Pain and Malicious PDFs

The ubiquitous PDF, it just seems to be everywhere. With all of the recent hype surrounding a variety of exploits that have come to light in the last couple of weeks, many of our customers are asking about how to defend against malicious PDF documents. This is both a simple and a complex question.

The simple answer, and of course the least realistic, is to disallow PDFs altogether. However, as you might already suspect, this is nearly impossible in any modern enterprise. A couple of recent polls in customer enterprises showed that even when staff members said they didn’t use PDFs for anything in their day-to-day work, nearly all of them realized suddenly that PDFs were an important part of some process once PDF documents started to get blocked at the perimeter. Not one single organization that is a client has reported success at blocking PDF documents as a blanket solution.

So, if we can’t block something that may be dangerous, then we are back to that age old game of defense in depth. We’re going to need more than one single control to protect our organization against this attack vector. Sure, almost everyone has antivirus on their workstations and other systems, however, in this case, most antivirus applications show little progress in detecting many malicious PDF attack vectors. But, the good news is, that antivirus is as effective as usual at detecting the second stage of a malicious PDF attack, which usually involves the installation of malware. Some organizations have also started to deploy PDF specific heuristic-based solutions in their email scanners, web content scanners, firewalls and IDS/IPS systems. While these technical controls each have varying levels of strengths and weaknesses, when meshed together they do a pretty good job of giving you some detective and maybe preventative capability for specific known attack vectors using PDFs.

Obviously, you want to back up these technical controls with some additional human training, education and awareness. You want users to understand that a PDF can be as dangerous, if not more so, than many other common attachments. Many of the users we have talked to in the last few weeks have been surprised by the fact that PDFs could execute remote code or be harmful. It seems that many users trust PDF documents a lot more than they should. Given how many of the new PDF exploits work, it is a good idea to make your users aware they they should pay careful attention to any pop-up messages in the PDF reader and that if they are unsure about a message they should seek assistance before accepting or hitting OK/Continue.

Lastly, PDF attacks like the current ones in circulation, continue to show the importance of many of the projects in our 80/20 Rule of Information Security. By leveraging projects such as anomaly detection and enclave computing, organizations can not only reduce the damage that a successful client side attack can do, but they can give themselves a leg up on identifying them, blocking their sources and quarantining their victims. If you would like to discuss some of these approaches, please drop me a line or give us a call.

What approaches to PDF security has your organization found to be effective? If you have a winning strategy or tactic, leave us a comment below. As always, thanks for reading and be careful out there.

This entry was posted in General InfoSec by Brent Huston. Bookmark the permalink.

About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

Leave a Reply