PDF Payloads Increasingly Pack Malicious Punch

PDF has now supplanted another Adobe technology -- Flash -- as the exploit platform of choice for malicious hackers.

If you exchange presentation files, you might have noticed a rise in the prevalence of PDF-based materials. That's just one indication of the increasing use of PDF as a standard file format for business.

Hackers have also taken notice. In last August's edition of the SANS Institute's monthly SANS Newsbytes publication, SANS Institute president Stephen Northcutt went so far as to encourage shops to reconsider their dependence on technologies such as PDF or Flash, writing that "using [such] ... products seems to put your organization at risk." Northcutt suggested that shops "try to minimize" their "attack surface[s]" by limiting the use of PDF, Flash, and similar technologies "where [they] can."

Since then, security watchers say they've measured a sharp rise in PDF-based exploits. The result, according to ScanSafe (a Cisco Systems Inc. subsidiary), is that malicious hackers are increasingly targeting PDF vulnerabilities. What's surprising is how quickly PDF attacks have risen to the fore. In 2009, for example, PDF-related exploit activity far surpassed Flash, which (in tandem with the coming of Web 2.0) has traditionally been a popular hacking target. ScanSafe says malicious PDF files accounted for more than half (56 percent) of all Web-based exploits; Flash-based exploit activity, on the other hand, fell by more than 50 percent, dropping from about 40 percent of all Web-based exploits to 18 percent over the same period.

Even if you don't receive lots of PDF traffic, the users you support almost certainly do. What's more, ScanSafe reports, PDF usage, and therefore PDF exploitation, will continue to increase over time, thanks to the popularity of PDF, particularly as a portable (and comparatively platform-independent) alternative to Microsoft technologies in the enterprise. "When malicious exploit code was encountered in 2009, vulnerabilities involving malformed PDF files ... were the most frequently targeted, followed by vulnerabilities in Adobe Flash," ScanSafe researchers write.

"Interestingly, as the rate of malicious PDF files increased in 2009, the rate of malicious Flash files decreased throughout the year." PDF reading tools (along with software capable of creating PDF files) abound, but ScanSafe particularly singled out vulnerabilities in Adobe's Acrobat and Acrobat Reader tools as vectors for attack.

"This trend is likely indicative of attackers' preference for PDF exploit[s], probably due to a combination of increasing availability of vulnerabilities in Adobe Reader and Adobe Acrobat and the continued widespread use and acceptance of PDF files in both the workplace and consumer sectors," they write.

What's perhaps most striking is the rapid rise of PDF (or of PDF-based tools) as a popular target for exploit activity. In 2009, for example, the CVE recorded 107 PDF-related vulnerabilities; this tally accounts for more than one-third (37.2 percent) of all PDF-related vulnerabilities to date. The majority (76 percent) of last year's PDF-related exploits were rated as "high" risks by the CVE, and 2009's tally was nearly twice that of 2008, which was up only incrementally over 2007's tally (58 in 2008, 50 in 2007).

"The problem of recent surges in Adobe vulnerabilities has become of concern to many officials," ScanSafe researchers write, referencing SANS president Northcutt's warning in particular.