You may have noticed that when you download PDF (Portable Document Format)
files in Chrome, it will warn you that the file might harm your computer. On the surface, PDFs are seemingly harmless files containing
nothing more than text and images. But there's more to PDF files than most people realize. For example, PDF files can
contain scripts, embedded media and other such potentially malicious content.
It turns out that the PDF format is actually quite
complicated. It isn't just text and images as you might expect. It has a lot of
unnecessary features that have opened many security holes in the past.
JavaScript: PDFs support JavaScript code, which
is the same language that is used to display content in your web browser. This
allows them to be as dynamic as web pages. JavaScript code in PDF documents can
run automatically upon opening the document and has been known to exploit many
security holes in Adobe Reader. There are even many Adobe Reader-specific
JavaScript APIs, some of which are insecure and have been exploited.
Embedded Flash: Although Flash is a popular
technology, it has many security weaknesses, the very reason that
Apple has famously refused to allow Flash on its mobile products. Until April
10, 2012, Adobe Reader had its own internal Flash player. Now Adobe Reader uses
the version of Flash that is installed on your system. As long as you have the
latest version of both Adobe Reader and Flash, you should mostly be free from
any security risks.
Launching External Applications: Adobe Reader used
to have a feature where it could run any external application in the system by
asking for a confirmation through a pop-up window. If you clicked OK, you could
have opened a potentially malicious program. Adobe Reader no longer
supports this feature.
Embedded PDF files: Sometimes, a PDF file can contain an
embedded malicious PDF file. Although your antivirus would judge the outer PDF
to be not malicious, that PDF would launch the embedded malicious PDF once it
is opened. This fools antivirus scanners because they cannot detect the presence
of the hidden PDF file.
Embedded Media: Sometimes, PDFs can contain embedded
media players such as QuickTime player or Windows Media Player. Any security
holes in such media players can harm your computer.
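
As an added example (not part of the original article), this Python script triages a PDF for the features listed above by counting the matching dictionary names in the raw file, including names disguised with #xx hex escapes. The keyword-to-feature mapping, the function names decode_name and triage, and the sample bytes are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed mapping: PDF specification names -> the features listed above.
RISKY = {
    "/JS": "JavaScript",
    "/JavaScript": "JavaScript",
    "/OpenAction": "automatic action on open",
    "/AA": "automatic action on open",
    "/RichMedia": "embedded Flash or media",
    "/Movie": "embedded Flash or media",
    "/Launch": "launch external application",
    "/EmbeddedFile": "embedded file",
}

# A PDF name is '/' followed by characters that are not whitespace or delimiters.
NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r /<>\[\]()%{}]+")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_name(raw: bytes) -> str:
    """Undo #xx escapes, e.g. /J#61vaScript -> /JavaScript."""
    plain = HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")

def triage(pdf_bytes: bytes) -> Counter:
    """Count risky feature categories named in the raw bytes of a PDF.

    Only uncompressed objects are visible; names inside compressed
    streams are missed, so a clean result is not proof of safety.
    """
    hits = Counter()
    for match in NAME_RE.finditer(pdf_bytes):
        feature = RISKY.get(decode_name(match.group()))
        if feature:
            hits[feature] += 1
    return hits

# Constructed sample: a harmless fragment holding only the dictionary keys.
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /J#61vaScript /JS (placeholder) >> endobj\n"
    b"3 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
)

if __name__ == "__main__":
    for feature, count in triage(SAMPLE).items():
        print(f"{feature}: {count}")
```

A file that reports both JavaScript and an automatic action on open deserves closer inspection before it is opened in a full-featured reader.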
PDFs are now much safer
Although the PDF format has a lot of features that most people will never use, it is now much safer than it used to be. This is because Adobe has
introduced a new sandboxing feature called 'Protected Mode' in Adobe Reader X.
This restricts Adobe Reader to accessing only certain parts of the operating system.
That means that hackers will have to find two security holes: one in the PDF
viewer and another in the sandbox. Only then can they escape the sandbox and do
damage to the rest of the computer. This is very similar to Google Chrome's
sandboxing feature, where the browser isolates Chrome processes (tabs) from the
rest of the operating system.
You can also opt for one of the many third-party
PDF readers that don't have the above features. In fact, you don't even need a
PDF reader because Chrome and Firefox both have integrated PDF readers which
are pretty secure. In case you do opt for a PDF reader, just make sure that
it's updated to the latest version and you should be safe.