PDFs Have Become Pretty Darned Fallible, Security Experts Warn
When cyber bad guys started sending viruses and Trojans through e-mail, the common wisdom was to never trust an unverified Microsoft document, but that Portable Document Formats were always safe.
Times have changed. PDFs are the No. 1 vehicle for web-based attacks today. According to Symantec’s quarterly threat report for April-June 2010, malicious PDF activity — in which attempts to download suspicious PDF documents were observed — accounted for 36 percent of all malicious activity .
PDFs were also a major problem in 2009, yet outside the security community the attacks go largely unknown.
The problem is how PDF files are written, according to Anup Ghosh, founder and chief scientist at security-software producer Invincea. Not only are the data presented in a document format, but code can also be inserted.
“So when the document is opened,” Ghosh explained, “you’re not only rendering data, but potentially executing code that is embedded into the document.”
This code can exploit vulnerabilities in the PDF reader or PDF specification (what the computer requires to read the documents). Readers are easy enough to fix, Ghosh said, but the specifications are more difficult.
The bulk of attacks are against Adobe Reader using a Java script interface. “The way the attacks work is, when you load a PDF document, it starts running Java code, exploiting the vulnerability in Adobe Reader,” said Ghosh. “Once the vulnerability is exploited, a Trojan horse or other malicious executable is delivered to the computer.”
One of the most serious attacks is a Trojan horse called Zeus , which steals bank account information. It will stay dormant until you go to your bank account, and is so sophisticated it will wait until the user has entered all of the passwords and authentication codes. Then it will stealthily schedule to transfer money from your bank account to the criminal's.
An estimated 99 percent of all computers, no matter the operating system (OS), use Adobe as the primary PDF reader. Right now, malicious code will execute only for the OS it is written for, which is primarily Microsoft. However, Ghosh pointed out recent warnings of potential attacks across multiple platforms, including Apple products.
As more people are downloading e-books and magazines in PDF format, how can they enjoy their reading material while keeping safe?
First, e-reader devices are currently safe from malicious attacks, so you can download without fear.
Second, download PDFs only from trusted sources. (However, Ghosh said PDFs are popular in spearphishing – where phishing e-mail is personalized to the recipient, often from a known address. A recent spearphishing campaign claimed to offer tips in a PDF file from a famous golf pro.)
Lastly, consider trying another PDF reader such as Foxit or PDF-Xchange