Security issues with PDFs are nothing new, as a skim through past Adobe security bulletins and advisories indicates. (This isn't a criticisim of Adobe: it's inevitable that security issues will surface from time to time in sophisticated, function-rich software, and Adobe are clearly aware of the need to address the problems as they arise.)

In fact, we pointed in the 2008 End of Year Report (Global Threat Report) to this issue:

"Malware authors are making use of vulnerabilities associated with PDFs and other documents normally assumed to be trustworthy. Many people still seem confused about the fact that some data files contain executable code (as application-specific macros, or as embedded executables), making them potentially vulnerable to infection by malware. While Microsoft Office macro malware has declined in recent years, largely as a result of improved handling of the macro facility in recent versions of the product, data files continue to be used to introduce malware in major attacks like those spearheaded by the NCPH group."

Shadowserver Foundation have just released an interesting note on "a very severe vulnerability in Adobe Acrobat affecting versions 8.x and 9...being actively exploited" and this was closely followed by an Adobe advisory, describing a "Buffer overflow issue in versions 9.0 and earlier of Adobe Reader and Acrobat".

The Adobe advisory is pretty brief. It promises updates to Reader and Acrobat 9 by March 11th and to earlier versions in due course. It also recommends "that users update their virus definitions and exercise caution when opening files from untrusted sources."

Obviously, I'm not about to argue that you shouldn't update your antimalware definitions. However, I'm not sure you should ever rely on antimalware as your only defence: you may have noticed that we're great believers here in defence-in-depth. The second recommendation may sound reasonable, but it's never safe to assume that a file is OK just because it comes from someone you know wouldn't intentionally send you something malicious. Good intentions are one thing: being the unsuspecting channel for malware dissemination is quite another.

Furthermore, the attacks described by Shadowserver are targeted attacks, not random. It's common for such attacks to customize the social engineering used to trick the recipient into opening the malicious attachment by making it appear to come from a trustworthy source, so telling us we should only trust people we trust doesn't really help much. It might be more to the point to tell us not to trust our friends and workmates, unless we know that their knowledge of best security practice and technicalities is up to the mark.

Shadowserver are suggesting that while malicious PDFs seen in the wild are exploiting an unspecified non-Javascript function call, disabling JavaScript in Adobe Reader will mitigate its effectiveness. Reader may crash, but the execution of the malicious code (and consequent theft of data) should be prevented.

If you do this, though, I'd suggest that you nevertheless keep track of this problem, in case the angle of attack changes. You might want to sign up for Adobe's security notification service, for instance.

Shadowserver point out that Javascript can be disabled in Acrobat Reader from Edit | Preferences | JavaScript by unchecking Enable Acrobat JavaScript. This works in all versions of Acrobat and Acrobat Reader that I have access to here,

David Harley
Director of Malware Intelligence