Last Updated on August 21, 2017 by Dave Farquhar
I said Tuesday that it’s a bad idea to download and view PDF (Adobe Acrobat/Adobe Reader) documents from questionable sources, but I didn’t really elaborate on why, nor did I tell you how to view questionable PDFs safely.
The reason is that pretty much anybody with a little bit of determination and the ability to follow a recipe can plant a trap in a PDF file and use it to gain access to your computer. Adobe Reader is extremely prone to these kinds of attacks, and don’t think you’re safe if you don’t run Windows. There are toolkits that will inject traps that work on Macintoshes and Linux too.
Yes, your antivirus software should catch it. But most antivirus software doesn’t dig deeply enough into PDF files to find it.
Scared yet? You should be. You do have some options.
The big thing is to use something other than Adobe Reader to read PDF files. I recommend Google Chrome, as Google is faster about finding and fixing security issues and automatically updating. I used to recommend Foxit reader but not for security purposes anymore. Once Foxit attained popularity, people started finding security issues in it too.
Chrome can be picky about PDF filenames. Other than that it’s a great choice.
Alternative tools have most of the functionality of Adobe’s product, though they don’t always print as nicely as Adobe’s own. But if you care in the least about keeping your computer secure, never open PDFs from strangers using Adobe’s products.
For an extra layer of protection, run Windows 10. If you can’t run Windows 10, install EMET.
Microsoft has a reputation for writing extremely insecure software, but their track record has improved greatly over the last half decade or so. Adobe is in the position today that Microsoft was in around 2003 or 2004, and since most computers have at least Flash and the Adobe Reader installed, it’s a very effective method of attack.
Think like a bad guy for a minute. What easier way is there to build a collection of compromised computers to use to build a botnet? Just get a bunch of scanned books, plant software in them, and re-upload them. People will download them, and all they have to do is open the file once, and you have full control of their computer. Simple and effective.
Selling infected computers is a huge, profitable underground industry. It’s more profitable than sending spam, takes less work, and it’s harder to get caught.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.