PDF Creator compromised?


#1

Hello,
in our company we are investigating a data leak from our accounting department.

An attacker is writing phishing emails to our clients and knows data from PDFs printed by your program!

We are still working on that theory; maybe our whole PC is compromised, but ESET marked your software as a threat and deleted it after a scan.
Do you guys send some data from the program to your servers? Or is there any way the attacker could get our PDFs? For example, you are using some advertising toolbars in the free version; is it possible that the leak is from there? Any other ideas?

Thanks, Tom


#2

Hi Tom,

depending on the version you have, PDFCreator can send usage statistics to our server and will contact our update server to check for updates, but data from inside your documents will never get sent to us. You can see which data we collect for usage statistics here.
What does ESET find exactly? In the past, there have been false detections related to the offer screen which is displayed during the setup of the free version, but those should be marked as PUA and not as an actual threat. If you are using an outdated PDFCreator version, the included Ghostscript version might have vulnerabilities which potentially allow executing code from specially crafted PostScript files, but the attacker would still need to get those PostScript files onto your system and get Ghostscript to run them.
We run up-to-date antivirus software in our entire environment and everything is double-checked through virustotal.com before it is uploaded to our servers, so it is very unlikely that the breach is caused by PDFCreator. Since PDFCreator has an option to send all generated documents by email, the attacker could abuse this if he already has access to your system, but in that case he could also just copy the files directly or execute any script to do so.

Best regards

Robin