The vast majority of PDF viewers are vulnerable to a variety of attacks, according to researchers at Ruhr University Bochum in Germany in a 2021 study. These techniques exploited standard features of PDF that are generally familiar to most hackers. In the most serious cases, researchers were able to execute code remotely, read data and manipulate it. Fortunately, a number of solutions are available for these vulnerabilities.
PDF viewers that are built into applications like web browsers were much less vulnerable to attack than standalone viewers, since browsers already have their own security. Integrated viewers were only vulnerable to relatively minor attacks like denial of service (DoS) attacks. The PDF viewers integrated into the Edge and Safari browsers were the most secure, and were the only ones to resist all exploits out of the 28 viewers that the researchers tested.
Windows viewers were generally more vulnerable than those for the Linux and MacOS operating systems. However, iSkysoft and PDFelement were only vulnerable to DoS attacks. The weakest PDF viewers tested were PDF-Xchange Viewer and PDF-Xchange Viewer for Windows, which were vulnerable to eight of the 10 attacks that the researchers tested.
Remote code execution is the most damaging type of vulnerability for a PDF viewer since it allows hackers to run any program they want. Many of the tested viewers implemented code execution by design in a straightforward manner by simply following the PDF reference. This dangerous feature allows users to launch an application without appropriate precautions such as requiring the user to confirm the action. As a result, a file embedded within the PDF document could execute a malicious file, whether it was located on the local machine, a shared network or the internet. Six of the 18 Windows viewers tested were vulnerable to this exploit.
The disclosure of information from a PDF file could allow attackers to monitor a PDF file’s use by creating a connection to the attacker’s when a user opens the file. This action could provide the attacker with document data, local files and New Technology LAN Manager (MTLM) credentials. This type of attack was fully successful against three PDF viewers and partially successful against three others. The techniques that researchers used exploited various specifications of the PDF standard such as accessing files on the host system and embedding external files. They considered the attack a success if they were able to read files on the user’s local machine and send those files to the attacker.
Data manipulation attacks against a PDF viewer generally involve modifying form data and displaying content based on the specific viewer. They also exploited ambiguities in the PDF standard regarding the submission of form data to external webservers, allowing attackers to write to local files. Specific exploits included using the manner in which documents reference themselves to create an infinite loop, which is a type of DoS attack. This exploit is similar to the older zip bomb attack that compresses stream objects instead of zip files.
The publishers of the PDF viewers should have already addressed the most serious of these vulnerabilities. Many of the minor problems such as form modification are really features that probably don’t require a remedy. The most effective solution for the remaining problems is usually to use viewers that are integrated into browsers, rather than native, third-party viewers.
The complex data format of PDF results in many possible exploits, indicating a need for more user training. For example, most Office users already know that their files can contain macros that perform malicious actions, but relatively few PDF users are aware that their files have a similar capability.