It was shortly after I had finished posting my most recent note, about Adobe’s security-related updates of Acrobat and Reader, that I saw an article in Computer World summarizing some interesting results from the Annual Global Threat Report [PDF, registration required] compiled by security firm ScanSafe (part of Cisco), of London and San Bruno CA. If nothing else, the results indicate that there is a very good reason to stay up-to-date with security fixes for Adobe’s software:
In the first quarter of 2009, malicious PDF files made up 56% of all exploits tracked by ScanSafe. That figure climbed above 60% in the second quarter, over 70% in the third and finished at 80% in the fourth quarter.
The sample of exploits was gathered from compromised or malicious Web sites. The report goes on to say that, although many Web-based attacks are designed to probe for multiple vulnerabilities, malformed PDF files are often tried first. There is a slightly curious statement in the Computer World article:
Exactly why hackers choose Adobe as their prime target is tougher to divine, however.
Perhaps this is an attempt to avoid any appearance of bashing Adobe, but I don’t think that the hackers’ choice is tough to divine. All non-trivial software has bugs, and either Reader or Acrobat is a far from trivial program. Large, complex software packages frequently have security vulnerabilities — ask Microsoft if you don’t believe me.
The choice of PDF files as a vector for malware seems to me entirely rational. PDF files are widely used, since they are one of the few fairly portable ways to send a formatted document electronically. Adobe’s own Reader software is available on Mac OS-X, Windows, Linux, and Solaris; there are also many third-party reader programs available. Software to read PDFs, from Adobe or elsewhere, is very widely installed on user PCs, and is also usable as a Web browser plug-in. Since the cost to the Bad Guys of developing an exploit is, to a first approximation, fixed, it makes sense for them to pick a target that provides the largest number of potential victims. The same motivation, I’m sure, is behind the runner-up popularity of image files (e.g., JPG, GIF, PNG) as malware vectors, although they lack the considerable attraction (from the attacker’s viewpoint) of allowing embedded executable content (as PDF does with JavaScript).
So what should the poor user do? One mitigating step, also recommended by Adobe, is to disable JavaScript in its Reader product, except when it is specifically needed for a legitimate reason. It may also be sensible to employ alternative reader software (e.g., Foxit Reader for Windows, XPDF for Linux) on a routine basis. These may not provide all of the functionality of Adobe’s Reader; but that, and the fact that they are less common, might prevent an exploit from working.
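As an added example that is not part of the original post, here is a small defender-side triage script that flags the PDF constructs discussed above: name objects such as /JavaScript, /JS and /OpenAction, including names obfuscated with #xx hex escapes. The two sample PDFs are constructed inline; a fuller check would also inflate FlateDecode streams before scanning, which this example does not do.

```python
import re

# PDF name objects that signal active content. The PDF syntax lets any
# character in a name be written as #xx, so "/JavaScript" can be spelled
# "/Java#53cript"; we decode those escapes before matching.
SUSPICIOUS_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch")

def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes so obfuscated name objects match their plain form."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> dict:
    """Count each suspicious name object; keys present only when found."""
    text = normalise_names(data)
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # Require a non-alphanumeric after the name so /JS does not also
        # match a longer name that merely starts with it (coarse heuristic).
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        n = len(re.findall(pattern, text))
        if n:
            counts[name] = n
    return counts

def triage(data: bytes) -> str:
    """Rank a file by whether script is present and wired to an auto action."""
    hits = scan_pdf(data)
    if not hits:
        return "no active content markers"
    has_script = "/JavaScript" in hits or "/JS" in hits
    has_auto = "/OpenAction" in hits or "/AA" in hits
    if has_script and has_auto:
        return "HIGH: JavaScript wired to an automatic action"
    if has_script:
        return "MEDIUM: embedded JavaScript"
    return "LOW: automatic action or launch without script"

# Constructed sample: a plain document with no active content.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
# Constructed sample: JavaScript name hidden with a #xx escape and tied to
# /OpenAction so it would run when the document is opened.
SCRIPTED_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
                b"3 0 obj << /S /Java#53cript /JS (app.alert(1)) >> endobj\n")

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("scripted", SCRIPTED_PDF)):
        print(label, scan_pdf(pdf), "->", triage(pdf))
```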