Perhaps the single most common myth about PDF files is the idea that they are “unchangeable”. WRONG.
It’s the single most common misunderstanding about the most common of file-formats.
In reality, PDF files are easy to change. They are also easy to annotate with comments, encrypt, digitally sign, make interactive, communicate with servers and much much more.
They can also be corrupted with something nasty.
Until recently, these dangers were few and far between. More recently, as IBM’s X-Force Report for 2009 makes clear in gory detail, both PDF and Adobe Systems have “…taken a beating from attackers over the past one and a half years.”
Let’s review the problem, then discuss some solutions.
Problem 1: Most people think PDF files are inherently secure
PDF isn’t a closed proprietary format; it’s an open published standard, which makes it possible for some modes of attack to leverage the file-format itself. Until very recently, PDF was targeted far less than the Microsoft Office file formats. The 2009 X-Force Report makes clear that malicious PDF is on the rise, with more vulnerability disclosures about PDF than the various Office formats in 2009.
The most typical attack involving malicious PDF includes “trick” PDF files hosted on servers and emailed as spam or in targeted attacks. These assaults leverage the trust most users place in PDF; users are characteristically less suspicious of .pdf as compared to .doc or .ppt files.
Problem 2: The Software
In a more innocent time, certain forms of attack were once considered software features. This is particularly true of so-called “XSS”, or cross-site scripting attacks, in which users are spoofed into opening a “trick” PDF file that calls out to a server for various nefarious reasons.
What Can be Done
First it must be emphasized that all the same basic rules apply to PDF as apply to any file – open it only if you trust the source.
Beyond educating users, several concrete strategies are available to dramatically enhance your protection against malicious PDF files and vulnerable PDF viewing applications.
Get the Update
The frequency of software updates has increased as the threats have multiplied. Any protective strategy should ensure that regular (and emergency) updates can and will be distributed to affected desktops as expeditiously as possible.
Organizations “of a certain size” decided long ago that ad-hoc unmanaged desktops was an IT nightmare that could be defeated with centrally-managed software deployment. In these settings, the simplest way to deal with threats is to turn off functionality in the affected software.
In some cases, for example, the recent authplay.dll vulnerability, can be mitigated by simply renaming an installed file – a process that’s ready and waiting to go in most managed-deployment installations. In other cases, customizing the software as-deployed is often necessary, and for that, Adobe Systems, at least, provides an extremely granular deployment customizer.
In other cases, PDF certification or digital signatures can provide another option for ensuring active content PDFs are known to be safe.
The most troubling aspect of these new threats is that they arrive on a vector that most users and managers have grown to trust – PDF.
This trust is entirely out of all proportion to the actual security, authentication and other measures in place to guard against malicious PDFs – in many cases, zero.
As Microsoft knows only too well, ubiquity makes you a target. The ubiquity of PDF and Flash has brought the attention of the hackers. While the vendors adjust, prudent IT managers should review their options. The 2009 IBM X-Force Report is a great place to start.