PDF Security: obfuscated code, hackers and other threats

Hackers are finding increasingly inventive ways of exploiting holes in Acrobat.
The same rich content that makes PDF so useful to businesses can also make it a security risk. Embedding links, images, tables and media uses JavaScript and that allows PDF files to be exploited as an attack vector for hackers.

Although security software can scan for malicious code placed directly in the document, there are increasingly complex ways of obfuscating the code to hide the payload from scanners.


The usual defences of keeping browsers, security software and the Adobe Reader software itself up to date offer some protection. Adobe has released an update to address the specific vulnerability that was discovered and you should make sure all users have this.

You could disable the Adobe Reader browser plug-in but this will be so inconvenient for users that it’s not worth doing unless another vulnerability is discovered and you’re waiting for a security update. In Internet Explorer this can be done through the Tools > Manage Add-ons option and in Firefox this can be found under the Applications tab accessed via Tools > Options.

A better solution is JavaScript filtering in the firewall or on a security appliance, although you’ll need to set this up carefully to avoid problems on JavaScript-heavy Web sites, and you may need a procedure for unblocking PDFs with embedded content that users need to work with.

In the end, common sense and education are the best weapons. PDFs have to be specially created to exploit this vulnerability. Make users aware that there is a slight risk with PDF files and that they should treat emailed PDF documents they didn’t request with the same caution they use for other potential threats in email and attachments.

Adobe Security Update:

Adobe Reader Remote Heap Memory Corruption:


Show other articles by this author

Share |
Write comment
security image
smaller | bigger



Subscribe and get the magazine in the post before it's online

Subscribe and get access to all of the back issues

To read a sample eMagazine - March 2010



You want the PCs you support to have the right time for more reasons than keeping the users happy; for one thing, if every PC has a slightly different time, finding which version of a file was updated most recently gets much more complicated. Get your head around the Windows Time Service at, get the commands for making a PC get its time from the domain at and if you want a an alternative time server use to get the time from a random time server in the NTP Pool Project (read about the project at read more


Unified communications


The #1 Bestseller for Only 77p