non-blacklisted filename extension for your attachments. Before the 9
version of Reader, I used to embed malicious JAR archives into documents as 
*.jar
files were not blacklisted. Still the file has to be launched by Windows 
Explorer
thereafter, so you can't set whatever extension you wish. Anyway, on Unix 
systems,
the filename extension filter is just a joke.

Regards,
Guillaume