Vulnerabilities related to Adobe PDF files could be emerging as hackers' favorite target, according to some security researchers. Some users might consider taking steps to lessen the rising risk, they say.
In 2009's last quarter, 80 percent of malware encountered through Web surfing targeted Adobe PDFs, according to ScanSafe's recent Annual Global Threat Report. That's up from 56 percent in the first quarter, it states. The second most targeted application in 2009 was Adobe Flash, which actually saw attacks decline to 18 percent in the final quarter from 40 percent in the first. The large majority of malware encounters occur through exposure to compromised Web sites, notes ScanSafe, which analyzes and secures companies' Web traffic.
Hackers' growing interest in PDF files could stem from the applications' continued widespread use in the business and consumer marketplaces, according to ScanSafe and other researchers. Another likely reason is that the applications contain dynamic content, such as JavaScript, they say.
ScanSafe also pointed to data collected from the Common Vulnerabilities and Exposures (CVE) Web site, which lists publicly known vulnerabilities. Adobe received 107 new records in 2009, compared to 58 in 2008 and 50 in 2007, according to the site. CVE is run by the MITRE Corporation and is sponsored by the Department of Homeland Security.
Adobe, along with Microsoft, also had the "most notable" zero-day vulnerabilities in 2009, according to a report by M86 Security. M86 identified about five zero-days, vulnerabilities for which no patch exists, that were used to successfully hack Adobe last year. Software developers are more security-focused than in previous years, according to M86, but can still take "weeks or months" to issue a zero-day fix.
For end-users, though, frequent patching is crucial in mitigating Adobe and other IT risks, say many experts. Adobe users could also consider disabling JavaScript within Adobe's Reader and Acrobat applications. JavaScript has played a role in “many” of the successful PDF-related attacks, says Graham Cluley, senior technology consultant at security firm Sophos.
Users might also consider alternatives to Adobe software, he says. Applications that can read PDF files, for example, are available from companies including Foxit Software and Nuance. So far, such products have been considerably safer than Adobe, he says.