Adobe PDF Patches Combat Rising Exploits


Security Featured Article

February 17, 2010


By David Sims
TMCnet Contributing Editor

Timed to coincide with Adobe delivering the latest patches for its popular PDF viewer, a security firm said it reckons malicious Reader documents made up “80 percent of all exploits at the end of 2009.”
 
Industry observer Gregg Keizer reported that according to ScanSafe of San Bruno, California, “vulnerabilities in Adobe’s Reader and Acrobat applications were the most frequently targeted of any software during 2009, with hackers’ PDF exploits growing throughout the year.”

 
The Inquirer’s Edward Berridge reported that Adobe “has released emergency updates to patch a pair of critical vulnerabilities in its popular PDF viewing and editing software.”
 
Adobe “ranked both bugs as critical,” Berridge said: “Last week we were told that the software outfit would issue rush patches for Adobe Reader and Adobe Acrobat.”
 
Over the course of 2009, Keizer says, the incidence of malicious PDF files increased, accounting for 56 percent of all exploits tracked by ScanSafe in the first quarter of 2009, rising to above 60 percent in the second quarter and over 70 percent in the third, and topping out at 80 percent in the fourth quarter.
 
Saying the update “tackles a brace of serious flaws,” The Register’s John Leyden noted that “the cross-platform Reader and Acrobat update fixes a vulnerability in the domain sandbox of the PDF technology that opens the door to possible exploits, more specifically unauthorized cross-domain requests. In addition the update addresses a critical flaw that creates a mechanism for hackers to inject hostile code” onto vulnerable systems.

“PDF exploits are usually the first ones attempted by attackers,” Mary Landesman, a ScanSafe senior security researcher, told Keizer, who said she was referring to the multi-exploit hammering that hackers typically give visitors to malicious Web sites. “Attackers are choosing PDFs for a reason. It’s not random. They’re establishing a preference for Reader exploits.”
 
Landesman confessed she wasn’t sure why it was increasing. “Perhaps they are more successful. Or maybe it’s because criminal attackers are human, too. We respond when we see a lot of people going after a particular product. We all want to go after that product, too. In the attacker arena, they might be thinking, ‘Gee, all these reports of Adobe Reader zero-days, maybe I should get in on them too.’”
 
In 2009, 107 Adobe vulnerabilities were logged into CVE, nearly double the 58 added in 2008 and almost triple the 35 reported in 2006, Landesman noted.

David Sims is a contributing editor for TMCnet.

Edited by Marisa Torrieri

