Malicious PDFs
Zotero is great for storing, syncing and sharing PDFs, but do users of Zotero worry that some of these PDFs may be vectors for computer malware? I haven't seen any discussion of this issue on these forums.
ScanSafe's most recent Global Threat Report states that PDF exploits accounted for 80% of all exploits via the web in Q4 2009, up from 56% in Q1 2009. Going into 2010, PDFs appear to be the primary means by which computers are compromised via the Internet. Traditional anti-malware tools don't appear to be very successful at preventing infection via malicious PDFs. The primary protection appears to be 1. keep Acrobat patched and 2. turn off JavaScript in Acrobat.
You can also use PDF readers other than Adobe's; I personally recommend Skim for Macs and Foxit for Windows. These other readers are unlikely to be affected by the same security issues, and they offer nice features like annotation, even in their free versions.
So I guess my question is where's the evidence that this is "like living next to the Mississippi and worrying about your bathroom faucet flooding your house"? There's lots of evidence to the contrary. The ScanSafe analysis I cited above was based on an analysis of a trillion Web requests processed in 2009 (ScanSafe is a division of Cisco). Here's a link to the ScanSafe report (in PDF!) and items from a few other assorted sources discussing the high risk associated with PDFs:
http://www.scansafe.com/downloads/gtr/2009_AGTR.pdf
http://www.sans.org/top-cyber-security-risks/
http://www.blade-defender.org/eval-lab/
http://securityblog.verizonbusiness.com/2010/02/25/troubled-times-with-adobe-acrobat/
http://www.infoworld.com/d/security-central/attacks-spur-regular-security-updates-adobe-642
http://www.infoworld.com/d/security-central/adobe-social-networking-will-be-top-targets-hackers-in-2010-715
"...most of the PDFs you'll encounter in using Zotero are from fairly reliable, trustworthy article databases". How do you know that an online database is trustworthy? Lots of online databases are susceptible to SQL injection attacks. Would you download a PDF from the websites of the Wall Street Journal, New York Times, PBS? All these sites and many more widely trusted sites were hacked in 2009. And do people really restrict themselves to downloading from "trustworthy databases" anyway?
Using an alternative to Adobe Acrobat/Reader probably does help, but don't think that alternatives aren't also associated with vulnerabilities. Alternatives are also subject to similar vulnerabilities. Foxit, the main alternative, also runs JavaScript and has its own problems with serious vulnerabilities, e.g. see http://www.foxitsoftware.com/pdf/reader/security.htm
Sean presumably means that the threat posed by PDFs and other attack vectors via Zotero is not the main concern. The threat posed by PDFs and other attack vectors in general, via normal web browsing, is what you and other users should keep in mind. Zotero will not protect you, and it will not aggravate the problem.
Do you have concrete concerns with anything that falls into the realm of Zotero's functionality?
What I asked was whether "users of Zotero"--a program, which among other uses, is used to obtain, store, manage and share PDF files--are concerned that PDFs have become a major vector for malware. Apparently, some are not.
Yes, the risk of PDFs isn't specific to Zotero use, but given that the management of PDFs in Zotero is a significant feature for many users, and given that Zotero is a web application that allows for the easier distribution of information, including PDF files, and therefore is potentially a means by which malicious PDFs might spread more widely across users and machines than would have otherwise been the case, I think the issue I raise is pertinent to users on this forum.
I suppose I am slightly concerned - but there is not much I can do about it given that PDFs are the de facto standard in my field. I of course take the standard precautions:
Beyond that I don't worry about it, knowing that I can recover from a major infection with minimal hassle (speaking relatively) - worst comes to the worst, boot from my Acronis bootable CD and restore my most recent system image.
Oh, and boot from an Ubuntu LiveCD beforehand to grab any important documents I changed after my last backup.
There is one real (if tangential) issue here, that viruses could spread via Zotero's group functionality. But that's true of any sort of file sharing or distribution. The (imperfect) solution is to (1) know your sources and (2) scan for viruses.
Alex: Same point as above. Using anti-virus is a good idea but it isn't much of a defense. I think there is less, maybe considerably less, risk with some sources than others, but even on legitimate sites you need to be careful as legitimate sites are often targeted precisely because they are trusted by users. Most current malware works by exploiting misplaced trust and social engineering.
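An added example, not part of the thread and not Zotero code: the thread names JavaScript in PDFs as the thing to switch off and suggests scanning shared files, so this sketch triages a folder of stored PDFs for script and auto-action name tokens, decoding `#xx` hex escapes first. The sample byte strings are constructed, and the folder to scan is whatever path you pass in.

```python
import re
from pathlib import Path

# PDF name tokens that mark script or automatically triggered actions.
ACTIVE_NAMES = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch")
_NAME = re.compile(rb"/[^\x00\t\n\f\r ()<>\[\]{}/%]+")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed sample inputs (not real documents): one inert, one whose
# names are hex-escaped, which defeats a plain substring search.
PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SCRIPTED = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /S /J#61vaScript /J#53 (void 0;) >>\nendobj\n")


def active_names(data: bytes) -> dict:
    """Count active-content name tokens in raw PDF bytes."""
    counts = {name: 0 for name in ACTIVE_NAMES}
    for match in _NAME.finditer(data):
        # /J#53 and /JS are the same name to a PDF reader; normalise first.
        token = _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]),
                                match.group())
        name = token.decode("latin-1")
        if name in counts:
            counts[name] += 1
    return counts


def scan_tree(root) -> dict:
    """Return {path: counts} for every *.pdf under root with any hit."""
    flagged = {}
    for path in sorted(Path(root).rglob("*.pdf")):
        counts = active_names(path.read_bytes())
        if any(counts.values()):
            flagged[str(path)] = counts
    return flagged


if __name__ == "__main__":
    import sys
    # The directory argument is an assumption: point it at your PDF folder.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for pdf, hits in scan_tree(root).items():
        print(pdf, {k: v for k, v in hits.items() if v})
```

Names hidden inside compressed object streams are not visible to this raw scan, so a clean result is not proof of an inert file. A hit only means the PDF carries active content worth a closer look before it is opened or shared.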