Security issues with PDFs are nothing new, as a skim through past Adobe security bulletins and advisories indicates. (This isn’t a criticisim of Adobe: it’s inevitable that security issues will surface from time to time in sophisticated, function-rich software, and Adobe are clearly aware of the need to address the problems as they arise.)
In fact, we pointed in the 2008 End of Year Report (Global Threat Report) to this issue:
"Malware authors are making use of vulnerabilities associated with PDFs and other documents normally assumed to be trustworthy. Many people still seem confused about the fact that some data files contain executable code (as application-specific macros, or as embedded executables), making them potentially vulnerable to infection by malware. While Microsoft Office macro malware has declined in recent years, largely as a result of improved handling of the macro facility in recent versions of the product, data files continue to be used to introduce malware in major attacks like those spearheaded by the NCPH group."
Shadowserver Foundation have just released an interesting note on "a very severe vulnerability in Adobe Acrobat affecting versions 8.x and 9…being actively exploited" and this was closely followed by an Adobe advisory, describing a "Buffer overflow issue in versions 9.0 and earlier of Adobe Reader and Acrobat".
The Adobe advisory is pretty brief. It promises updates to Reader and Acrobat 9 by March 11th and to earlier versions in due course. It also recommends "that users update their virus definitions and exercise caution when opening files from untrusted sources."
Obviously, I’m not about to argue that you shouldn’t update your antimalware definitions. However, I’m not sure you should ever rely on antimalware as your only defence: you may have noticed that we’re great believers here in defence-in-depth. The second recommendation may sound reasonable, but it’s never safe to assume that a file is OK just because it comes from someone you know wouldn’t intentionally send you something malicious. Good intentions are one thing: being the unsuspecting channel for malware dissemination is quite another.
Furthermore, the attacks described by Shadowserver are targeted attacks, not random. It’s common for such attacks to customize the social engineering used to trick the recipient into opening the malicious attachment by making it appear to come from a trustworthy source, so telling us we should only trust people we trust doesn’t really help much. It might be more to the point to tell us not to trust our friends and workmates, unless we know that their knowledge of best security practice and technicalities is up to the mark.
If you do this, though, I’d suggest that you nevertheless keep track of this problem, in case the angle of attack changes. You might want to sign up for Adobe’s security notification service, for instance.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
Author David Harley, ESET