Don't take LaTeX files from strangers

By Stephen Checkoway, Hovav Shacham, and Eric Rescorla.

In ;login: The USENIX Magazine, pages 17–22. USENIX, August, 2010.

Abstract

TeX, LaTeX, and BibTeX files are a common method of collaboration for computer science professionals. It is widely assumed by users that LaTeX files are safe; that is, that no significant harm can come of running LaTeX on an arbitrary computer. Unfortunately, this is not the case: In this article we describe how to exploit LaTeX to build a virus that spreads between documents on the MikTeX distribution on Windows XP as well as how to use malicious documents to steal data from web-based LaTeX previewer services.

Material

• ;login: version (requires USENIX membership) in PDF.
• Full version, local copy in PDF.
• Based on Are Text-Only Data Formats Safe? Or, Use This LaTeX Class File to Pwn Your Computer.

Reference

@article{checkoway-shacham-rescorla:texhack:login2010,
  author =  {Stephen Checkoway and Hovav Shacham and Eric Rescorla},
  title =    {Don't take {\LaTeX} files from strangers},
  year =    2010,
  month =   aug,
  journal = {{;login:\@} The USENIX Magazine},
  volume =  35,
  number =  4,
  pages =   {17-22},
  url =     {https://checkoway.net/papers/tex_login2010},
}