Tuesday March 30, 2010
PDF researcher Didier Stevens has been working lately on ways to execute arbitrary code out of PDF files and has come up with a new and surprising one: He can run an executable embedded inside a PDF without exploiting a vulnerability. Stevens isn't revealing the details of the technique yet.
Different PDF readers react differently to the technique. Adobe Reader displays the warning dialog above. Stevens can make the attack more likely to succeed by changing the contents of the box: Instead of the file name it could say "Please click Open" or some other social engineering message.
But Foxit Reader, which many users have switched to, supposedly for security reasons, doesn't even display a warning dialog. It just automatically executes the embedded EXE. A commenter to Stevens's post gives a story of a related vulnerability, and Stevens says it's not uncommon for Foxit to blindly execute dangerous activities in cases where Adobe's software warns the user.
I also tested Nuance's free PDF reader. It opens a dialog box that says cannot open file "cmd.exe".
Update: Stevens tells me that he was able to get the attack working in Nuance by hard-coding the location of cmd.exe.
If there really is no vulnerability involved then we'll have to wait and see what approach Adobe and other vendors take to this issue. Adobe could just choose to identify it more precisely and give a stronger warning dialog box. Foxit could choose to do something, anything.
April 9, 2010 9:59 PM
How about Tracker Software's PDF-XChange Viewer (which I use now rather than Foxit Reader, due to superior features): http://www.docu-track.com/product/pdf-xchange-viewer