2

Is it possible for a computer to be infected by viewing the link to a PDF file without downloading it?

For example, if I opened a link on a website such as www.wordpress.com/somepdfFile.pdf (not a real site), are there current malware that can infect my computer just from viewing the link?.

John Doe owns a website, www.doejohn.com. He decides to share a pdf document with his subscribers. He, however, doesn't know the pdf contains a malicious payload. The pdf can be found at www.doejohn.com/file123.pdf.

Jane Doe navigates the link above and views the file WITHOUT downloading it. Does the malicious payload infect Jane's computer or not?

schroeder
  • 125,553
  • 55
  • 289
  • 326
Lone Ronin
  • 303
  • 2
  • 3
  • 9
  • 4
    If you are viewing a PDF "online", then you downloaded it and viewing a local copy. – schroeder Mar 15 '18 at 13:25
  • 1
    So, yes, if your browser, or the PDF viewer that your browser uses, has a vulnerability, then you can get infected. – schroeder Mar 15 '18 at 13:27
  • Possible duplicate of [How to safely view a malicious PDF?](https://security.stackexchange.com/questions/18878/how-to-safely-view-a-malicious-pdf) – Martin Schröder Mar 17 '18 at 14:52

2 Answers2

8

Obviously if you are viewing the PDF in your browser, you could get attacked. Browsers are imperfect, and the PDF format is filled with vulnerabilities (that continue to be found.)

However, it's very highly unlikely that simply viewing a page with a link to a malware file would cause an infection, but we can't definitively say no. Historic attacks have stepped along paths that once upon a time could have led to infection, but those were ancient exploits that happened back in the early 2000s. Browser and OS security have improved greatly since then.

For performance reasons, some browsers performed prefetching of links, with the idea that while you were looking at page A, you will probably click to page B. The browser would therefore download the pages to your cache, even if you didn't click the link. (Note the referenced page is from 2003.)

There are also exploits that have taken advantage of disk indexing. When a file lands on your file system, the indexer would scan it and add the data to your computer's search database. Different types of files have been susceptible to these attacks, including JPG and TTF.

Theoretically, a browser could prefetch a malware file, and then infect you while the filesystem indexes it.

However, I don't know of any browsers that are still doing prefetching; most pages have hundreds of links, and a browser would have no way of knowing which links you might click on. Furthermore, most indexing systems have been reworked so they aren't as vulnerable as they once were.

It's not a vector that you should lose sleep worrying about.

John Deters
  • 33,897
  • 3
  • 58
  • 112
  • I think Chrome still does prefetching based on some algorithm that looks at whether or not you clicked similar links in the immediate past (like a "next page" link). I think it also pings links to see if they are up and does a DNS resolution early. – forest Mar 19 '18 at 02:37
  • 1
    90% of this answer now no longer applies since the OP clarified that the file is being directly viewed – schroeder Mar 19 '18 at 20:01
  • @schroeder is correct. To be more specific, the *only* part that is still relevant is `"Obviously if you are viewing the PDF in your browser, you could get attacked. Browsers are imperfect, and the PDF format is filled with vulnerabilities (that continue to be found.)"` – Ray May 15 '18 at 23:37
1

Yes, but it depends.

Typically malicious documents either exploit the viewer, or launch malicious macros. PDFs, for example, are notorious for containing malicious javascript, which can be used to do all kinds of malicious things.

When you view a file on the internet, you are really downloading a local, temporary copy, then displaying it.

These local files can either be displayed directly by your browser, or your browser can pass them off to a dedicated program. For example, your browser might show a PDF as a tab, or might give the document to Adobe PDF Reader to read it.

If the program that is reading the PDF is out of date or misconfigured, then the PDF can launch its exploits.