Data on PDF Files Less Secured, Researcher Warns

Bob Styran, IT audit expert
January 04, 2011 /

PDF files, which are standard formats used by most businesses to keep their data presentation consistent across the web and computer environment, proved to be less secure as data displayed in this format can be changed depending on operating system platforms and browser, according to Julia Wolf.

Wolf, a security researcher at FireEye based in California, said in the 27th Chaos Computer Club conference in Germany last week that some functions of PDF files can be easily manipulated to direct attacks to targeted networks. For instance, programs in Acrobat Reader can be executed through database connections with poor security, which can start a scan on a certain network once PDF files are printed using that network’s printer.

This problem with the PDF files has been running for some time now but it went unattended before, Wolf said.

Other problems revealed by Wolf include script languages such as JavaScript, formats like XML, RFID tags and digital rights management, which she said are less secured nowadays in connection to PDF files. JavaScript extensible programming language allows PDF files metadata to be visible for reading and editing, Wolf claimed.

According to Wolf, the fact that PDF files can hide a host of data and codes, making it possible to integrate Flash, audio and video files, supports claims that there are possible points of attacks.

Most software used for IT security purposes such as scanners cannot detect the malware present in PDF files.

In response to these problems found in PDF files, Adobe is planning to mount a memory sandbox feature that will make execution of program codes more secured.

 

1 Comment for “Data on PDF Files Less Secured, Researcher Warns”

  1. Adobe Reader X shipped November 18, 2010 with the sandbox feature among many other security improvements. See http://blogs.adobe.com/asset/2010/11/adobe-reader-x-is-here.html for more details.

    Brad Arkin
    Senior Director, Product Security & Privacy
    Adobe Systems, Inc.

Share your opinion