How to avoid malware and phishing scams in PDF files
Over recent years a wide range of concerns about the security of "standard" PDFs have been raised. Literally billions of PDF files are created and distributed every year and almost all are safe to view and use. However, a significant number of PDF files contain direct and indirect security concerns, so in this article we look at the main ones circulating today and how to avoid being caught out. Useful links are provided at the foot of this page.
In the sections below we discuss 5 areas of security associated with PDF files: Scripting, External links, Malware, Bloatware, and Adobe-style security settings:
External URL links: The majority of links to external websites included in PDFs are safe to use. Phishing scams relying on external link invocation are the most common form of security risk and may take several forms, not all of them obvious. The main security risks come from apparently valid links embedded in images: these may be fake CAPTCHA prompts (I am not a Robot... Continue), convincing-looking invitations to update your user records on a well-known web service (e.g. Microsoft, Apple etc.), or invitations to access a shared file on OneDrive, Google Drive or Dropbox. Whilst most of us are familiar with these kinds of scams in emails, they can be difficult to spot when accessed on phones or tablets, as the actual URL destinations are not easily visible (see more on mobile devices and phishing in the Lookout report linked at the end of this article), and whilst we may be wary of some emails we are not always as vigilant about the content of PDFs. Solutions: Ideally PDF readers should warn users if a rogue link is suspected and should display the details so the user can review the underlying URL. Increasingly this is a standard feature of current proprietary PDF readers, including Adobe reader and Foxit and now Javelin3 for Windows (latest versions). Other PDF readers generally do not provide this protection; this includes most if not all web browser display of PDFs (including Chrome and Safari), Apple's Preview PDF viewer and the SKIM PDF reader for Apple Mac computers.
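One way to surface the underlying URLs for review, as an added example that is not code from this article or from any of the readers it names: the Python sketch below lists the /URI link targets in a PDF, including those inside Flate-compressed object streams, and gives reasons to look twice at each. The sample bytes are constructed, and the checks in `review` are illustrative assumptions rather than what any particular reader implements.

```python
import ipaddress
import re
import zlib
from urllib.parse import urlsplit

# Constructed sample (not a real document): one link annotation stored in
# the clear and one URI action inside a Flate-compressed object stream.
_PACKED = zlib.compress(b"3 0 << /S /URI /URI (http://192.0.2.10/login) >>")
SAMPLE_PDF = (
    b"%PDF-1.7\n1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (https://example.com/docs\\(v2\\)) >> >> endobj\n"
    b"2 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode >>\n"
    b"stream\n" + _PACKED + b"\nendstream endobj\n%%EOF\n"
)

# /URI key followed by a literal string (unescaped nested parentheses not handled).
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\()])*)\)", re.S)
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)

def _inflated_streams(data):
    for match in STREAM_RE.finditer(data):
        try:
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not Flate data (image, font, encrypted stream)

def extract_link_targets(data):
    """Return /URI targets found in plain or Flate-compressed PDF objects."""
    urls = []
    for chunk in (data, *_inflated_streams(data)):
        for match in URI_RE.finditer(chunk):
            # Undo the backslash escapes \( \) and \\ used in PDF strings.
            raw = re.sub(rb"\\(.)", rb"\1", match.group(1), flags=re.S)
            urls.append(raw.decode("latin-1"))
    return urls

def review(url):
    """Illustrative checks only: reasons to show the user before opening url."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = [] if parts.scheme == "https" else ["not https"]
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass
    if "@" in parts.netloc:
        reasons.append("userinfo before the host name")
    return reasons
```

Encrypted PDFs and links given as hexadecimal strings are outside what this sketch reads.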
Bloatware: Although PDF readers like Adobe and Foxit have many advanced features, this very fact means that they are huge to download and require significant amounts of disk storage, and the large volume of code they ship provides a playground for hackers and criminals. Adobe reader DC on the PC requires almost 800Mbytes of disk space and Adobe Acrobat needs almost 2Gb; even the less functional Foxit reader comes as an almost 200Mb download and is over 500Mb when installed on a PC. Compare this to SumatraPDF at 20Mb and Javelin3 at 40Mb and the differences are stark, and smaller readers tend to render pages faster. On other platforms the situation is similar: Adobe reader on Android is over 160Mb, Foxit is over 200Mb, Javelin3 is 24Mb and ReadEra is 10Mb. On macOS computers current versions of Adobe reader require almost 600Mb of disk storage, Apple's Preview is roughly 40Mb (and is pre-installed with the operating system) and Javelin3 for macOS is just 3Mb (it uses the PDF Library provided by Apple as used in Preview and already installed on all macOS computers). On iOS/iPadOS the situation is similar, with Adobe reader coming in at a hefty 283Mb and Foxit at 156Mb, whereas the Javelin reader is under 10Mb.
Adobe-style PDF security settings: A somewhat separate issue is the usefulness of Adobe-style security settings. There are two types of setting: (i) password to open, which is designed to prevent access to PDF files by individuals who do not have the password; and (ii) permissions settings (e.g. permission to copy content, to print, to extract pages etc.), as illustrated below. The "Password to open" setting is supported in many, but not all PDF readers. However, the settings in both cases are of little real value as they can be removed by third party software and many small-footprint readers simply ignore the settings and permit these operations - for real content security and permissioning a DRM-protected security framework with strong encryption is required (e.g. DRuMlin, FileOpen, Adobe Content Server etc.).
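The permission settings described above are stored as a single integer, the /P entry of the file's /Encrypt dictionary, and it is left to the reader application to honour it. The following added example (not from the original article; the sample bytes are constructed and the function names are hypothetical) decodes that value so a publisher can see exactly what a file asks of a reader.

```python
import re

# Permission flags of the standard security handler (ISO 32000-1, Table 22).
# Bit positions are 1-based: bit 3 has the value 1 << 2.
PERMISSION_BITS = {
    3: "print",
    4: "modify contents",
    5: "copy or extract text and graphics",
    6: "add or modify annotations and form fields",
    9: "fill in existing form fields",
    10: "extract for accessibility",
    11: "assemble (insert, rotate, delete pages)",
    12: "print at full quality",
}

# Constructed sample, not a real file: the /O and /U entries are left out.
SAMPLE_PDF = (
    b"%PDF-1.6\n"
    b"7 0 obj\n<< /Filter /Standard /V 2 /R 3 /Length 128 /P -1852 >>\nendobj\n"
    b"trailer\n<< /Size 8 /Root 1 0 R /Encrypt 7 0 R >>\n%%EOF\n"
)

def decode_permissions(p):
    """Split the signed 32-bit /P value into allowed and denied operations."""
    bits = p & 0xFFFFFFFF  # /P is written as a signed integer
    allowed = [n for bit, n in PERMISSION_BITS.items() if bits >> (bit - 1) & 1]
    denied = [n for n in PERMISSION_BITS.values() if n not in allowed]
    return allowed, denied

def read_security_settings(data):
    """Return None for an unencrypted file, else the handler and its flags.

    Only an /Encrypt entry that points to an uncompressed indirect object
    is handled in this sketch.
    """
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", data)
    if ref is None:
        return None
    num, gen = ref.groups()
    obj = re.search(rb"(?<!\d)" + num + rb"\s+" + gen + rb"\s+obj(.*?)endobj",
                    data, re.S)
    p = re.search(rb"/P\s+(-?\d+)", obj.group(1)) if obj else None
    if p is None:
        raise ValueError("no /P entry found in the encryption dictionary")
    handler = re.search(rb"/Filter\s*/(\w+)", obj.group(1))
    allowed, denied = decode_permissions(int(p.group(1)))
    return {"handler": handler.group(1).decode() if handler else None,
            "allowed": allowed, "denied": denied}
```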
With the huge rise in the number of people working from home and ever increasing security concerns, there is a need for extra vigilance when it comes to all forms of electronic documents. For most users the extra functionality in the Adobe and Foxit PDF readers is rarely used and can pose a potential threat to security if not carefully managed. That having been said, there is no denying that these high-functionality offerings have obvious benefits that are not available in slimmer products (e.g. advanced signing), so it is a matter of balance which reader one selects as the default for opening third party PDFs. The Javelin3 for Windows reader is unique in that it combines a small footprint with high security and a wide range of functionality, including PDF document viewing with read-aloud, page manipulation, saving content as text and optional full DRM security.
- Adobe: security alerts for Adobe reader
- Adobe: Can PDFs have viruses?
- Foxit: security alerts for Foxit reader and Editor
- SumatraPDF reader for Windows downloads page
- Javelin secure PDF reader downloads page
- SKIM PDF reader for Mac downloads page
- PDF and DRM security Knowledgebase Wiki
- Global State of Mobile Phishing Report March 2023 (a PDF)
- Phishing stats article, Jan 2023
Javelin3 secure PDF reader with DRM support, Home page, Windows OS