Rogue PDFs Behind 80% of Exploits In Q4 '09

CWmike writes "Just hours before Adobe is slated to deliver the latest patches for its popular PDF viewer, ScanSafe announced that by its counting, malicious Adobe Reader documents made up 80% of all exploits at the end of 2009. In the first quarter of 2009, malicious PDF files made up 56% of all exploits tracked by ScanSafe. That figure climbed above 60% in the second quarter, over 70% in the third and finished at 80% in the fourth quarter. Mary Landesman, a ScanSafe senior security researcher, said, 'Attackers are choosing PDFs for a reason. It's not random. They're establishing a preference for Reader exploits.' Exactly why hackers choose Adobe as their prime target is tougher to divine, however. 'Perhaps they are more successful,' she said. 'Or maybe it's because criminal attackers are human, too. We respond when we see a lot of people going after a particular product... We all want to go after that product, too. In the attacker arena, they might be thinking, 'Gee, all these reports of Adobe Reader zero-days, maybe I should get in on them too.'"

Me too? NOT

[ratboy666]

The reason for the PDF preference is not "me too". It is, simply, the best current trojan delivery vehicle. I send my CV in PDF format, most of the documents that I deal with are in PDF format.

And I have no way of telling if opening a particular PDF in a particular reader will cause an exploit.

Most users/blockers will not allow EXEs, and can open "ZIP" files to determine if an EXE is enclosed. Microsoft Word has been "hardened". The exploits are going for the weakest part -- output that is in a universal format and is commonly shared. That just happens to have one reader that has most of the market share.

Which means that I will continue to use "Evince" and hope that it won't be targeted soon.

Adobe is a security nightmare

[Coopjust]

(Note: Trying not to slashvertise, just sharing some info about a program that's helped me stay secure. I have no affiliation with Secunia, I just like the tool a lot.)

I scan with Secunia's (a Danish computer security company) freeware tool to check if I have insecure applications.

3 times out of 4, when something has a category 4 or category 5 exploit (e.x. click2own), it's Adobe Flash Player, Shockwave, AIR, Reader/Acrobat, etc.

It's also interesting because it tells you if your browsers are insecure (due to plugins or the browser itself). Both IE8 and Chrome are insecure in current versions with all patches.

It was pretty eye opening for me, because I thought that I kept secure, but I had 20 insecure applications when I first got the scanner. I'm always skeptical about getting stuff for free, but I imagine that Secunia uses the data to improve the accuracy of their business software.

To return to the story topic... when possible, use Adobe alternatives (e.x. Sumatra instead of Adobe Reader) and check your flash player and shockwave player versions at least once a week.

Firefox Users can use Mozilla's plugin check.

One more thing in my diatribe...recent versions of the Shockwave Player don't update correctly. I installed the latest version to fix a couple critical vulnerabilities only to find out that it wouldn't reomve the vulnerable files from my system directory. I had to download the Shockwave uninstaller, reboot my PC, reinstall shockwave, and reboot again. I felt like I was back on Windows 9x again.

Re:What about alternate readers?

The official PDF spec includes scripting and DRM and all kinds of other crap that 99.99% of pdfs don't use. Many 3rd party readers limit themselves to just displaying documents, so the third party readers are have a much smaller surface area of attack.

It isn't "I want some of that too"

[asdf7890]

In the attacker arena, they might be thinking, 'Gee, all these reports of Adobe Reader zero-days, maybe I should get in on them too.

It isn't that. It is the fact that some of the holes took so long to have patches released, so people who don't read techie news (so didn't know to turn Javascript off in the case of those holes in that area) we vulnerable for some time even once the flaw was "publicly" known. This gave crackers time to throw together a "me too!" exploit for the same bug, and encouraged them to keep looking at the platform (if a hole, once found, stays open for some time then the effort is more worth it than looking for a hole on a platform where security patches are released in a more timely fashion).

The other advantage of attacking Adobe's PDF reader is, as with Flash and other cross-browser plug-ins, one of target audience size. A successful attack may affect users of multiple browsers rather than, for example, just those who run a particular version of IE.

Not just Adobe

[bjackson1]

I just got a trojan yesterday through a PDF, while using Foxit and running Windows 7 x64 in Firefox. I didn't think anything of allowing a website to execute a PDF file (I was not aware at the time that you could execute code through a PDF).

The trojan downloaded quite a bit of malware onto my system that I spent last night cleaning from the registry. This is the first time I've gotten malware on my computer in years.

Re:JavaScript just needs to go, wherever it is use

It's a very inconsistent language, full of convolution and idiosyncrasies due to it being a hack from the very beginning.

Just take a look at the wtfjs blog to see some examples of JavaScript's outright stupidity. Keep in mind that those are virtually all language flaws, not problems with the DOM or an API.

This inconsistency makes it very difficult to implement properly, let alone with good performance, and lets security issues slip in that just wouldn't happen when implementing more sensible languages like C, Python, Ruby or Scheme.

The problem is with the language itself, not with the DOM or any APIs. That's why the language itself needs to go.

Re:Which PDF viewer?

[hitnrunrambler]

I'm wondering the same thing myself. I use Sumatra instead which is a far more stripped down reader. My instincts tell me that I'm safer because it doesn't have all of the integration (java etc) but I'd love to see some comparisons.

Re:But does it run in Linux?

[Yvan256]

Since Mac OS X has built-in support to read and write PDFs, who installs Adobe Reader on a Mac?!

Re:What about alternate readers?

[Skuld-Chan]

Yes Foxit actually has security issues as well.I personally don't think there are as many because Foxit isn't in as much wide use (Foxit isn't bundled with new PC's for instance).

The plain and simple fact is that it is hard to make secure software. Couple that with the fact that the PDF format is well over 20 years old (as you can imagine there's a lot of legacy code in the viewer) and you have a recipe for the perfect security nightmare.

The other problem is - once one researcher/hacker finds a big exploit the blood is in the water and suddenly you have a bunch of people looking into it for obvious reasons.

Re:Why does anyone use Adobe reader anymore?

[asvravi]

I had problems viewing documents with complex formatting and embedded Chinese fonts on Foxit. Returned to Adobe. It is easy to miss some information in the document without even realizing it, if the reader sacrifices functionality in favor of being lightweight. I would any day prefer fidelity to the PDF spec over being lightweight.

Re:Why does anyone use Adobe reader anymore?

[Skuld-Chan]

Primitive how. I use it all the time.

You cannot use Foxit on Livecycle forms and other kinds of interactive forms. Foxit doesn't support online commenting and reviewing, Foxit doesn't support 3d annotations (Reader even supports PMI extensions). Yeah Reader is big, but it has a ton of customer requirements.

Foxit does have security advisories - google it, and its not even a major target.