The problem for PDF is its sheer popularity as a universal medium for sharing data and intellectual property. Because it is a freely available standard, many developers have produced their own PDF tools, creating an even larger pool of targets for attackers. A common attack vector is to feed the system corrupt files in an attempt to make it crash. When this happens it is sometimes possible to insert malicious code to run on the system. This can lead to the installation of further malware able to steal data, destroy files or infiltrate deeper into the system.
Adobe lists a series of defense mechanisms that should be present in any PDF application. These include an application sandbox, data execution protection including non-executable memory and safe structured exception handling, address space layout randomization, and stack cookies. All of these should be present in any PDF solution, says Adobe. “A solution with just a few of these features does not provide the level of security that all these features combined can provide.”
Adobe also points out that evaluating the product alone is not sufficient. Applications and security change so fast that it is difficult to keep up – and for this reason it is equally important to evaluate the supplier’s security stance. Attitudes towards software development and testing, patching policy, post-release support and response to bug discovery should all be considered.
A third-party comparison produced by iSEC at the end of last year demonstrated how well or badly the security principles are implemented by 12 different PDF applications. Adobe’s Reader X and Acrobat X were forced to crash 7 and 13 unique times respectively – but not once was the crash classified as exploitable. “By comparison, other PDF readers crashed up to 134 unique times, and other PDF writers crashed up to 132 unique times on a large corpus of test PDF files,” says Adobe. Of these, some non-Adobe readers “experienced up to 16 exploitable crashes, and some PDF writers experienced as many as 22 exploitable crashes.”
“Because the PDF file type can be used for attacks, the days of licensing and deploying the lowest-cost PDF tool – without careful scrutiny of security – are long gone,” warns Adobe. “When an organization’s reputation and survival depend on the ability of their security defenses to stay strong in the face of repeated attacks, it’s critical that they hold application vendors to a higher standard.”