PDF Security: obfuscated code, hackers and other threats

Hackers are finding increasingly inventive ways of exploiting holes in Acrobat.
The same rich content that makes PDF so useful to businesses can also make it a security risk. Embedding links, images, tables and media uses JavaScript and that allows PDF files to be exploited as an attack vector for hackers.

Although security software can scan for malicious code placed directly in the document, there are increasingly complex ways of obfuscating the code to hide the payload from scanners.


The usual defences of keeping browsers, security software and the Adobe Reader software itself up to date offer some protection. Adobe has released an update to address the specific vulnerability that was discovered and you should make sure all users have this.

You could disable the Adobe Reader browser plug-in but this will be so inconvenient for users that it’s not worth doing unless another vulnerability is discovered and you’re waiting for a security update. In Internet Explorer this can be done through the Tools > Manage Add-ons option and in Firefox this can be found under the Applications tab accessed via Tools > Options.

A better solution is JavaScript filtering in the firewall or on a security appliance, although you’ll need to set this up carefully to avoid problems on JavaScript-heavy Web sites, and you may need a procedure for unblocking PDFs with embedded content that users need to work with.

In the end, common sense and education are the best weapons. PDFs have to be specially created to exploit this vulnerability. Make users aware that there is a slight risk with PDF files and that they should treat emailed PDF documents they didn’t request with the same caution they use for other potential threats in email and attachments.

Adobe Security Update:

Adobe Reader Remote Heap Memory Corruption:


Show other articles by this author

Share |
Write comment
security image
smaller | bigger



Subscribe and get the magazine in the post before it's online

Subscribe and get access to all of the back issues

To read a sample eMagazine - March 2010



None of your customers are complaining about viruses, their network being slow or strange things happening on their new PDAs and laptops; is it time to take the afternoon off? Maybe, but before you do, make sure things will look as good next week by making sure you know what you’re defending against. Microsoft has a set of resources at covering the current threat landscape and showing ways to help protect your clients and their customers, including analyses of data collected from millions of users, strategies, mitigations and countermeasures. read more


Unified communications


The #1 Bestseller for Only 77p