PDF exploits explode, continue climb in 2010
Sandboxing Adobe Reader may be the answer, says researcher
Computerworld - Exploits of Adobe Systems Inc.'s PDF file format jumped dramatically last year and are continuing to climb during 2010, a McAfee Inc. security researcher said Wednesday.
According to Toralv Dirro, a security strategist at McAfee Labs, the percentage of exploitative malware targeting PDF vulnerabilities has skyrocketed. In 2007 and 2008, only 2% of all malware that included a vulnerability exploit leveraged an Adobe Reader or Acrobat bug. That figure jumped to 17% in 2009 and to 28% during the first quarter of 2010.
"In the last three years, attackers have found PDF vulnerabilities more and more useful, for a couple of reasons," Dirro said. "First of all, it's increasingly difficult for them to find new vulnerabilities with the operating system and within browsers that they can exploit across the different versions of Windows. And second, Reader is one of the most widely deployed applications that allows files to be accessed or opened within the browser."
Other factors contributing to the jump in PDF exploits, according to Dirro, range from user belief that PDFs are safe to open, or at least safer to open than Microsoft Office documents, to the age of Adobe's code. "Quite a lot of PDF code was written years ago, and attackers are finding new security problems that no one thought of then," Dirro said. "That makes it difficult for Adobe to clean it up."
A recent discovery illustrated Dirro's point. Earlier this month, Belgian researcher Didier Stevens demonstrated how malicious PDFs could use a standard feature of the PDF specification to run attack code hidden in the file; he also demonstrated a way to modify an Adobe Reader warning message in order to further trick users into opening such documents. Although some of what Stevens revealed has been publicly known for at least eight months, the technique has only been picked up by hackers in the last several weeks.
A major malware campaign using Stevens' tactics began Tuesday, with malicious PDFs attached to e-mail messages masquerading as instructions from companies' network administrators.
Microsoft also recently reported that PDF exploits remain a potent part of hackers' arsenals. In its newest Security Intelligence Report, Microsoft said that nearly half of all browser-based exploits in the second half of 2009 targeted Adobe's Reader. Three Reader vulnerabilities -- which were patched in May 2008, November 2008 and March 2009 -- accounted for more than 46% of all browser attacks.
McAfee rival Symantec Corp. has also noticed an explosion in the number of PDF-based attacks. According to Symantec's latest Internet Security Threat Report, which was published last week, malicious PDFs were responsible for 49% of all Web-based attacks in all of 2009, compared to just 11% of all Web-based attacks in 2008.
Like McAfee, Symantec recorded a surge in reported Adobe Reader vulnerabilities. Of all browser plug-in bugs logged last year, 15% were in Reader's add-on for Internet Explorer, Firefox, Chrome and other Windows browsers. That represented a significant increase from 2008, when 4% of all browser plug-in bugs were in that Reader add-on. And two of 2009's top five exploited vulnerabilities were in Adobe Reader.
Adobe declined to comment specifically about McAfee's and Microsoft's statistics on Reader vulnerabilities. Instead, a spokeswoman forwarded a statement the company has used before. "Given the relative ubiquity and cross-platform reach of many of our products, in particular our clients, Adobe has attracted -- and will likely continue to attract -- increasing attention from attackers," she said in an e-mail. "The majority of attacks we are seeing are exploiting software installations that are not up to date on the latest security updates."
The company's latest security move attempts to address the update issue; on April 13, Adobe activated a service that silently updates customers' copies of Reader and Acrobat.
Adobe may be working on other ways to beef up Reader and Acrobat. According to one security researcher, Adobe will add sandboxing defenses to its PDF software this year. Sandboxing, perhaps best known as a technique used by Google's Chrome browser, isolates processes from each other and the rest of the machine, preventing or hindering malicious code from escaping an application to wreak havoc or infect the computer.
Adobe has acknowledged it will add sandboxing to Flash -- another of its products that is frequently targeted by exploits -- and has that at the top of its to-do list, according to Paul Betlem, senior director of Flash Player engineering.
Reader may or may not get sandboxing as well. When asked about the reports that Reader 10 would include sandboxing defenses, a company spokeswoman said Adobe had not announced plans but was "investigating how to get different features to work in a sandbox."
McAfee's Dirro said adding sandboxing to Adobe Reader would be a smart move. "It's one of the most useful ways to address a lot of different vulnerabilities," he said. "Sandboxing had proven to be fairly efficient at stopping attacks."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts