One of the main reasons people don’t like using Acrobat Reader for viewing PDFs is that it has historically been a popular target for hackers (and the updates that might prevent attacks are often slow and intrusive). However, according to Adobe itself, since the release of version 10 last year the number of vulnerabilities identified and exploited has dropped dramatically. The bad news? Those hackers are now looking towards Flash.
Speaking at the Kaspersky Security Summit in Malaga last week, David Lenoe, head of Adobe’s product security incident response team, said that since the introduction of sandboxing technologies (which limit the access granted to any executing code) in Acrobat X, the number of vulnerabilities identified has dropped dramatically.
“We haven’t seen anything that successfully penetrates the sandbox in the wild, and we have seen a significant reduction in targeted attacks. Of course there’s still older vulnerabilities still being exploited, but in terms of new zero-day vulnerabilities, since the introduction of sandboxing, we haven’t seen anything significant.”
That’s good news, though unfortunately it doesn’t mean the criminal types have been idle:
“As a consequence we’re seeing Flash zero days rather than Reader zero days. There’s been a shift to Flash player.”
As ever, keeping your software up-to-date ensures you’re less likely to be a target. Bear in mind also that there are still plenty of good alternatives to Acrobat Reader; I’m a big fan of the recently updated Nitro Reader, and there are other alternatives listed in our Hive Five of PDF tools.
Angus Kidman travelled to Malaga as a guest of Kaspersky Lab.