PDF In-Depth

What you don't know about PDF can hurt you

About the Author
 

Duff Johnson

Since 2011, Duff has worked in the ECM industry specializing in PDF technology since 1995. An industry leader, Duff co-chairs the international committee that manages ISO 32000, the specification for the PDF file format. Responsible for marketing and product...


 

 
 

Editor's Note: Duff Johnson is the President of Netcentric US. This article originally appeared on Appligent.com, and has been reprinted with permission.

Perhaps the single most common myth about PDF files is the idea that they are "unchangeable". WRONG.

It's the single most common misunderstanding about the most common of file-formats.

In reality, PDF files are easy to change. They are also easy to annotate with comments, encrypt, digitally sign, make interactive, set up to communicate with servers, and much, much more.

They can also be corrupted with something nasty.

Until recently, these dangers were few and far between. More recently, as IBM's X-Force Report for 2009 makes clear in gory detail, both PDF and Adobe Systems have "taken a beating from attackers over the past one and a half years."

Let's review the problem, then discuss some solutions.

Problem 1: Most people think PDF files are inherently secure

PDF isn't a closed proprietary format; it's an open published standard, which makes it possible for some modes of attack to leverage the file-format itself. Until very recently, PDF was targeted far less than the Microsoft Office file formats. The 2009 X-Force Report makes clear that malicious PDF is on the rise, with more vulnerability disclosures about PDF than the various Office formats in 2009.

The most typical attack involving malicious PDF includes "trick" PDF files hosted on servers and emailed as spam or in targeted attacks. These assaults leverage the trust most users place in PDF; users are characteristically less suspicious of .pdf as compared to .doc or .ppt files.

Problem 2: The software

In a more innocent time, certain forms of attack were once considered software features. This is particularly true of so-called "XSS", or cross-site scripting attacks, in which users are spoofed into opening a "trick" PDF file that calls out to a server for various nefarious reasons.

The Acrobat JavaScript API offers an enormous range of options for developers of interactive PDF files including forms, presentations, training materials and more. In fact, the API is so powerful that it's become an invitation to hackers. Flash content, which may also be embedded in PDFs, presents similar vulnerabilities.

Using PDF viewers other than Adobe's Reader is no panacea for security concerns. Few third-party viewers include Adobe's comprehensive JavaScript API support and embedded Flash capabilities, but then again, they also don't have anything like Adobe's resources for detecting and addressing the threats. Of course, a third-party viewer may have fewer vulnerabilities as a function of its relatively limited features.
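A triage check for the embedded JavaScript and Flash described above, as an added example that is not from the original article: it scans a file's raw bytes for the PDF name keys that mark script actions, auto-run triggers and rich media, decoding `#xx` escapes so an obfuscated name still matches. The key list, function names and sample bytes are constructed for illustration, and content stored inside compressed object streams is not visible to a raw scan like this one.

```python
import re

# Name keys that signal active content (assumed list for this example):
# script actions, auto-run triggers, and embedded Flash / rich media.
ACTIVE_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/RichMedia")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A PDF name is '/' followed by characters that are not whitespace or delimiters.
_NAME = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")


def decode_name(raw: bytes) -> str:
    """Undo #xx hex escapes, so /J#61vaScript compares equal to /JavaScript."""
    decoded = _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def active_content(pdf_bytes: bytes) -> dict:
    """Count each active-content name found anywhere in the raw file bytes."""
    counts = {name: 0 for name in ACTIVE_NAMES}
    for match in _NAME.finditer(pdf_bytes):
        name = decode_name(match.group(0))
        if name in counts:
            counts[name] += 1
    return counts


def needs_review(pdf_bytes: bytes) -> bool:
    """True when any active-content name is present; route the file to analysis."""
    return any(active_content(pdf_bytes).values())


# Constructed sample: a catalog that runs an action on open, with the
# action type written using a hex-escaped name.
SAMPLE_ACTIVE = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /JS 4 0 R >>\nendobj\n"
)
# Constructed sample: a catalog with no active content.
SAMPLE_PLAIN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"

if __name__ == "__main__":
    print(active_content(SAMPLE_ACTIVE), needs_review(SAMPLE_PLAIN))
```

A hit means the file carries features worth a closer look before it is opened in a full-featured viewer; it does not by itself mean the file is malicious, since interactive forms use the same keys.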



