Portable Document Format (PDF) files are one of the most popular text documents around, with thousands of PDF documents being passed around daily. Despite the format’s widespread use, the reality is that PDF files are a security nightmare that you would be much better off avoiding.
No matter what kind of file you attempt to open, there is always the concern that the application used to read it may have a vulnerability that can be exploited using malicious code hidden in the file. Adobe PDF has a number of pitfalls when it comes to security because it suffers from a number of bugs that can be exploited by hackers and cybercriminals.
In fact, PDF is so fraught with security problems that the best thing to do is not use the format at all. Firstly, PDF documents often contain third-party reader formats such as Adobe LiveCycle, time-limited PDFs, JavaScript (multimedia via Flash), rich content (like embedded fonts), and XObjects. In addition, PDFs can contain attachments, which various PDF readers may or may not be able to open.
All of these things increase the attack surface for a PDF document. For the uninitiated, the best way to visualize it is as code stacked upon code. Each layer gives hackers another place to look for bugs, which they can then exploit to inject malware onto your system. Basically, PDF files are feature rich, which pretty much makes them a playground for cybercriminals who can easily hide malicious code in them.
Add to this the fact that the official Adobe Acrobat reader is well known to be extremely vulnerable to attacks - with a total of 643 vulnerabilities discovered so far - and you start to understand why it is better to give PDF a wide berth.
PDF Security Advice
The best way to avoid problems arising from malicious PDF payloads is to avoid using PDFs as much as you can. When looking for a book online for free, you are likely to quickly stumble upon a PDF. The best thing to do is ignore this version of the text and instead keep searching for a version in TXT, HTML, ODF, or RTF.
Another option is to use Google's 'cache' link to display the PDF in plaintext. To do this: perform a Google search for the page you are interested in and click the green down arrow on the right-hand side of the site's URL. Next click "Cached" to see the cached version of the PDF in plain text.
This will work most of the time; however, sometimes there will not be a "Cached" option in the green arrow drop down (you will only see the option "Similar"). In these cases, your best bet is to download the PDF version and convert it to plain text yourself. This can be achieved using pdftotext. To do so, simply run pdftotext Appendix.pdf and it will create an Appendix.txt with all the plain text in it. This avoids opening the PDF directly, which could trigger arbitrary malicious code hidden in it.
Safely Extract Images
If instead of text, it is images that you need to extract from a PDF file - you can use pdfimages to extract them. pdfimages is a PDF image extractor tool that can save any images contained within a PDF file to PPM, PBM, JPEG or JPEG 2000 formats. It is part of the poppler utility library, which you will need to install if you want to use it.
If the PDF you are extracting from is a mix of text and images, using the tools above might make it unreadable (or at least a pain in the ass). If this is the case, you can use the pdftoppm tool from the poppler utility library to convert the PDF pages into PNG images.
Mac Users
For anybody using a Mac, there is an excellent tool called PDFMate PDF Converter. It is a PDF tool with a lot of useful functions. It allows Mac users to convert PDF files to HTML, EPUB, SWF, Word, Text and JPG format. It also has the capability to convert scanned PDF documents with Optical Character Recognition (OCR). Best of all: it’s free! (Just in case you are wondering: yes, it is also available for Windows.)
Alternatives to Adobe Acrobat
As previously mentioned, Adobe Acrobat is extremely buggy. This is because the program is very large and is bloated with exploitable code. In fact, vulnerabilities discovered in Acrobat have been increasing year on year with 130 vulnerabilities discovered in 2017 alone.
If you are thinking: "Oh no! But I need to open a PDF!" Then don’t worry, because there are options available to you that will improve your security.
An obvious method for avoiding falling victim to an exploit for Adobe Acrobat is to use a different PDF reader. Nowadays, there are a lot of PDF readers available and some are better than others.
If you only need to view a PDF then your best option is SumatraPDF. It is one of the best minimal viewers for Windows, and it is Open Source. If you also need to be able to annotate PDFs, Foxit is a good option for Windows, Mac and Linux. Xournal is another recommended option.
Android and iOS Acrobat Alternatives
If you are using an iPad or iPhone (iOS) or Android device, then you can get a version of Foxit instead of Acrobat. It is the most secure option for reading PDF files on a mobile device that I know of.
Admittedly it can be a bit tougher to convert and extract PDF files on a mobile device, so, for optimal security, it is probably best to stick to a PC or Laptop whenever handling PDFs (if possible).
Please be aware that even these less bloated PDF readers can be exploited by hackers. For example, a Foxit PDF security flaw has previously exposed a dangerous remote attack. Security issues in Foxit’s PDF Reader allow a hacker to execute arbitrary code by running unauthorized and malicious JavaScript on a user’s computer.
These kinds of exploits are unavoidable because of the feature-heavy nature of PDF files. Luckily, there are a few more things you can do to minimise your risks while using one of these PDF readers:
- Turn off all scripting in your PDF reader.
- In your firewall, block all outbound/inbound internet access to your PDF reader. This will stop malicious code from communicating with a Command and Control (CnC) server.
- Open the PDF in a virtual machine.
- Open the PDF on an old laptop or phone with nothing significant on it and without internet access.
How to Check if a PDF has a Virus or Malware
Do you want to check if a PDF file you have been sent contains malware? To do so, scan the PDF file with a local anti-malware program such as ClamAV or Malwarebytes. (Only the premium version of Malwarebytes will do it automatically, but you can scan a PDF manually with the free version by right-clicking on the PDF file -> Scan with Malwarebytes).
Whatever you do, please don’t scan PDFs with a cloud-based antivirus/malware program (or use online document converter websites). Online services are bad for privacy because they can easily harvest any sensitive information contained in your document. Always perform scans and conversions locally.
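A local check can also look for the features listed earlier (JavaScript, attachments, Flash rich media, LiveCycle forms) without opening the file in any reader. The script below is an added example, not part of the original article; the list of names it flags and the SAMPLE bytes are choices made for this illustration.

```python
import re
import sys

# PDF name objects behind the features this article lists as attack surface.
RISKY_NAMES = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "embedded JavaScript",
    b"/OpenAction": "action run when the document opens",
    b"/AA": "additional automatic actions",
    b"/Launch": "starts an external program or file",
    b"/EmbeddedFile": "file attachment",
    b"/RichMedia": "Flash or other rich media",
    b"/XFA": "LiveCycle (XFA) form",
    b"/ObjStm": "compressed object stream that can hide other names",
}
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A name runs from "/" to the next PDF whitespace or delimiter character.
_NAME = re.compile(rb"/[^\x00\t\n\f\r ()<>\[\]{}/%]+")

# Constructed sample: the /JavaScript name is hidden with a #61 escape for "a".
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
    b"4 0 obj\n<< /S /J#61vaScript /JS (constructed placeholder) >>\nendobj\n"
    b"%%EOF\n"
)


def normalize_name(raw: bytes) -> bytes:
    """Decode #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def triage_pdf(data: bytes) -> dict:
    """Count risky names in raw PDF bytes; nothing is parsed or rendered."""
    if b"%PDF-" not in data[:1024]:
        raise ValueError("no %PDF- header in the first 1024 bytes")
    counts = {}
    for match in _NAME.finditer(data):
        name = normalize_name(match.group(0))
        if name in RISKY_NAMES:
            key = name.decode("ascii")
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, hits in sorted(triage_pdf(blob).items()):
        print(f"{hits:4d}  {name:14s} {RISKY_NAMES[name.encode('ascii')]}")
```

An empty result does not prove a file is clean, because names stored inside compressed object streams or encrypted documents are invisible to a byte scan. Use it as a quick triage step alongside the anti-malware scan and conversion described above.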
Secured PDFs - Conclusion
When it comes to PDF files, you are best keeping them at arm's length. PDFs are extremely vulnerable to exploits and it would be nice if, eventually, people stopped using them altogether. Although it does help a bit, even using alternatives to Adobe Acrobat leaves you vulnerable to attacks by hackers. Weaponized PDFs even allow cybercriminals to take full control of host computers.
The best way to stop this from happening is to start complaining when you receive a PDF. If you get sent a PDF, let the person who sent you the file know that PDFs are insecure and that you would prefer a different format. By doing this, hopefully, people will begin to leave this terrible format behind.
In the meantime: scan and convert PDF files, or extract contents. Use alternatives to Adobe Acrobat and turn off scripting in your PDF reader to minimize your risks as much as possible. In addition, always be sure to check who an email came from or that you trust the website where the PDF is coming from.