Slashdot Mirror


Rogue PDFs Behind 80% of Exploits In Q4 '09

CWmike writes "Just hours before Adobe is slated to deliver the latest patches for its popular PDF viewer, ScanSafe announced that by its counting, malicious Adobe Reader documents made up 80% of all exploits at the end of 2009. In the first quarter of 2009, malicious PDF files made up 56% of all exploits tracked by ScanSafe. That figure climbed above 60% in the second quarter, over 70% in the third and finished at 80% in the fourth quarter. Mary Landesman, a ScanSafe senior security researcher, said, 'Attackers are choosing PDFs for a reason. It's not random. They're establishing a preference for Reader exploits.' Exactly why hackers choose Adobe as their prime target is tougher to divine, however. 'Perhaps they are more successful,' she said. 'Or maybe it's because criminal attackers are human, too. We respond when we see a lot of people going after a particular product... We all want to go after that product, too. In the attacker arena, they might be thinking, 'Gee, all these reports of Adobe Reader zero-days, maybe I should get in on them too.'"

13 of 189 comments

  1. Re:How about by God'sDuck · · Score: 4, Informative

    The article does not say "80% of PDF exploits," it says "80% of ALL SOFTWARE exploits."

  2. What about alternate readers? by Monoman · · Score: 2, Informative

    Is the problem with the Adobe Reader program itself or the file format? Do third party PDF readers have the same security issues?

    --
    Keep the Classic Slashdot.

  3. Two simple safeguards that help by BlueParrot · · Score: 3, Informative

    a) Configure your web browser so it asks you to download pdf files instead of opening them automatically.

    b) Use an alternative PDF reader/viewer.

  4. Re:Should PDFs be dangerous? by toleraen · · Score: 4, Informative

    That and disabling browser integration generally mitigates the issue. That is until they figure out a way to force Reader to use javascript regardless of your setting...

  5. Because of JavaScript support in Adobe Reader! by JakFrost · · Score: 3, Informative

    I have noticed that while web browsing and even when using the currently latest Mozilla Firefox 3.5.7 or 3.6 with Ad-Block Plus and PDF Download add-ons installed I still would get hit with a web page that would automatically push an Adobe Reader PDF file to me and I would have it open automatically. That PDF would be just a page full of random words but when inspected in Adobe Acrobat in depth when you go into the Advanced \ Document Processing \ Edit All JavaScript... menu you immediately see a script inside the PDF that is launched upon opening that PDF. When I analyzed the script I saw strange calls to the execution functions and methods along with calls to write out encoded data from an array holding hexadecimal values to files.

    With the known exploits in Adobe Reader 9.0 versions and earlier it was easy for me to see why this product was used as a popular attack vector in the last few months for viruses to spread on the Internet.

    Luckily, since I use my computer as an ordinary user and use Run As with User Account Control requesting a password for any administrative work and program installation, I avoided being infected with these Trojan horse PDFs.

    Some of you might recommend using the Mozilla No Script add-in to block all scripts but the reality is that there is so much JavaScript code out there on the web that turning scripting off makes many web sites unusable since they've all been designed with this reliance on scripting for navigation.

    1. Re:Because of JavaScript support in Adobe Reader! by maxume · · Score: 2, Informative

      Uncheck "Preferences->Internet->Display in browser" and Acrobat will prompt you to save those files rather than automatically loading them (this will probably also render your downloading extension redundant).

      --
      Nerd rage is the funniest rage.
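A defender-side triage check for the pattern JakFrost describes above (a script wired to run when the PDF opens, carrying hex-encoded data), added here as an example; it is not code from the thread or from Adobe. It assumes the standard PDF action keys (/OpenAction, /AA, /JavaScript, /JS, /Launch, /EmbeddedFile) and runs over constructed sample bytes, not a real malicious file; it is a string heuristic rather than a PDF parser, so objects inside compressed streams would need inflating first.

```python
import re
from typing import Dict
# Constructed sample (not a real malicious file): a minimal PDF whose catalog
# carries an /OpenAction pointing at a JavaScript action, as in the comment
# above. /J#61vaScript is the PDF #xx name escape for 'a', a cheap obfuscation.
SCRIPTED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (var a = ['41', '42'];) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Constructed sample: the same skeleton with nothing wired to document open.
STATIC_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Dictionary keys that indicate code or actions running without user consent.
SUSPECT_KEYS = ("/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch", "/EmbeddedFile")

def normalize_names(data: bytes) -> bytes:
    """Decode #xx hex escapes so obfuscated names match their plain spelling.
    Heuristic: '#xx' inside strings is rewritten too, which is harmless here."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def count_suspect_keys(data: bytes) -> Dict[str, int]:
    """Count each suspect key. A name ends at the next delimiter, so the
    lookahead keeps /JS from matching /JSomething."""
    text = normalize_names(data)
    counts: Dict[str, int] = {}
    for key in SUSPECT_KEYS:
        hits = re.findall(re.escape(key.encode()) + rb"(?![A-Za-z0-9])", text)
        if hits:
            counts[key] = len(hits)
    return counts

def triage(data: bytes) -> str:
    """'auto-run-js': script wired to an open/auto action; 'scripted': script or
    launch action without such a trigger; 'static': nothing runs on open."""
    counts = count_suspect_keys(data)
    has_js = "/JavaScript" in counts or "/JS" in counts
    has_trigger = "/OpenAction" in counts or "/AA" in counts
    if has_js and has_trigger:
        return "auto-run-js"
    if has_js or "/Launch" in counts:
        return "scripted"
    return "static"
```

The static sample is the case Skuld-Chan's comment below describes: no script keys at all, so there is nothing for a viewer to warn about.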

  6. Re:Hard month for Adobe. by mambodog · · Score: 2, Informative

    Don't forget the controversy of Adobe allegedly trying to sabotage the HTML5 spec.

  7. Re:Adobe is a security nightmare by fishbulb- · · Score: 3, Informative

    I opened the Advanced interface of Secunia PSI, the program overview says:
    'Cannot display graph, as Adobe Flash Player does not appear to be installed in Internet Explorer on your computer...' then provides a link to install it.

    I feel betrayed.

  8. Re:Me too? NOT by Skuld-Chan · · Score: 3, Informative

    Worse yet, instead of warning you that a PDF is about to execute JavaScript code, Adobe Reader actively and repeatedly harasses you if you turn off JavaScript, telling you that it won't work properly. This, even if the PDF you are viewing contains no JavaScript whatsoever.

    Hrm tested this in 9 - it only complains with Javascript disabled that the PDF contains some elements that might not be displayed properly because of the preference, and ONLY IF you open a PDF with Javascript in it.

    For static PDF files it does not display any warning if JS is off.

  9. Re:Or more likely by sopssa · · Score: 1, Informative

    Whoa, you're bringing up ten year old worms to the table. Do you even understand how many old worms there have been with Linux/UNIX in all of its history, most of them not even requiring a web server?

    Any of those things you list as "poor security choices from Microsoft" aren't even such.

    patch Tuesday

    Patch Tuesday streamlines the update process in large companies. It would be a really bad solution from MS to force the update randomly, possibly breaking things. Linux doesn't even have automated update at all - you have to run your update tool when it's convenient for you, or go and compile the new kernel. Is that really a better security choice? Would you want Windows to be the same way?

    cannot delete opened file

    This has nothing to do with security choice for Windows. And you can force-delete a file, at your own risk.

    No distinction between administrator and normal user

    You're still running Windows 95 or what?

    backward compatibility back to DOS

    There's no such thing really anymore, hasn't been since XP. It's an emulated layer, and also breaks most of the old viruses because of that.

    GUI in server and for administration tasks

    How does this lower security again?

    no distinction between executables and normal files

    Just like Linux doesn't have either. You can set the executable bit on any file and it happily runs.

    complex database for configuration

    Specifically for what? MySQL also has a pretty complex database (inside itself) for its settings and users.

  10. Sumatra PDF - sort of OK, maybe. by Animats · · Score: 2, Informative

    I've been using Sumatra PDF for the last year. It's rather clunky and uses too much memory on long documents, but it's adequate for most viewing.

    Its renderer is rather slow, though. And when you zoom, it renders the document first zoomed in X, then, seconds later, in Y as well. That's just stupid.

  11. Re:Or more likely by Anonymous Coward · · Score: 1, Informative

    Linux doesn't even have automated update at all - you have to run your update tool when it's convenient for you, or go and compile the new kernel.

    Absolutely not true, you don't know what you're talking about. Please post no more. Your credibility has failed and you'll only worsen your cause by doing so.

  12. Re:Or more likely by Super_Z · · Score: 2, Informative

    Patch Tuesday streamlines the update process in large companies. It would be a really bad solution from MS to force the update randomly, possibly breaking things.

    You seem to confuse "offer" with "force". Why not offer a patch when it is ready and let the companies decide themselves when and how often to patch? Just like every other OS vendor on the face of the planet?

    Linux doesn't even have automated update at all - you have to run your update tool when it's convenient for you, or go and compile the new kernel.

    If by "Linux" you mean every major Linux distribution, then you are simply wrong.

    no distinction between executables and normal files

    Just like Linux doesn't have either. You can set the executable bit on any file and it happily runs.

    Actually, the executable bit is the distinction between executables and normal files. You cannot run a normal file without specifically setting the executable bit. It is a "security feature".

    complex database for configuration

    Specifically for what? MySQL also has a pretty complex database (inside itself) for its settings and users.

    The OP is talking about the Registry.