Opinion: Collaborative effort needed to curb PDF security threats

By Thomas Park, General Manager of Korea Operations at Foxit Software
Feb. 2, 2023 8:10PM KST Updated Feb. 10, 2023 2:17PM KST

Portable Document Format (PDF) security is critical in today’s digital age because PDF is widely used as a standard for sharing documents with external parties. Created by Adobe’s founder in 1993, PDF has become a dominant file format for digital communication over the past 30 years. However, its ability to contain objects and files, while also allowing for the integration of XML or JavaScript, makes it a favored tool among threat actors, who use it as a decoy for payload downloading. It is for this reason that many cybersecurity experts jokingly say that “PDF” stands for “Payload Download Files.” Email recipients should be vigilant when opening attachments, as sophisticated phishing emails are a common tactic and the most widely used fake document is the PDF.

With Acrobat dominating the market, hackers targeted its security vulnerabilities. As Foxit gained market share, cybercriminals shifted their focus to attacking Foxit Reader, which is used by over 200 million people. In the past 5 years, more than 500 security vulnerabilities have been reported for both Adobe and Foxit, including those recorded in the Common Vulnerabilities and Exposures (CVE) database. While there are numerous other PDF readers on the market, hackers continue to focus on these two products due to their widespread use.

Cybercriminals often gain access by executing code or causing memory overflow, according to CVE reports. Many cases involving the addition of malicious links or objects are not included in these statistics, as reporting them is not necessary.

It is important to note that the majority of vulnerabilities are not unique to the major players in the PDF industry, which includes over 300 companies. As a result, all PDF vendors should promptly address security holes and issue patches through “Security Bulletin” notifications. Enterprise IT administrators should verify whether their company uses a PDF solution from an unnamed vendor that has no security bulletin system in place. In 2022, Foxit released 6 patches to address 116 issues, while Adobe released 5 patches to resolve 125 issues.

PDF readers often share common objects, modules, and image filters. If one component is compromised, the entire product is at risk. Hence, when a security vulnerability is detected in Acrobat or Foxit, it is likely that other unnamed PDF readers are also affected. In closed network environments where updates are not allowed, many on-premise PDF programs remain unsecured. A single point of infection, such as a malicious code, can compromise the entire system if it infiltrates the organization.

◇ Why has PDF become a prime target for hacking?

PDF is a popular target for hacking due to its widespread use as a file sharing format and its ability to integrate objects, JavaScript, and XML. JavaScript in PDFs can be used to execute code on a user’s device. If a vulnerability is present in either the JavaScript or the PDF viewer, an attacker may be able to gain access to the user’s device or network. Hackers can manipulate JavaScript to redirect users to phishing websites, ultimately tricking them into downloading and installing malware on their device.

Embracing XML offers users the ability to create interactive and multimedia-rich documents. With XML integration, PDFs can include metadata, FormData, and multimedia elements such as audio and video. However, it is important to note that improper use of XML can also introduce serious vulnerabilities. With the growing emphasis on digital transformation, PDF has the potential to expand its reach through its support for XML, bringing both benefits and potential security risks.

◇ Who are the good guys?

The Trend Micro Zero Day Initiative has played a significant role in patching vulnerabilities, accounting for nearly 30% of reported security hole discoveries. Other sources such as CNVD also make valuable contributions. However, the CVE database is considered to be only the tip of the iceberg, as many malicious actors choose to keep their exploits hidden in order to continue utilizing them for gain.

◇ How can we prevent attacks?

To ensure the security of a PDF reader, it is important for users to keep the program up to date. The Chief Information Security Officer (CISO) should regularly check for updates and apply any relevant patches as advised by the software’s security bulletin.

Perhaps most importantly, it is crucial for users to exercise caution when opening PDF files from untrusted sources or unexpected emails, and IT managers can help to enhance security by implementing regular internal training sessions in simulated environments. Another method for increasing security is to open PDF files in a sandboxed browser or virtualized environment. The use of browser extensions, such as NoScript or uMatrix, to block unwanted scripts and reduce attack surfaces is also advisable.

To limit the resources that a browser can load and execute, CISOs may implement a Content Security Policy (CSP). A Web Application Firewall (WAF) can offer monitoring and protection against both known and unknown web-based threats, such as SQL injection and cross-site scripting (XSS) attacks.

Furthermore, browser isolation technology can insulate the browser from the underlying operating system, providing protection against malware penetration and safeguarding sensitive data. The market includes a range of browser isolation vendors, including Ermind and Menlo. Organizations may also adopt the Content Disarm and Reconstruction (CDR) tool to sandbox files. This approach involves breaking down a PDF file into its constituent parts, analyzing each component for potential security threats such as malware, malicious links, and scripts, and then reconstructing the file using only the safe components.
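The CDR workflow described above, together with the JavaScript and open-action features flagged earlier, as an added example that is not the article's or Foxit's own code: a scanner that counts risky PDF names (handling the #xx hex-escaped spelling the format allows) and a same-length disarm step that neutralizes them while keeping the file's byte offsets valid. The watch-list and the sample PDF are constructed for this example.

```python
import re

# Watch-list of PDF names behind the risks the article describes: script
# execution, automatic actions, program launch, external links, embedded files.
# Constructed for this example, not any product's rule set.
RISKY_NAMES = ("JavaScript", "JS", "OpenAction", "AA", "Launch", "URI", "EmbeddedFile")

def _name_pattern(name):
    """Match /Name whether each letter is literal or #xx hex-escaped (both are legal)."""
    parts = [rb"(?:%s|#%s|#%s)" % (re.escape(c.encode()), b"%02x" % ord(c), b"%02X" % ord(c))
             for c in name]
    return re.compile(rb"/" + b"".join(parts) + rb"(?![A-Za-z0-9])")

PATTERNS = {name: _name_pattern(name) for name in RISKY_NAMES}

def scan_pdf(data):
    """Return {name: count} for every risky name found in raw PDF bytes."""
    found = {name: len(pat.findall(data)) for name, pat in PATTERNS.items()}
    return {name: n for name, n in found.items() if n}

def _swapcase_name(m):
    """Rewrite one matched name char-by-char with swapped case, keeping its byte length."""
    raw, out, i = m.group(0)[1:], bytearray(b"/"), 0
    while i < len(raw):
        if raw[i:i + 1] == b"#":  # hex-escaped char: re-encode the swapped char as #xx
            out += b"#%02x" % ord(chr(int(raw[i + 1:i + 3].decode(), 16)).swapcase())
            i += 3
        else:
            out += raw[i:i + 1].swapcase()
            i += 1
    return bytes(out)

def disarm_pdf(data):
    """Neutralize risky names in place. A same-length rewrite keeps every xref offset
    valid, so the file still opens and the reader ignores the now unknown keys.
    A full CDR product would instead rebuild the file from its verified parts."""
    for pat in PATTERNS.values():
        data = pat.sub(_swapcase_name, data)
    return data

# Constructed sample: a minimal PDF whose catalog runs JavaScript on open.
# /J#61vaScript is the hex-escaped spelling of /JavaScript; a reader decodes it.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
```

Running `scan_pdf(SAMPLE_PDF)` reports the JavaScript, JS and OpenAction names once each; after `disarm_pdf` the same scan reports nothing and the file length is unchanged.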

◇ What effort should be made by PDF vendors?

PDF vendors should focus intently on producing secure, enhanced code. The OWASP Top Ten Project offers guidance on the most pressing web application security risks. Organizations should also actively listen to the community for security vulnerability reports and implement incentive programs to motivate community participation.

Another option is to implement an early warning agent program from a third-party provider. Similar security enhancement utilities have been adopted by Hangul Word Processor (HWP) for pre-checking infected or modified files. When a user attempts to open a file, the third-party utility program checks for safety and only passes the process to the user if the file is verified as safe.

However, it is important to keep in mind that even with secure coding practices and the use of top libraries, PDF files can still be vulnerable due to external factors such as the PDF reader version being used or the environment in which the file is opened.

In conclusion, PDF remains a crucial medium of digital communication and will continue to dominate the digital world, thanks to its neutral management by the International Standards Organization. The ability to hold all types of digital assets is critical for PDF developers. But as the technology evolves, so too does the risk of hacking, leading to an ongoing arms race between hackers and vendors.

To ensure secure usage of PDF, users should seek out trusted vendors who offer timely patches in partnership with community research and an in-house security team dedicated to secure coding practices. Organizations should also provide access to secure products and internal security training.

To mitigate the security risks associated with PDF, a collaborative effort is needed among PDF vendors, white hat hackers, security solution providers, and users.

thomas_park@foxitsoftware.com

The content of this article was copyedited by Nate Galletta.


About the author

Thomas Park is the Korea General Manager at Foxit Software Inc., based in Fremont, California. He previously served as Country Manager at Trend Micro for 10 years, where he led the development and marketing of the anti-advanced persistent threat (APT) solution, Deep Discovery. Prior to that, he was the founder and CEO of Hancom Linux.