PDFs account for 80% of all exploits in 2009

Robert Hallock 18 Feb, 2010 at 1:22pm ET Article published in Tech

Security firm ScanSafe announced on Tuesday (PDF) that Adobe’s PDF document format was the target of 80% of all exploits in 2009.

According to the California company, vulnerabilities in Adobe Reader and Adobe Acrobat were the most-exploited software in 2009, growing from 56% in 1Q09, to 80% in 4Q09.

“When malicious exploit code was encountered in 2009, vulnerabilities involving malformed PDF files (Adobe Reader / Adobe Acrobat) were the most frequently targeted, followed by vulnerabilities in Adobe Flash,” the report reads. “Interestingly, as the rate of malicious PDF files increased in 2009, the rate of malicious Flash files decreased throughout the year.”

“The problem of recent surges in Adobe vulnerabilities has become of concern to many officials, prompting an unprecedented warning from Stephen Northcutt, president of the SANS Technology Institute, In the August 4, 2009 issue of SANS Newsbytes, Northcutt warned: ‘I think organizations should avoid Adobe if possible. Adobe security appears to be out of control, and using their products seems to put your organization at risk. Try to minimize your attack surface. Limit the use of Adobe products where you can.'”

Adobe’s security issues are further highlighted by the Common Vulnerabilities and Exposures (CVE) database, which shows a dramatic rise in reported flaws. In 2009, 107 Abode vulnerabilities were logged into CVE. That figure is nearly double the 58 added in 2008 and almost triple the 35 reported in 2006.

The surge in vulnerabilities, the report suggests, is owed to the continued widespread use and acceptance of PDFs at home and in the workplace.

Nevertheless, ScanSafe has tempered its report by noting that malware authors exploit the path of least resistance. With malware a growing, multi-billion dollar industry in 2009, and Adobe products and documents on the rise, it was a practical inevitability that the firm would be pulled into the crossfire.

Comments

18 Feb 2010 ~ 3:53pm Annes I wish I could say I was surprised, but I'm not. I really wish I could get everyone in my company to use Foxit instead, but some of the silly vendors we use require it (I can't find a way around it, either.)

But if PDFs are the exploited, does the reader really matter?
18 Feb 2010 ~ 4:02pm Thrax The PDFs exploit flaws in the reader, so I can presume that it does matter.
18 Feb 2010 ~ 4:03pm GHoosdum I think it does matter, most of the web exploits are browser-specific... these PDF exploits are probably reader-specific. But that's just a guess.
18 Feb 2010 ~ 11:55pm Komete Hrmmm... So should I get rid of adobe reader and go with Foxit?
19 Feb 2010 ~ 12:01am GHoosdum I recommend it for the performance-robbing potential of Adobe alone. I honestly had no idea about the exploits until this post.
19 Feb 2010 ~ 7:28am mirage Unfortunately Foxit does not work well with text selection tool and PDF forms for me. I recently went back to Adobe reader. I have disabled Java scripts and file attachments in the PDF files for security. Also disabled the two startup programs (AdobeARM and Speed Launcher). Version 9.3 is working fine for now and I do not see any speed difference compared to Foxit.
19 Feb 2010 ~ 12:19pm DrLiam I too have had a lot of problems with Foxit. There would be some pdfs that would refuse to open or foxit's editing tools would refuse to work. Yet the biggest problem for me was the embedded version for firefox, terrible. Six times out of ten the embedded foxit would either crash or the tools would not work. (Meaning I could not print!)
19 Feb 2010 ~ 12:23pm Thrax FoxIt has been a dreamy dreamboat of a PDF reader for me. I've been using it for years, and I'll never go back.
19 Feb 2010 ~ 12:47pm mirage

DrLiam wrote:

I too have had a lot of problems with Foxit. There would be some pdfs that would refuse to open or foxit's editing tools would refuse to work. Yet the biggest problem for me was the embedded version for firefox, terrible. Six times out of ten the embedded foxit would either crash or the tools would not work. (Meaning I could not print!)

With both readers, I disable the Firefox plugins as well. If there is a link to a PDF file, it should open in the PDF viewer's window. I hate it, really hate bloated software. Just a PDF viewer, and it marks every spot of my OS like a dog.
23 Feb 2010 ~ 1:17am Lightzout I wonder how well Sumatra performs against these exploits. I love it. Windows 7 & Firefox open source (FREE) software that works with a simple UI, yes it does exist.
23 Feb 2010 ~ 10:10pm Annes Foxit is quickly falling from my good graces with its increasing size and resource use. The attempts to install toolbars and add an ebay link to my desktop don't help, either.

Does anyone here use Sumatra?
23 Feb 2010 ~ 11:32pm Linc This is accounting for number of exploits, not percentage of actual exploitation, right? So 80% of documented exploit methods may have targetted PDF, but that doesn't mean 80% of people who got pwnt had it happen through PDF. I'd be interested to see what those numbers are before I got all uptight about what reader I'm using.
23 Feb 2010 ~ 11:34pm Linc How awesome is it that the linked report is a PDF?

I AM SCARED.
24 Feb 2010 ~ 12:03am GHoosdum

Annes wrote:

Foxit is quickly falling from my good graces with its increasing size and resource use. The attempts to install toolbars and add an ebay link to my desktop don't help, either.

Does anyone here use Sumatra?

I used Sumatra for a while before switching to Foxit, and I found it to be too lightweight. Since it didn't install anything to the registry, there was no file association, so opening any PDF with Sumatra was a matter of saving the PDF, loading Sumatra, then opening the PDF from inside the program.

It may have improved since then. It certainly didn't have a problem displaying the PDFs.

I agree with you that Foxit has too many associated stuff trying to install now.