How to avoid malware and phishing scams in PDF files

Over recent years a wide range of concerns about the security of "standard" PDFs have been raised. Literally billions of PDF files are created and distributed every year and almost all are safe to view and use. However, a significant number of PDF files contain direct and indirect security concerns, so in this article we look at the main ones circulating today and how to avoid being caught out. Useful links are provided at the foot of this page.

In the sections below we discuss 5 areas of security associated with PDF files: Scripting, External links, Malware, Bloatware, and Adobe-style security settings:

Scripting: PDF readers that support scripting using JavaScript or similar facilities (e.g. Adobe Reader and Foxit) run the risk that malware is embedded within the PDF file, with consequences ranging from minor to serious. Solutions: (i) use a PDF reader that does not support or permit embedded scripting; (ii) ensure your PDF reader has the latest updates - for example, Foxit 11 suffers from multiple vulnerabilities in this area and should be updated to Foxit 12 to avoid significant risk of malware infection; (iii) disable JavaScript in your PDF reader if it supports this option (e.g. open the Preferences settings, select JavaScript and untick the default action, which is to allow JavaScript to be run); or (iv) detect (scan) and disable or reject any PDF that is found to contain JavaScript content, whether it is OK or not! Some PDF readers do not allow, or simply ignore, such embedded scripting - amongst these are Javelin3 for Windows, SumatraPDF and a number of other PDF readers that are designed to be fast and small and to focus on core viewing functionality rather than add-ons and plugins - many mobile app PDF readers fall into this category. Open-source PDF readers, such as Sumatra and XPDF, have many fans, but being open source are at risk of modification and abuse, so lack of scripting support in the official releases does not alone ensure security in this area.
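Option (iv) can be approximated with a raw byte scan for the PDF names that introduce scripts and automatic actions. The sketch below is an added example, not code from this article or from any reader it mentions; the list of names, the verdict strings and the sample documents are assumptions constructed for illustration.

```python
import re

# PDF names treated as active content; this selection is the example's assumption.
RISKY = {b"JS", b"JavaScript", b"OpenAction", b"AA", b"Launch",
         b"EmbeddedFile", b"RichMedia", b"XFA"}
# Object streams are compressed, so names stored inside them are invisible
# to a raw byte scan: their presence means "cannot tell", not "clean".
OPAQUE = b"ObjStm"

NAME = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")   # a PDF name token
HEXESC = re.compile(rb"#([0-9A-Fa-f]{2})")                  # #xx escape inside a name


def decode_name(raw: bytes) -> bytes:
    """Undo #xx escapes so that /J#53 and /JS compare equal."""
    return HEXESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_pdf(data: bytes) -> dict:
    """Count risky names in raw PDF bytes and return a verdict."""
    counts = {}
    for m in NAME.finditer(data):
        name = decode_name(m.group(1))
        if name in RISKY or name == OPAQUE:
            key = name.decode("ascii")
            counts[key] = counts.get(key, 0) + 1
    found = sorted(k for k in counts if k != OPAQUE.decode())
    if found:
        verdict = "reject"            # policy (iv): reject whether it is OK or not
    elif counts:
        verdict = "inconclusive"      # only object streams seen: needs a real parser
    else:
        verdict = "no-active-content-found"
    return {"verdict": verdict, "found": found, "counts": counts}


# Constructed samples (not real documents).
SAMPLE_JS = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
             b"3 0 obj\n<< /S /J#61vaScript /J#53 (app.alert\\(1\\);) >>\nendobj\n%%EOF\n")
SAMPLE_OBJSTM = (b"%PDF-1.5\n4 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Length 0 >>\n"
                 b"stream\n\nendstream\nendobj\n%%EOF\n")
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for label, pdf in [("js", SAMPLE_JS), ("objstm", SAMPLE_OBJSTM), ("plain", SAMPLE_PLAIN)]:
        print(label, scan_pdf(pdf))
```

Because the scan matches bytes anywhere in the file, it can flag harmless documents, which fits a reject-on-sight policy; a file reported as inconclusive has to be unpacked by a full PDF parser before it can be cleared.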

External URL links: The majority of links to external websites included in PDFs are safe to use. Phishing scams relying on external link invocation are the most common form of security risk and may take several forms, not all of them obvious. The main security risks come from apparently valid links embedded in images - these may be fake CAPTCHA prompts (I am not a Robot... Continue) or convincing-looking invitations to update your user records on a well-known web service (e.g. Microsoft, Apple etc.) or to access a shared file on OneDrive, Google Drive or Dropbox. Whilst most of us are familiar with these kinds of scams in emails, they can be difficult to spot when accessed on phones or tablets as the actual URL destinations are not easily visible (see more on mobile devices and phishing in the Lookout report linked at the end of this article) ... and whilst we may be wary of some emails we are not always as vigilant about the content of PDFs. Solutions: Ideally PDF readers should warn users if a rogue link is suspected and should display the details so the user can review the underlying URL. Increasingly this is a standard feature of current proprietary PDF readers, including Adobe Reader and Foxit and now Javelin3 for Windows (latest versions) - other PDF readers generally do not provide this protection - this includes most if not all web browser display of PDFs (including Chrome and Safari), Apple's Preview PDF viewer and the SKIM PDF reader for Apple Mac computers.
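Where the reader does not show link destinations, the underlying URLs can be listed before the file is opened. The following is an added example, not code from this article or from any of the readers named; the notes it attaches to each link are this example's own review heuristics and the sample annotations are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Simplification: nested unescaped parentheses and octal escapes are not handled.
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\()])*)\)", re.S)  # /URI (text)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")                # /URI <hex>
ESCAPE = re.compile(rb"\\(.)", re.S)


def link_targets(data: bytes) -> list:
    """Return the target of every /URI action stored uncompressed in the file."""
    urls = [ESCAPE.sub(rb"\1", m.group(1)) for m in URI_LITERAL.finditer(data)]
    for m in URI_HEX.finditer(data):
        digits = b"".join(m.group(1).split())
        # An odd number of hex digits is padded with a trailing 0.
        urls.append(bytes.fromhex((digits + b"0" * (len(digits) % 2)).decode()))
    return [u.decode("latin-1") for u in urls]


def review(url: str) -> dict:
    """Show the host a link really goes to, plus notes worth a second look."""
    notes = []
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""
    except ValueError:
        return {"url": url, "host": "", "notes": ["unparseable URL"]}
    if parts.scheme != "https":
        notes.append("not https")
    if parts.username is not None:
        notes.append("text before '@' is not the destination")
    try:
        ipaddress.ip_address(host)
        notes.append("host is a raw IP address")
    except ValueError:
        pass
    return {"url": url, "host": host, "notes": notes}


# Constructed link annotations (documentation-only addresses, not real sites).
SAMPLE = (b"5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 300 80]\n"
          b"/A << /S /URI /URI (http://accounts.example.com@203.0.113.7/verify) >> >>\nendobj\n"
          b"6 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 90 300 120]\n"
          b"/A << /S /URI /URI <" + b"https://example.org/docs".hex().encode() + b"> >> >>\nendobj\n")

if __name__ == "__main__":
    for target in link_targets(SAMPLE):
        print(review(target))
```

Links stored inside compressed object streams are not visible to this scan, so an empty result does not prove that a file has no links.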

Javelin3 link protection

Malware and Trojans: Malicious code embedded in PDF files cannot be detected before the file is opened and JavaScript is not the only embedded facility that can cause serious problems - embedded videos and forms can also result in external calls to rogue sites and/or, worse, risk malware access to the local device and network. Solutions: (i) As was noted earlier, using a secure, up-to-date PDF reader is vital. If this is Adobe Reader or Foxit, the most widely used providers, it is essential that the reader is kept 100% up-to-date. This also applies to the editor-enabled versions of these readers. Secure PDF readers like Javelin3 for Windows should not suffer from this kind of issue because PDF readers of this type do not process embedded code on opening and are also less susceptible to other forms of sustained attack owing to their lower profile in the market; (ii) Modern security software can often scan downloaded files and attachments before they are opened, so in many (not all) cases malware can be detected and removed or quarantined before there is any risk from opening the file, so up-to-date security software is vital and almost universal these days.

Bloatware: Although PDF readers like Adobe and Foxit have many advanced features, this very fact means that they are huge to download and require significant amounts of disk storage, plus the large volume of code issued provides a playground for hackers and criminals. Adobe Reader DC on the PC requires almost 800Mbytes of disk space and Adobe Acrobat needs almost 2Gb; even the less functional Foxit reader comes as an almost 200Mb download and is over 500Mb when installed on a PC. Compare this to SumatraPDF at 20Mb and Javelin3 at 40Mb and the differences are stark - and smaller readers tend to be faster at rendering pages. On other platforms the situation is similar: Adobe Reader on Android is over 160Mb, Foxit is over 200Mb, Javelin3 is 24Mb and ReadEra is 10Mb. On macOS computers current versions of Adobe Reader require almost 600Mb of disk storage, Apple's Preview is roughly 40Mb (and is pre-installed with the operating system) and Javelin3 for macOS is just 3Mb (it uses the PDF Library provided by Apple as used in Preview and already installed on all macOS computers). On iOS/iPadOS the situation is similar, with Adobe Reader coming in at a hefty 283Mb and Foxit at 156Mb; however, the Javelin reader is under 10Mb.

Adobe-style PDF security settings: A somewhat separate issue is the usefulness of Adobe-style security settings. There are two types of setting: (i) password to open, which is designed to prevent access to PDF files by individuals who do not have the password; and (ii) permissions settings (e.g. permission to copy content, to print, to extract pages etc.), as illustrated below. The "Password to open" setting is supported in many, but not all, PDF readers. However, the settings in both cases are of little real value, as they can be removed by third-party software and many small-footprint readers simply ignore the settings and permit these operations - for real content security and permissioning a DRM-protected security framework with strong encryption is required (e.g. DRuMlin, FileOpen, Adobe Content Server etc.).

Adobe protection

Conclusion

With the huge rise in the number of people working from home and ever increasing security concerns, there is a need for extra vigilance when it comes to all forms of electronic documents. For most users the extra functionality in the Adobe and Foxit PDF readers is rarely used and can pose a potential threat to security if not carefully managed. That having been said, there is no denying that these high-functionality offerings have obvious benefits that are not available in slimmer products (e.g. advanced signing), so it is a matter of balance which reader one selects as the default for opening third party PDFs. The Javelin3 for Windows reader is unique in that it combines a small footprint with high security and a wide range of functionality, including PDF document viewing with read-aloud, page manipulation, saving content as text and optional full DRM security.


Useful links


Javelin3 secure PDF reader with DRM support, Home page, Windows OS

Javelin3