Something as simple as opening a PDF file can infect your computer, and potentially allow malicious hackers to gain access to your corporate network.
Cybercriminals create boobytrapped PDF files, exploiting vulnerabilities in PDF reading software such as Adobe Reader, and either spam them out to unsuspecting victims or plant them on websites where they lie in wait for visitors.
Just the simple act of opening the PDF file can exploit a vulnerability to automatically download malicious code from the internet, and display a decoy PDF file to trick you into believing that nothing wrong has happened.
Check out the following video by our own Chet Wisniewski, showing how a PDF can help hackers pwn your PC:
(Enjoy this video? Check out more on the SophosLabs YouTube channel.)
Hopefully videos like this will help remind people of the importance of keeping applications like Adobe Reader updated with the latest security patches, and not just their operating system.
If you want to learn more you can subscribe to our YouTube channel for similar videos. But even better than that, we hold regular “Anatomy of Attack” events where we demonstrate malware threats and you can meet Sophos experts face-to-face.
If there’s not an “Anatomy of Attack” event scheduled in your area soon, drop us a note and we’ll let you know if and when one is coming to your neck of the woods.
15 comments on “How PDFs can infect your computer via Adobe Reader vulnerabilities [VIDEO]”
Thanks for the very helpful information. I have learned more about PC security from SOPHOS than everyone else combined. Are you guys ever going to release a complete security software package like Norton 360 for the home user? Thanks for all the great tips.
A few years ago, I stopped using Adobe Reader due to the bloat, resource usage & the endless security flaws. I found Foxit Reader to be more streamlined & doesn't run when not in use if set up properly. I don't allow scripting etc & have it set up not to open pdf's while browsing. I know there's still risks, but as an older person who just uses the internet via one home pc & not shared, I think it's about as good as I can get it, as far as safety is concerned. I don't surf the kind of sites known for malware, although I know any site can be infected.
I have a routine each day before I start browsing, to update my security programs, then check FileHippo for new updates to programs I have installed. I also use Secunia's PSI program & have for a long while & the scores come up as 100%.
I think a good practice is to only have programs installed that are actually used & not just sitting there taking up space & likely not updated since they can easily be forgotten about. It helps a little to cut down on risks & may free up some resources too.
To be honest, I'm not sure why the average person that uses a pc for simple tasks needs a program as bloated as Adobe Reader.
Adobe Reader, Flash & Java hopefully in time will be replaced with safer alternatives, until then, I try to be careful about the settings on each.
I enjoy the daily topics by the way, thanks.
Incomplete article. Where is the discussion of the alternatives? Foxit Reader and SumatraPDF are both listed on Ninite.com which I always recommend to friends who get a new PC.
Well done. Very helpful. Video demos are the way to go for this kind of thing.
just uninstall the Adobe bloatware and use Foxit instead. it's faster and was built with a 'sandbox' which is turned on by default
Have I understood this correctly? Chet seemed to say that, because the malware was signed before the certificate's expiration date, it would continue to be counted as valid even when the certificate is subsequently revoked.
If that is how things work, it's not good. We can shut the stable door after the (Trojan) horse has bolted, but can't send the beast to the glue factory.
Thanks for the demo on the Adobe reader attack, excellent demo; just goes to show antivirus, firewalls and all protection applications need to be constantly kept <up to date>. I think its time to make all email's tracable back to source or they just does get delivered, shame we cannot get server to scan attachments for valid certificates.
The more we learn the more difficult it makes for professional and amateur virus writers.
I think governments should consider making hardware manufactures to be forced to install GPS systems into motherboards and processors so we can trace location of sender by difference between ethernet and GPS receiver times; we have advanced mobile detection now we need tracability on computers.
I think the author and demonstrator was saying if you do not have the latest updates installed, then your computer security certificates will be out of date, hence the virus runs and the chance the old certificate will still think it is valid. Updating all user applications on your computer with latest patches ensures all security certificates are <up to date> so your security systems knows if an old invalid or compromised centificate is used and it should been rejected and should be automatically reported to your security provider.
I'd like some clarification on the process of updating certificates. I know that there are new CRLs distributed as part of Windows updates – are these the only ones which are needed? Chet referred to downloading a list from Verisign – was that just because it was easier to check the serial number or is that something we need to do?
I use Evince with my Debian install, and i don't even worry about this nonsense. Of course, I don't worry about it anyway since i don't own an open door to attacks (Windows) or don't allow it online if I do.
Usually I don’t watch these because I can’t hear the sound. However, I was very happy to see the “CC” button and turned on closed captioning. But then I was totally disappointed once again because almost 10%-20% of the words were totally meaningless. Like this phrase at 1:24 in the video: “was a pediatric bark off clinic from david live better that’s going to be”. I tried to watch (read) the remainder of the video, but it only got worse. Really? That’s the BEST you can do? I was hoping to learn something today, which I did, mostly from the comments section.
But thanks for trying, maybe next time you’ll pay more attention to your work product. How about just a simple transcript for those of us who know how to read.
Apologies about that – it's probably Google's automatic voice-to-speech converter. YouTube seems to enable its own, unverified machine transcripts by default these days.
(As an aside – transcripts sound "simple", as you say, but they take ages to do properly. None of us here at Naked Security is a stenographer, so we type much more slowly and inaccurately than we speak. I know that's not an explanation – more of an excuse – but there you go 🙂
OK. Try now. I created a somewhat better transcript and uploaded it.
Please give us feedback on our non-machine transcripts, so we can improve the clarity, layout and timing. Transcripts are tricky when you have things which are written very differently from how they're spoken, such as "Notepad.exe" 🙂
Is this considered an .exe file? Will this prompt UAC if I don’t run in admin mode?
How about going back to basics let pdfs be pdfs why do we needs links and special script embedded in PDFS? A PDF should be a high res text/photo document and nothing else.