Adobe Reader and PDF security threats

In recent years PDF has gotten a bit of a reputation for being a risky format, with security alerts related to Adobe Reader and Adobe Acrobat, and by extension PDF, being issued with some frequency.

A victim of its own success

The bigger the platform, the bigger the target. Just ask Windows. Every technology has its own security holes, but most don’t get targeted in the same way because they aren’t worth the effort. In recent years, thanks to their ubiquitousness, PDF and Adobe Reader have been worth the effort.

When John Warnock and his team set about creating the PDF file format the computing world was a very different place. The Internet was in its infancy, the modern web browser had not quite arrived and Windows 95 was still some years away. He probably didn’t even imagine that PDF would become as successful as it has been.

It might seem like Adobe are playing catch up with all of these security releases, and actually, they are. Not doubt if they were designing the PDF format and Adobe Reader for the first time today, then security related considerations would play a major part in architectural decisions.

For example, permitting executables to be embedded in PDFs or JavaScript to be embedded in PDFs, which could then be opened within an Internet browser, might not pass the sniff test knowing what we know today.

It wasn’t always thus

Perhaps it was because of security through obscurity or because there were easier targets (e.g. Windows before Microsoft got serious about tightening things up), but Adobe Reader and PDF survived a good 15 years before they came under heavy fire from hackers.

PDF exploits began to gain traction in 2008 and according to a Microsoft Security Intelligence Report this was the result of three Adobe Reader vulnerabilities which were patched in May 2008, November 2008 and March 2009.

With Acrobat 9 having been released in July, 2008, and Adobe sticking to their 24 month major version release cycle, a serious effort was not made to combat the rise in PDF exploits until the release of Acrobat X in November, 2010.

Unfortunately from the time that PDF exploits began to take off in 2008 and the release of Acrobat X in 2010, Adobe did not have an auto-update feature in place, which meant that many users did not upgrade to the latest versions of Adobe Reader — leaving their installations unpatched and ripe for infection for a long period of time.

Enhanced protection with Adobe Reader X and Acrobat X

The release of Adobe Reader X Acrobat X brought some urgently needed features:

These new features in Adobe Reader X ensured that exploits through embedded malicious files or code would not infect your computer and the automatic update feature ensured that users who opted-in would always get the latest security updates downloaded and installed on their machines as soon as they became available.

Tips for staying safe with PDF

It’s important to note that you are generally at the mercy of the PDF reader when it comes to security exploits. A PDF by itself is harmless. It is not an executable. It cannot launch itself.

Instead it’s better to think of a PDF as a method of transport. A PDF can carry an executable as an attachment or it can have malicious code embedded inside it. But these things are themselves harmless until the PDF is opened in a PDF reader and the PDF reader allows the user to open the attached executable or run the malicious JavaScript code that is embedded in the PDF.

This is why it’s very important to make sure that you are using a PDF reader that is either:

  1. actively updated to prevent security exploits and includes some sort of sandbox functionality to prevent malicious attacks from affecting your system, or;
  2. does not include the functionality required to open attachments embedded in PDFs or permit the execution of JavaScript embedded in the PDF.

But no matter which PDF reader you are using, there are some basic ways to keep yourself safe:

  • only open PDFs from trusted sources
  • use Protected Mode in Adobe Reader or similar feature in other PDF readers
  • turn off JavaScript support unless required
  • turn off view PDF in web browser functionality
  • don’t open embedded attachments unless you know what’s in them

It might seem like PDF is unsafe to use, but actually if you are using modern PDF readers such as Adobe Reader X or Foxit Reader then it is very safe.

If you are using a version of Adobe Reader before version 10/X, then you should update immediately to the latest version to make sure that you are protected.

Stay up-to-date and stay safe!

You May Also Like

About the Author: Rowan Hanna

Leave a Reply