Tweet

The new zero-day vulnerability in Adobe Reader may have some people wondering if there’s a way to use Portable Document Format (PDF) files more safely. The answer is yes: you can reduce your risk in using PDF files. Here’s how.

First of all – and this can’t be stressed enough – keep your PDF reader up to date. Many popular PDF readers incorporate some sort of autoupdate function to make this easier for you. Be careful about downloading “updates” from unknown download sites, as frequently these turn out to be malicious. Use the built-in autoupdate feature or download directly from the developer’s website instead.

In addition, we won’t mention the usual bits of advice like don’t open suspicious files or websites, etcetera. Let’s assume that if an attack does occur, it will be by a reasonably non-obvious method, like Blackhole spam runs.

You can be exposed to malicious PDF files in many ways, but broadly speaking they can be categorized as either in the browser or out of it. In the browser attacks are just that – PDF files opened within browsers using either external add-ons or the browser’s own capabilities. Exploit kits are an example of how users can be exposed to PDF files in their browser.

By contrast, here is an example of out of the browser attacks: files which are saved onto the computer from a mail client or the browser and then opened in the PDF reader itself.

What you can do in the first case is reduce your usage of plug-ins to open PDF files. Both Google Chrome and Mozilla Firefox can use integrated PDF readers that make relying on external apps unnecessary. (For Chrome, it comes built-in; for Firefox it has to be downloaded as a separate add-on. To use these, it may be necessary to disable any plugins installed by PDF readers. The way to do this differs from browser to browser.

What about the second category of attacks – from PDF files opened in the readers themselves? One common recommendation is to avoid Adobe Reader, but that’s not a cure-all. Third-party readers are not immune to vulnerabilities either. Going to a different PDF reader can be thought of as a form of security through obscurity, which doesn’t offer much in the way of protection.

PDF readers also usually feature some sort of setting that increases the protections against malicious files, usually at the expense of some features. For example, Adobe’s Protected View setting in Reader opens PDFs in their own sandbox, making exploits more difficult at the expense of turning off features like printing, full screen viewing, and file saving. Other readers will have similar features with a similar trade-off: reduced features for improved security. These features are not always on by default, so it’s a good idea to check their current status and activate them as needed. However, these are not foolproof and may still be circumvented by a well-crafted exploit.

Much as was the case with Java, the key part to improving PDF safety is to remove it from the browser. Fortunately, this can be done (with some browsers) without removing any functionality. While no advice is 100% foolproof, these tips will help reduce the risks as much as possible.