PDF Exploits On the Rise

An anonymous reader writes "According to the TrustedSource Blog, malware authors increasingly target PDF files as an infection vector. Keep your browser plugins updated. From the article: 'The Portable Document Format (PDF) is one of the file formats of choice commonly used in today's enterprises, since it's widely deployed across different operating systems. But on a down-side this format has also known vulnerabilites which are exploited in the wild. Secure Computing's Anti-Malware Research Labs spotted a new and yet unknown exploit toolkit which exclusively targets Adobe's PDF format.'"

Not to worry.

[morgan_greywolf]

I'm sure Secure Computing has a product for that. :-/

Re:Not to worry.

[electrictroy]

Don't set your browser to auto-load PDF files. (Or any other file for that matter.) Download it first; scan it; then open it externally.

Re:Not to worry.

[Big+Nothing]

Or don't use Adobe Reader, instead use one of the many competent and more secure open alternatives.

Re:Not to worry.

[mpe]

I was wondering whether there was any hope of getting websites to start saying "requires a PDF reader" instead of "requires Adobe's PDF reader".

This is only going to happen after this kind of thing is called an "Acrobat Reader exploit" rather than a "PDF exploit" though.

Re:Not to worry.

[bugeaterr]

And missing features.

Like script execution turned on by default.
Nothing could go wrong there.

Re:Not to worry.

[lysergic.acid]

oh, you mean the inability to start up in less than a minute? or the ability to act as a virus vector?

PDF exploit? Or Adobe Reader exploit?

What if you use a PDF reader that's not made by Adobe?

I wonder why?

[Nerdposeur]

Hmmmm. Maybe this is because they've crammed all kinds of interactive content into a Portable Document Format?

I mean seriously. I thought the idea of PDFs was "this is as simple as a printed copy, and looks the same."

Re:Good news cause PDF's should be shunned

[martinw89]

No, it's just that for some people PDFs are a hammer and every single printed word on the tubes is a nail.

I have had plenty of times where I was turning in papers electronically or needed to transfer documents between computers where PDF came in quite useful. When I'm turning in a paper electronically, I have no idea what version of Office the professor has. Nor do I even have Office. PDFs are very useful in this case.

Also, it may not be as bloated as you perceive. Acrobot reader is slow as hell. Evince and KPDF, both on Linux, are noticeably faster for me. There are alternatives for Windows as well that are better than the "official" reader.

Re:Time for PDF Lite?

I second this idea. If the file format is so complex that it's vulnerable to this kind of attack, and the advice we get is "make sure your OS and browser are updated because the format can't be fixed reliably," then the format is too complicated for its own good. It's fallen victim to feature creep.

Logical Step for Exploits

[neonprimetime]

Exploit the Windows operating system cause the majority of users have it. Exploit Internet Explorer because the majority of users have it. Exploit Office products because the majority of users have it. Exploit Adobe's PDF format because the majority of users have it.

There is now Mac OS, various Linux distros, etc. There is FireFox, Opera, Chrome, etc. There is Open Office, etc. Maybe Adobe needs some good competition in the eyes of the public?

Re:Security article

Why do all these security articles end up basically saying the same thing?

You mean that none of those companies even consider thinking of giving the user a possibility to run their stuff in a (default) secure setting (not giving the reader/PDF permission to do anything else than display the content) ?

I personally had to remove, by hand, a number of accompanying DLLs to Acrobats PDF-reader from which I never seem to use their functionality (like web-buying thru a PDF) but get loaded every time (slowing it down).

Instead of them I really would like to be able to add information to the PDF (like my own remarks and bookmarks), even if it would be stored in an extra file (and not in the PDF itself).

Overuse of PDF

[owlnation]

The biggest issue is overuse and inappropriate use of PDF.

The only reason to ever use PDF is if it is NECESSARY for your audience to print the document in question.

Way too often websites have PDFs that are the only alternative for information. If you want to look up a train time for example, once and once only, you almost always have to download a PDF -- why? Sure, give people the choice of doing that if they want to, but there's no reason to slow down the internet for one-off pieces of information.

With concerns about the environment (perceived real or theatrical, regardless), you'd think that firms would stop encouraging frivolous use of paper. With the extortionate cost of printer ink, you'd think that firms would also be cost-conscious.

Uploading a 2 or 3 page document to the web in a PDF format is a criminal waste of resources, it's also an irritation that I don't need. I do not (and will never) work in a corporation. I do not need Office or PDF format -- ever. It's slow, and it's crap to read online.

I can cheerfully live my entire life without it, and I sincerely wish retarded developers and content managers would stop forcing it on me.

Re:Overuse of PDF

[Ardeaem]

Often, the reason for this is that either 1) the document in question was first designed for a print medium, or 2) The material was dumped from some kind of database as PDF. Often to redesign the output to be a better in web format is nontrivial. Why should they waste so many workhours on such a thing? It would provide no benefit in terms of the information that is available. It would only keep you from being annoyed.

Given that many of the organizations doing this are government organizations, and they use tax dollars, do you want your tax dollars spent on just redesigning output to be appropriate for HTML? I'll just deal with the (small) annoyance, thanks.

Any format can be exploited. The (over)use of PDF is not the issue here.

Re:Overuse of PDF

[Locklin]

Additionally, plenty of academic papers, presentations, and posters are written with LaTeX. I would rather see people posting such material to the web (in PDF), rather than the alternative of not posting it, or spending time fighting to convert things to HTML and having it look awkward.

Firefox should come with a minimal PDF reader

[Animats]

Firefox should ship with some minimal PDF reader instead of Adobe's. There's an incredible amount of junk in Adobe's PDF reader, which adds both vulnerabilities and load time. Has anyone ever used the WebBuy feature of Adobe PDF Reader?

Exactly The Kind of Analysis We DON'T Need

[Alexander]

I'm sorry, but in that very brief article linked, I saw absolutely ZERO analysis concerning frequency.

YAY! There's an exploit and toolkit. The existence of which is, in some sense, a useful piece of prior information for establishing the probability that there MIGHT BE an increase in frequency in the future - but it's quite a leap to have a freakin' /. link to a corporate article that uses hyperbole in claiming that there is some State of Nature or State of Knowledge that points to .pdf attacks being "On the rise".