PDF Security Problem Becomes a Top Risk in May

Sue Marquette Poremba

I suppose I don't need to say that there are a lot of security risks lurking around our computers. But as Fortinet's May Threat Landscape report shows, you can never let your guard down when it comes to data security.


PDF used to be a trusted application, but I suppose "trusted application" is a term that doesn't mean much these days. In April, Adobe Acrobat issued a security risk alert that stated:

The attack leverages Adobe Acrobat and Reader's ability to launch other content and applications. Strictly speaking, the new attack vector isn't a flaw in Adobe's software but rather relies on social engineering to trick users into clicking on something they shouldn't, which could lead to arbitrary code execution.

Didier Stevens, who first reported the problem , said:

With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this (I don't use JavaScript in my PoC PDF), and patching Adobe Reader isn't possible (I'm not exploiting a vulnerability, just being creative with the PDF language specs).

(Note that Adobe has provided strategies to mitigate the problem while working on a fix.)


Because so many rely on PDF files for business use, perhaps it is no coincidence that Fortinet showed a new PDF exploit, PDF/Pidief.BV!exploit, being circulated in high volume through an ongoing spam campaign. (And Adobe released another security alert about PDF Reader today.)


Said Derek Manky, project manager, cyber security and threat research:

What sets PDF/Pidief.BV apart from other PDF threats we are seeing, is that it requires user interaction. More specifically, a user needs to click on the open' button when prompted by a dialog box to initiate the infection. This threat is another reason why it's imperative for users to carefully read these types of messages when they appear.

Add Comment      Leave a comment on this blog post

Post a comment





(Maximum characters: 1200). You have 1200 characters left.




Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.