Safe Browsing: 10. PDF Security


10. PDF Security

PDFs, not browsers, are the number 1 delivery mechanism of malware on the internet today.

PDF is swiftly becoming the favored delivery mechanism for malware because most PDF readers allow execution of JavaScript without any security controls. Hackers are increasing their efforts to make malware bombs with their PDFs.  Here are a few relevant links:

PDF is a frighteningly effective delivery mechanism for shell code exploits, which explains why hackers are turning to PDFs in a big way. Most users open PDFs inside a browser window. The corrupted file opens and immediately crashes both the PDF reader and the browser. This gives the malware a bigger target for jumping into a usable area of memory. Usually, the browser and the reader will restart automatically without actually shutting down, and now the malware is resident in your browsing session, with full access to whatever you are doing in the browser and able to leverage the unsecured JavaScript engine in the reader.

In short, you're toast.

Securing your PDF reader is more important than securing any other application on your system, and it is not entirely clear that you can secure it. Most users have Adobe Reader installed, though others may be using alternative readers like Foxit. I will focus on the Adobe Reader as it is the one most in use and most susceptible to malware attacks. If you are using a reader besides Adobe, pay attention to the security points and be prepared to adjust comparable settings in your reader.

To secure your PDF reader, you first need to update it, and then go through the Preferences panel to turn off options that are security holes.

Check for Updates

Various security findings, such as the first one linked immediately above and in the Microsoft Security report linked earlier in How Do Exploits Happen?, point out that Adobe Reader, Flash and Shockwave viewers are rarely updated by end users. If you update your OS but don't update your commonly used software, you are still open to attack. Adobe has very recently begun improving their update mechanism to prompt you to update. Unfortunately, they will also force you to update on their time schedule and with little to no information about what they are updating.

To update, open Reader without a PDF and click Help/Check for Updates. Prepare to have your system taken over for a slow, resource-intensive update that requires a system restart.

Ang's Personal Opinion: Adobe updaters are some of the worst in the industry. If they weren't so awful to use, maybe people would update more often. Watch out for desktop and toolbar icons that weren't there before, browser toolbars you didn't install, trial software you did not authorize, and changes to your Adobe product settings you did not select. For example, my most recent update of Adobe Flash in Firefox resulted in the updater installing McAfee anti-virus trial software on my system. Adobe also has the habit of leaving older, insecure versions of their software on your system, which takes up disk space and makes you unsafe.  End opinion.

Adobe Reader Settings

These settings, taken together, will give you as safe a PDF reader as you can have with Adobe. They lock down features that hackers exploit and make Reader warn you when something funny happens.

To begin, open Adobe Reader and click Edit/Preferences in the menu bar. A pop-up window will open. The left-hand column lists categories. Click on a category to change the main screen. Working from top to bottom in the categories:

Documents

  • Check "Open cross-document links in same window".
    This prevents unnoticed spawning of new windows for malicious code.
  • Uncheck "Allow documents to hide menu bar, toolbars, and window controls".  
    Don't allow Reader to limit your control of the program.

General

  • In the Application Startup section of the General page, check "Use only certified plug-ins."
    Why take risks? At worst, you'll be notified the document you are trying to view wants to use uncertified plug-ins.

Forms

  • Uncheck "Always hide forms document message bar."
    If the form is sending you a message, you want to see it.

Internet

  • Uncheck "Display PDF in browser." 
    Keeping the PDF out of the browser keeps a malicious document from executing inside the browser window, possibly crashing it and/or taking control of the memory the browser is using.
    NOTE - Doing this disables "Allow fast web view" and "Allow speculative downloading in the background", which only function if you are using a browser to view the file.

JavaScript

  • Uncheck "Enable Acrobat JavaScript".
    Most PDF exploits use JavaScript. Very few PDFs make legitimate use of it. Just turn it off.

Enhanced Security

  • Check "Enable Enhanced Security."  
    This setting works with the next setting to control what can access files on your system. You need to set them both.

Trust Manager

  • Uncheck "Allow opening of non-PDF file attachments with external applications."
    This is a partial fix to prevent a malicious PDF from opening up embedded code that calls other applications.
  • Make sure that Internet Access is set to "Unless explicitly permitted, PDF files cannot send information to the Internet." If it does not say this, click the "Change Settings…" button and set the values to "Let me specify a list of allowed and blocked web sites," and "Always ask".
    This is to prevent a malicious PDF from sending information about you out to other systems, such as keystrokes or system information.

Updater

  • Set your updater to either "Automatically install updates" or else "Automatically download updates, but let me choose when to install them". 
    Make the setting match your usual update preferences.
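
The settings above switch off JavaScript, automatic actions and attachment launching inside Reader. As an added example (not part of the original article and not an Adobe tool), the Python script below checks a PDF before it is opened for the name keys that request those features. The list of keys, the function names and the `SAMPLE` document are this example's own choices, and `SAMPLE` is constructed.

```python
import re
import sys

# PDF name keys behind the features the settings above restrict.
RISKY_NAMES = {
    "JavaScript": "JavaScript action",
    "JS": "JavaScript source",
    "OpenAction": "action run when the document opens",
    "AA": "additional automatic actions",
    "Launch": "launches an external application",
    "EmbeddedFile": "embedded file attachment",
}

# A name is "/" followed by anything up to PDF whitespace or a delimiter.
NAME_TOKEN = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed sample: an open action that runs JavaScript, with the
# /JavaScript name written using a #xx escape, which PDF permits in names.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /J#61vaScript /JS (var constructed = 1;) >>\nendobj\n"
    b"%%EOF\n"
)

def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript reads as JavaScript."""
    plain = HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")

def scan_pdf(data: bytes) -> dict:
    """Count risky name keys in the raw bytes of a PDF. Names inside
    compressed streams are not seen, so an empty result proves nothing."""
    if b"%PDF-" not in data[:1024]:
        raise ValueError("no %PDF- header in the first 1024 bytes")
    counts = {}
    for match in NAME_TOKEN.finditer(data):
        name = decode_name(match.group(1))
        if name in RISKY_NAMES:
            counts[name] = counts.get(name, 0) + 1
    return counts

if __name__ == "__main__":
    for path in sys.argv[1:] or [None]:
        data = SAMPLE if path is None else open(path, "rb").read()
        for name, n in sorted(scan_pdf(data).items()):
            print(f"{path or 'SAMPLE'}: /{name} x{n} ({RISKY_NAMES[name]})")
```

Run it with one or more file paths as arguments; with no arguments it scans the built-in sample. A hit means the file asks for a feature the settings above disable, not that the file is malicious.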



Story Information

Author: Anglachel

Status: General

Completion: Complete

Era: Other

Genre: Research Article

Rating: General

Last Updated: 06/19/10

Original Post: 06/14/10
