Can PDFs contain resources that are loaded from the internet?

I think the key to your question is that you can embed JavaScript in a PDF. And this article seems to explain that process: “How to enhance your PDF forms with JavaScript”

So you could embed some code that connects to an external server to exchange data between the outside and your PC.

I am not sure if there are in-built security options that limit whether a pdf file can “call home.” Perhaps this also depends on the PDF reader that is being used.

EDIT:

To check the settings in Adobe Reader, hit Ctrl-K and select Trust Manager on the left-hand side. This shows the following options on my version:

Adobe Trust Manager settings

You can provide detail on which websites you deem acceptable for a PDF to contact. Also, again on the left-hand side, click on JavaScript, where you can turn the use of Adobe JavaScript on or off.

As per mgutt's comment below, I couldn't see why you shouldn't be able to use app.media.getURLData() to load external data if JavaScript is enabled, no other restrictions are set and, of course, the PDF application supports JavaScript.
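
One way to check a given file for the features this thread discusses, as an added example that is not part of either answer: a small triage scan that counts PDF name keys tied to scripting or outbound contact, including names hidden by `#xx` escapes or inside Flate-compressed streams. The key list, function names and the sample bytes are assumptions chosen for illustration; encrypted or otherwise encoded streams are not inspected, so an empty result is not proof that a file is inert.

```python
import re
import zlib
from collections import Counter

# PDF name keys (from the PDF specification) that enable scripting or
# contact with external resources. Illustrative list, not exhaustive.
RISKY = {"JS", "JavaScript", "OpenAction", "AA", "URI", "Launch",
         "SubmitForm", "GoToR", "GoToE", "ImportData"}
NAME_RE = re.compile(rb"/([A-Za-z0-9#_.\-]+)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)

def decode_name(raw: bytes) -> str:
    """Undo #xx hex escapes, so /J#61vaScript is read as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def inflate_streams(data: bytes):
    """Yield the contents of Flate-compressed streams; skip the rest."""
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate, encrypted, or corrupt: left unscanned

def scan_pdf(data: bytes) -> Counter:
    """Count occurrences of risky names outside and inside streams."""
    hits = Counter()
    clear = STREAM_RE.sub(b"", data)  # avoid matching inside binary data
    for blob in [clear, *inflate_streams(data)]:
        for m in NAME_RE.finditer(blob):
            name = decode_name(m.group(1))
            if name in RISKY:
                hits[name] += 1
    return hits

# Constructed sample (not a real document): an escaped script key in the
# clear and a URI action inside a compressed stream.
_hidden = zlib.compress(b"<< /S /URI /URI (http://example.invalid/ping) >>")
SAMPLE = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
          b"2 0 obj\n<< /S /J#61vaScript /JS (placeholder) >>\nendobj\n"
          b"3 0 obj\n<< /Filter /FlateDecode >>\nstream\n" + _hidden +
          b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    print(dict(scan_pdf(SAMPLE)))
```

To scan a real file, pass its bytes: `scan_pdf(open(path, "rb").read())`.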


You point this out from the Tor website:

…these documents can contain Internet resources that will be downloaded outside of Tor by the application that opens them.

The key word in there is “can” and the warning—as I read it—is a generic “Let’s be careful out there…” statement.

I’m not 100% sure about images specifically, but exploits, tools and tutorials exist which describe methods of injecting rootkit exploits into PDFs such as this one; bold emphasis is mine:

In this exploit, we will alter an existing .pdf file that can then be posted to our website. When friends or others download it, it will open a listener (a rootkit) on their system and give us total control of their computer remotely.

And more clearly stated near the end; again the bold emphasis is mine:

Simply copy this file to your website and invite visitors to download it. When our victim downloads and opens this file from your website, it will open a connection to your system that you can use to run and own their computer system.