You know by now not to open unexpected email attachments, but what if someone that appears legit sends you a PDF? How harmful can it be? As it turns out, very. This week a harmless-looking invitation to a Nobel Prize ceremony was a nasty piece of business indeed. When saved to a hard drive and opened, it sets up a backdoor so that the bad guys can take over your PC at will, all while you think nothing is going on. What is troubling is that this isn’t new.

This PDF exploit has been around for several years, yet it seems that it doesn’t get much attention from the general public. The security community is all over it. Here is a collection of articles that appeared on SearchSecurity.com earlier this summer that tells corporate IT folks how to secure these type of files.

And here is a video screencast that shows you the exploit in its gory detail.

So why hasn’t word gotten out? Why hasn’t Adobe fixed this issue? Well, they try, but the structure of the PDF format itself makes it hard to secure. It even has the nasty habit of saving revisions, so some hackers can go in and review previous versions and redacted text.

Yes, you can password-protect your PDFs. You can also sign them, so that your recipients know that they haven’t been tampered or forged by anyone in transit. But few people use these features. And because a PDF isn’t exactly an executable file, most of us are lulled into thinking that it is harmless.

As a test, go take a look and see if the version of Acrobat Reader on your PC is anywhere close to 9.4, which is the current one. I have seen people running version 5 or 6, which are years old – obviously, the older the version, the more likely it can be exploited. Take some time now to update your software to the current version.

And the next time you receive a PDF, take a moment to consider the consequences. Or use one of any number of free alternatives on Windows, or better yet, a Mac – its PDF viewer, the built-in Preview app, can’t be exploited as easily.

Read the original blog entry...