With all the Internet attacks that exploit Adobe Acrobat Reader people
should switch to using an alternative PDF reader, a security expert
said at the RSA security conference on Tuesday.
Of the targeted attacks so far this year, more than 47 percent of them
exploit holes in Acrobat Reader while six vulnerabilities have been
discovered that target the program, Mikko Hypponen, chief research
officer of security firm F-Secure, said in a briefing with journalists.
Just last month,
Adobe issued a fix for an Acrobat Reader hole that attackers had been
exploiting for months, after issuing a patch for a critical
vulnerability in Flash player the month before.
In 2008, the favored targeted attack vector was Microsoft Word, which
had 15 known vulnerabilities (compared to Acrobat Reader's 19) and
which represented 34.5 percent of the attacks (compared to 28.6 percent
for Acrobat Reader), he said.
Top-level executives, defense contractors, and other people who have
access to specific sensitive corporate or government information are
subject to targeted attacks where an attacker sends a file that has
malicious code embedded in it. Once the file is opened, the computer is
infected typically with a back door that then steals data.
PDF and Flash browser plug-ins are also used in attacks known as
"drive-by downloads" in which malware is surreptitiously downloaded
onto a computer while the user is surfing the Web. The number of PDF
files used in attacks rose from 128 between January 1 and April 16 last
year to more than 2,300 in that same time period during this year, said
Adobe should make security a priority, he said.
Adobe "has a lot to learn from, of all places, Microsoft," which offers
regular security patches on a monthly basis as part of Patch Tuesday,
Part of the problem is people don't expect that Acrobat Reader upgrades
necessarily contain important security patches like they do with
Microsoft software, he said.
Hypponen did not recommend a PDF reader, but said Acrobat Reader alternatives are listed on the PDFReaders.org Web site.