PDF Security – Avoiding Exploits

It seems like in the past couple of weeks a lot of security risks are popping up. So to add to the list, I read about a critical security risk with Adobe Reader versions 8.1.2 and lower (this exploit is not applicable to version 9). The vulnerability comes from the use of JavaScript inside the PDF file:

Engineers from CoreLabs determined that Adobe Reader could be exploited to gain access to vulnerable systems via the use of a specially crafted PDF file with malicious JavaScript content.

My first thought is why does a PDF document even need JavaScript? I seriously cannot think of a single reason a PDF document would need this ability. Perhaps I have opened PDFs in the past which had JavaScript in them and I didn’t know it, but overall I just use a PDF reader to open “static” documents.

To avoid issues such as this, just use a ‘simple’ PDF viewer, such as Foxit Reader, which is not affected by this exploit. If you do need the additional functionality of Adobe, however, just make sure you keep it updated.
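Whether a particular PDF carries JavaScript can be checked before opening it by looking for the script-action keys in the file's raw bytes. The Python sketch below is an added example, not part of the original post; it goes slightly beyond the text by also counting the `/OpenAction` and `/AA` trigger keys, and the function names and sample byte strings are constructed for illustration.

```python
import re
import sys

# PDF name tokens that mark active content: script actions and auto-run triggers.
ACTIVE_NAMES = ("JavaScript", "JS", "OpenAction", "AA")

# A PDF name is "/" followed by any run of non-whitespace, non-delimiter bytes.
_NAME = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed sample inputs (not real documents).
SAMPLE_STATIC = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SAMPLE_SCRIPTED = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /JS (void 0;) >>\nendobj\n"
)


def decode_name(raw: bytes) -> str:
    """Undo #xx hex escapes, so a name written J#61vaScript reads as JavaScript."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def active_content(pdf_bytes: bytes) -> dict:
    """Count active-content name tokens found in the raw bytes of a PDF."""
    counts = dict.fromkeys(ACTIVE_NAMES, 0)
    for match in _NAME.finditer(pdf_bytes):
        name = decode_name(match.group(1))
        if name in counts:
            counts[name] += 1
    return counts


def has_javascript(pdf_bytes: bytes) -> bool:
    """True if the file declares a JavaScript action or a /JS script entry."""
    counts = active_content(pdf_bytes)
    return counts["JavaScript"] > 0 or counts["JS"] > 0


if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SCRIPTED
    print(active_content(data))
    print("JavaScript present" if has_javascript(data) else "no JavaScript keys found")
```

A zero count is not proof that a file is static: objects stored inside compressed object streams are not visible to a raw byte scan, and binary stream data can occasionally produce a false match.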


  • SAP

    I have seen a PDF file containing some forms to fill in.

    There was some scripting involved which checked that the appropriate fields had been completed. Perhaps that is what Javascript is for.

    One advantage of using JS rather than inventing a new scripting language is that people don’t need to learn a new language.

    However, JS *should* have been added in such a way that it could only be used to affect elements within the PDF.

  • SAP

    I’ve just noticed that the Net Security article cited in the article specifically says that the Adobe Reader bug is the same as the previously discovered bug in Foxit.

    Foxit *was* affected by the bug (CVE-2008-1104), but it was fixed some time ago.

    So presumably Foxit Reader does support Javascript.

    Though it is much smaller and quicker to load than Adobe Reader.

  • John Kirkham

    Same as SAP said but I thought this problem was only tested & found in Foxit first up in the last week.

  • http://jrpcrepair.com Joel

    Even though the exploit doesn’t affect Adobe Reader version 9, it is good to disable JavaScript just in case. As for Foxit Reader, there must be a way to disable JavaScript also, or at least another version that covers this hole.

  • http://www.wellsfargo.com Steve RJ

    Early versions of Foxit reader did not support javascript. I know this because our company tested LockLizard viewer for secure PDF files, which we were told was based on the Foxit version 1 SDK, and javascript is not supported. In fact all active content is prevented from loading, but it only works with LockLizard protected PDF files. I guess we are back to the age old question of security vs usability…
