By Stephen Checkoway, Hovav Shacham, and Eric Rescorla.
In ;login: The USENIX Magazine, pages 17–22. USENIX, August 2010.
TeX, LaTeX, and BibTeX files are a common method of collaboration for computer science professionals. It is widely assumed by users that LaTeX files are safe; that is, that no significant harm can come of running LaTeX on an arbitrary computer. Unfortunately, this is not the case: In this article we describe how to exploit LaTeX to build a virus that spreads between documents on the MiKTeX distribution on Windows XP as well as how to use malicious documents to steal data from web-based LaTeX previewer services.
;login: version (requires USENIX membership) in PDF.
Full version, local copy in PDF.
Based on Are Text-Only Data Formats Safe? Or, Use This LaTeX Class File to Pwn Your Computer.
@article{CSR10a,
author = {Stephen Checkoway and Hovav Shacham and Eric Rescorla},
title = {Don't take {\LaTeX} files from strangers},
year = 2010,
month = aug,
journal = {{;login:\@} The USENIX Magazine},
volume = 35,
number = 4,
pages = {17--22},
url = {https://cs.ucsd.edu/~scheckow/papers/tex_login2010.html},
}