Enterprise PDF attack prevention best practices

Malicious PDF exploits are at an all-time high. Should enterprises dump PDFs altogether? Expert Michael Cobb answers that question and offers his key enterprise PDF attack prevention tactics.

Given the wide deployment of Adobe Systems Inc.'s Adobe Reader (formerly Acrobat Reader), it's not surprising that hackers often target this software and the PDF files it uses.

What's of real concern, though, is the number of vulnerabilities that attackers uncover and their rate of success at exploiting them. According to McAfee Inc. Avert Labs, as of Q1 2010, malicious malformed PDF files are now involved in 28% of all malware directly connected to exploits.

So how do you protect your organization against PDF-based attacks? Should you block the use of PDFs altogether? That's what we'll focus on in this tip.

Taking that second question first, the use of PDFs as a means of information sharing is so widespread that for most organizations it would require major changes to internal applications, policies and procedures to effectively halt the internal use of PDFs. Since most other companies will continue to use PDFs for the foreseeable future, your organization would face the problem of how to distribute and share information with third parties. Realistically, because they are essential to normal business operations, the use of PDF files represents a necessary risk. This means that organizations need to implement and enforce best practices for handling PDF files.

To do this, first create an acceptable usage policy, which should clearly state that under no circumstances should PDF documents from unknown sources ever be opened. PDF-based attacks are reliant on the victim opening an infected PDF, so banning users from opening PDFs attached to spam or unexpected emails will greatly reduce the risk of infection. Such an action will have to be backed up by security awareness training sessions that focus on the sections of your security and acceptable usage policies that cover email and email attachments. A few wall posters highlighting the potential dangers of infected attachments wouldn't go amiss either.

But what if the email appears to have come from a colleague? Your policy should state that if the attachment was unexpected, the recipient should verify its authenticity with the sender prior to opening it. This can seem tedious, but senders can reduce the friction by sending recipients a short message beforehand saying that a PDF is on its way.

Another PDF attack vector is to trick users into visiting a malicious website, which invokes Adobe Reader to open an infected PDF document. Your acceptable usage policy and security awareness training should hopefully stop people from clicking on Web links in unsolicited emails, and your antivirus software should provide some form of URL filtering to alert users should they inadvertently browse to a known malicious site. However, they may still accidentally come across a malicious site in the course of their day-to-day tasks.

In order to ensure that the user is warned before a PDF is opened by their browser, instruct users to change how the browser handles PDFs. For example, with Firefox, this change can be made in the Tools>Options>Applications tab by changing the setting for PDF files to "Always ask."

Some question whether it is necessary to enable executable code embedded in a PDF document, or any type of document file for that matter. Realistically, it's unlikely that many users would miss this functionality if it were disabled; it is still possible to read a PDF document without JavaScript. If you feel your organization can do without it, disabling JavaScript within Adobe Reader will help prevent some of the more common exploits.
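The attachment policy above and the point about executable code in PDFs can both be backed by a technical check rather than left entirely to user discipline. The following is an added example, not code from the original article and not an Adobe or McAfee tool: a small triage script a mail gateway or help desk could run on a PDF attachment before it reaches a user. It scans the raw bytes for the PDF name objects that mark active-content features (JavaScript, actions that fire when the file is opened, launch actions, embedded files) and returns a verdict. The function names, the verdict labels and the sample PDFs are my own constructions for illustration; the scan never renders or executes anything in the file.

```python
"""Triage a PDF attachment for active-content features before delivery.

Added example (not from the original article). A pdfid-style keyword scan
over the raw bytes of a PDF: it looks for the name objects that indicate
JavaScript, automatic or event-triggered actions, launch actions and
embedded files, and returns a verdict a mail gateway or help-desk script
can act on. Names, thresholds and samples are constructed for this example.
"""
import re

# PDF name objects that indicate active content, with a short explanation.
RISKY_NAMES = {
    b"/JavaScript": "contains JavaScript",
    b"/JS": "contains a JavaScript code string or stream",
    b"/OpenAction": "runs an action automatically when the file is opened",
    b"/AA": "has additional (event-triggered) actions",
    b"/Launch": "can launch an external program",
    b"/EmbeddedFile": "carries an embedded file",
    b"/RichMedia": "embeds rich media content",
    b"/ObjStm": "has compressed object streams; names inside them are not "
               "visible to this scan and need a full parser",
}

# Names whose presence alone is enough to hold the file back from the user.
QUARANTINE_NAMES = {"/JavaScript", "/JS", "/Launch"}

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode the #xx hex escapes the PDF syntax allows inside name objects,
    so that a name written as /J#61vaScript is matched like /JavaScript.
    Applied to the whole file for simplicity; in binary stream data this can
    only cause the occasional extra match, never a missed one."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_name(normalized: bytes, name: bytes) -> int:
    """Count occurrences of a PDF name, requiring a delimiter or whitespace
    after it so that /JS does not match /JSX (a different name)."""
    pattern = re.escape(name) + rb"(?=[\s()<>\[\]{}/%]|$)"
    return len(re.findall(pattern, normalized))


def scan_pdf(data: bytes) -> dict:
    """Return {'is_pdf': bool, 'findings': {name: count}, 'verdict': str}.

    Verdicts (constructed labels): 'reject' if the bytes are not a PDF at all,
    'quarantine' if JavaScript or launch actions are present, 'warn' for
    other active-content features, 'allow' otherwise.
    """
    # Readers tolerate junk before the header, so look in the first 1 KiB.
    is_pdf = b"%PDF-" in data[:1024]
    normalized = normalize_names(data)
    findings = {}
    for name in RISKY_NAMES:
        count = count_name(normalized, name)
        if count:
            findings[name.decode()] = count
    if not is_pdf:
        verdict = "reject"
    elif QUARANTINE_NAMES & findings.keys():
        verdict = "quarantine"
    elif findings:
        verdict = "warn"
    else:
        verdict = "allow"
    return {"is_pdf": is_pdf, "findings": findings, "verdict": verdict}


# Constructed sample: a minimal PDF whose catalog has an OpenAction pointing
# at a JavaScript action, with the JavaScript name hex-escaped. Harmless
# content, present only to show the structure a scanner must recognise.
SAMPLE_JS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert('hello')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample: a one-page PDF with no active content.
SAMPLE_CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample: bytes that are not a PDF at all but arrived as one.
SAMPLE_NOT_PDF = b"MZ\x90\x00\x03\x00\x00\x00 this is not a pdf"


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, scan_pdf(fh.read()))
```

Run it as `python triage.py attachment.pdf` to see the findings for a real file. The scan is deliberately cheap and conservative: it is a first filter, not a parser, so a file that reports `/ObjStm` should go to a full PDF parser (or simply be treated as unexpected under the policy above) because compressed object streams hide the names this scan looks for.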

This kind of PDF attack -- and many other types of attacks as well -- can be successfully thwarted by ensuring that users aren't logged on to their systems with unnecessary elevated privileges. Few typical enterprise users need to have administrator rights on their PCs. This makes it a lot harder for an attacker to take complete control or cause widespread damage via a PDF exploit.

Obviously these security measures need to be augmented with regular patching and up-to-date antivirus, antimalware, and URL and spam filters, which should help stop all but zero-day attacks from reaching your users. Adobe has changed its approach to software security and is now modeling its Secure Product Lifecycle on Microsoft's Secure Development Lifecycle. It is also considering moving to a monthly patch cycle for Reader and Acrobat. These are positive developments, and hopefully the benefits of these changes will lead to a more secure set of products in the future, but in the meantime it's critical to adopt the PDF security best practices noted above to mitigate the potential dangers of using PDF documents.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.

This was last published in June 2010