Best Practice to Prevent PDF Attacks - SANS Internet Storm Center

Best Practice to Prevent PDF Attacks
I subscribe to Search Security at Tech Target and receive newsletters from them on a regular basis. It just so happens the one that I received today had an article about how Enterprise can prevent an attack due to PDF hacks. I just read through the article and found it a very good refresher on best practices for protecting against any malware spread by using any number of compromised attachments. It is human nature I guess, that we open attachments from folks we know and unfortunately even some we don't know. Often times these attachments contain more than we bargained for. Because Adobe is on every computer in the world (ok - maybe an exaggeration) it is a really big target. And because it is a really big target there are a number of vulnerabilities associated with one component or another. The article from Tech Target states: "According to McAfee Inc. Avert Labs, as of Q1 2010, malicious malformed PDF files are now involved with 28% of all malware directly connected to exploits." Considering the number of different possible attack vectors this 28% is huge. The article goes through some very common sense tips for protecting your organization. This article though focusing on misused PDF's can be used to protect against other potential attack vectors. Some may say this is old news and common sense and I won't disagree. But sometimes the old makes things new again. http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1513908,00.html?track=NL-422&ad=769731&asrc=EM_NLT_11739094&uid=6115703 Deb Hale Long Lines, LLC	Deborah 278 Posts ISC Handler
Reply Subscribe	Jun 9th 2010 8 years ago
One practice they didn't mention: Dump Adobe. For PDF reading, generation and editing there are some very good alternatives that are cheaper, less bloated and much more secure. You'll miss out on some multimedia functionality from Adobe 9 that nobody is using but you'll be safer for it! (see Nuance PDF Reader or Acrophobia for just two examples)	Anonymous
Reply Quote	Jun 9th 2010 8 years ago
The US-CERT Technical Cyber Security Alert TA10-159A has additional mitigations. Such as: Disable the display of PDF documents in the web browser, Prevent I.E. from automatically opening PDF documents, Disable Javascript in PDF. See: <a href="http://www.us-cert.gov/cas/techalerts/TA10-159A.html">US-CERT Technical Cyber Security Alert TA10-159A </a> Another good article for securing Adobe Reader suggests blocking multimedia in documents, blocking the launching of non-PDF attachments from inside a PDF, controlling plug-ins, restricting web sites in Trust Manager, removing Javascript execution privileges from menu items. See this article: <a href="http://www.techradar.com/news/internet/6-ways-to-protect-your-pc-from-rogue-pdf-files-592099">6 ways to protect your PC from rogue PDF files</a>	Anonymous
Reply Quote	Jun 9th 2010 8 years ago
Excellent article. Both disabling Javascript in Adobe Reader and discouraging users from opening questionable attachments can go a long way to protect users. I am glad that Adobe is responding to security risks appropriately. Paul Ciatto Consultant, Insource Technology "The postings on this site are my own and don't necessarily represent Insource 's positions, strategies or opinions."	Anonymous
Reply Quote	Jun 11th 2010 8 years ago
Thanks for your kind comments on my article Deb. Something I have learned from my many years in information security is that the need for refreshers is pretty much constant. Here's a good example: Back in 1998 I helped design and deliver online security training courses taken by over 10,000 employees. But yesterday I read that lax security at this very same company had led to the exposure of over 100,000 high profile customer email addresses. Clearly, security know-how within any organization needs constant reinforcement. New employees are constantly entering the workforce and need information security awareness training appropriate to their roles and what role in a company today does not require an employee to handle at least some information securely. Unfortunately, during tough times likes those from which we are now--hopefully--emerging, training and awareness programs tend to be neglected or under-funded. That means the problem of under-trained and under-aware staff will likely get even worse in the coming year as businesses emerging from the recession take on more new staff.	Anonymous
Reply Quote	Jun 15th 2010 8 years ago

I subscribe to Search Security at Tech Target and receive newsletters from them on a regular basis.  It just so happens the one that I received
today had an article about how Enterprise can prevent an attack due to PDF hacks. I just read through the article and found it a very good refresher
on best practices for protecting against any malware spread by using any number of compromised attachments.

It is human nature I guess, that we open attachments from folks we know and unfortunately even some we don't know.  Often times these attachments
contain more than we bargained for. Because Adobe is on every computer in the world (ok - maybe an exaggeration) it is a really big target. And
because it is a really big target there are a number of vulnerabilities associated with one component or another. The article from Tech Target states:

"According to McAfee Inc. Avert Labs, as of Q1 2010, malicious malformed
PDF files are now involved with 28% of all malware directly connected to exploits."

Considering the number of different possible attack vectors this 28% is huge. The article goes through some very common sense tips for protecting
your organization. This article though focusing on misused PDF's can be used to protect against other potential attack vectors.

Some may say this is old news and common sense and I won't disagree. But sometimes the old makes things new again.

http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1513908,00.html?track=NL-422&ad=769731&asrc=EM_NLT_11739094&uid=6115703

Deb Hale Long Lines, LLC

Deborah

278 Posts
ISC Handler

One practice they didn't mention: Dump Adobe. For PDF reading, generation and editing there are some very good alternatives that are cheaper, less bloated and much more secure.
You'll miss out on some multimedia functionality from Adobe 9 that nobody is using but you'll be safer for it! (see Nuance PDF Reader or Acrophobia for just two examples)

Anonymous

The US-CERT Technical Cyber Security Alert TA10-159A has additional mitigations. Such as: Disable the display of PDF documents in the web browser, Prevent I.E. from automatically opening PDF documents, Disable Javascript in PDF.

See: <a href="http://www.us-cert.gov/cas/techalerts/TA10-159A.html">US-CERT Technical Cyber Security Alert TA10-159A </a>

Another good article for securing Adobe Reader suggests blocking multimedia in documents, blocking the launching of non-PDF attachments from inside a PDF, controlling plug-ins, restricting web sites in Trust Manager, removing Javascript execution privileges from menu items. See this article:
<a href="http://www.techradar.com/news/internet/6-ways-to-protect-your-pc-from-rogue-pdf-files-592099">6 ways to protect your PC from rogue PDF files</a>

Anonymous

Excellent article. Both disabling Javascript in Adobe Reader and discouraging users from opening questionable attachments can go a long way to protect users. I am glad that Adobe is responding to security risks appropriately.

Paul Ciatto Consultant, Insource Technology

"The postings on this site are my own and don't necessarily represent Insource 's positions, strategies or opinions."

Anonymous

Thanks for your kind comments on my article Deb. Something I have learned from my many years in information security is that the need for refreshers is pretty much constant.

Here's a good example: Back in 1998 I helped design and deliver online security training courses taken by over 10,000 employees. But yesterday I read that lax security at this very same company had led to the exposure of over 100,000 high profile customer email addresses. Clearly, security know-how within any organization needs constant reinforcement.

New employees are constantly entering the workforce and need information security awareness training appropriate to their roles and what role in a company today does not require an employee to handle at least some information securely.

Unfortunately, during tough times likes those from which we are now--hopefully--emerging, training and awareness programs tend to be neglected or under-funded. That means the problem of under-trained and under-aware staff will likely get even worse in the coming year as businesses emerging from the recession take on more new staff.

Anonymous