Are PDF files safe to open? It depends. Don’t you hate when security people say things like that?
There are risks involved with PDF files, but you probably also can’t avoid PDFs entirely. So here’s what you can do to work with PDF files safely.
Are PDF files safe?
The problem with the PDF file format is that it allows so many different types of data. That’s also the reason people love it. You can create the document using whatever combination of exotic tools you want, then send it to someone, and it will look exactly as you intended under the best circumstances. Under the worst circumstances, it still looks a lot better than other file formats.
It’s also exceedingly difficult to tamper with them. When I worked for a security vendor, all the quotes I sent out were in PDF format. That kept a potential customer from changing the numbers and sending them back to me to try to give themselves a discount. Project managers use PDFs for the same reason, so when someone commits to something, it’s difficult for someone to change it. While it’s possible to import a PDF into certain programs and make changes, matching the formatting exactly is usually impossible.
That’s why PDFs are so popular. And it’s difficult to escape them. When you apply for a job, file any official form with the government, or fill out forms with HR at work every year, chances are some or all of them will be PDFs.
The problem with PDFs
The problem with PDFs lies with the programs we use to view and print them. Adobe Acrobat and Adobe Reader (also known as Acrobat Reader) are among the most notoriously insecure pieces of software in existence. As a vulnerability management professional who works with large companies to secure their networks, when I see a system with more than about 50 vulnerabilities, I always assume it’s been a while since the company updated Adobe Reader. When I look at the scan results, I’m usually right.
There are several alternative PDF readers that are faster and smaller than the bloated Adobe Reader, but those tend to have a fair number of vulnerabilities in them too, so you still have to keep them up to date. The alternative viewers can fly under the radar since not a lot of people are familiar with them.
Notably, PDF is one of the files the U.S. government doesn’t allow to be passed back and forth between classified and unclassified networks, because the NSA deems the file format too risky for that. It’s too easy to embed malicious software and evade antivirus software with it.
If the NSA that careful with PDFs, you should be too.
How to know if someone tried to hack you via a PDF
It’s hard to know for certain, since Adobe Reader can crash innocently. But if you open a PDF file, especially if someone sent it to you as an email attachment, and Adobe Reader instantly crashes, there’s a possibility that it was a malicious document. If that happens, try opening a different document that came from someone you trust (inside your company, or, say, any official form from IRS.gov) and see if Reader behaves. If that form also crashes, you need to reinstall Reader. But if that file works fine but the other file doesn’t, be suspicious. If this happens at work, call your helpdesk, and be ready to send the suspicious file to your security department’s incident response team, your company has one.
Security guys like me throw the word “exploit” around a lot but usually don’t explain it very well. An exploit is a bit of corrupt data that causes a program to crash, but it maintains control just long enough to get the program to run some malicious code in the process. The malicious code could do anything, but a common trick is to make it give the attacker a command prompt on your system from a remote computer. So when you open the malicious file, Adobe Reader crashes, but the malicious code runs and your antivirus program will probably never be the wiser.
How security professionals view PDFs safely
Security professionals don’t use Adobe Reader if they can help it. My current employer and my previous employer are both security companies, and neither company installed Adobe Reader on the laptop they provided me. They expected me to use Google Chrome to view PDFs.
There are things you can do to make Adobe Reader safer, like disable Javascript to reduce its attack surface. But frankly it’s a lot safer and easier to just use Chrome.
Chrome has security flaws too, but Google fixes them much faster than Adobe does, and Chrome auto-updates reliably. Chrome collects a lot of data, but much of that data is crash data, which allows Google to find and fix security issues very rapidly. I use Chrome to view PDFs and I recommend you do too.
So are PDF files safe to open? If you use Chrome they are.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.