Malicious PDFs

Zotero is great for storing, syncing and sharing PDFs, but do users of Zotero worry that some of these PDFs may be vectors for computer malware? I haven't seen any discussion of this issue on these forums.

ScanSafe's most recent Global Threat Report states that PDF exploits accounted for 80% of all exploits via the web in Q4 2009, up from 56% in Q1 2009. Going into 2010, PDFs appear to be the primary means by which computers are compromised via the Internet. Traditional anti-malware tools don't appear to be very successful at preventing infection via malicious PDFs. The primary protection appears to be 1. keep Acrobat patched and 2. turn off JavaScript in Acrobat.
  • No. This would be like living next to the Mississippi and worrying about your bathroom faucet flooding your house.
  • In other words, Zotero isn't really related to this issue. You can take some solace in knowing that most of the PDFs you'll encounter in using Zotero are from fairly reliable, trustworthy article databases.

    You can also use PDF readers other than Adobe's. I personally recommend Skim for Macs and Foxit for Windows. These other readers are unlikely to be affected by the same security issues, and they offer nice features like annotation, even in their free versions.
  • Interesting. My first reaction is that this is exactly why PDFs have become such an important vector for malware: users think there is little risk. Couple that with Acrobat/Reader being full of critical security bugs, ubiquitous use, and few users bothering to promptly install security patches (if ever), and Adobe Acrobat/Reader is an online criminal's best friend.

    So I guess my question is: where's the evidence that this is "like living next to the Mississippi and worrying about your bathroom faucet flooding your house"? There's lots of evidence to the contrary. The ScanSafe analysis I cited above was based on an analysis of a trillion Web requests processed in 2009 (ScanSafe is a division of Cisco). Here's a link to the ScanSafe report (in PDF!) and items from a few other assorted sources discussing the high risk associated with PDFs:
    http://www.scansafe.com/downloads/gtr/2009_AGTR.pdf
    http://www.sans.org/top-cyber-security-risks/
    http://www.blade-defender.org/eval-lab/
    http://securityblog.verizonbusiness.com/2010/02/25/troubled-times-with-adobe-acrobat/
    http://www.infoworld.com/d/security-central/attacks-spur-regular-security-updates-adobe-642
    http://www.infoworld.com/d/security-central/adobe-social-networking-will-be-top-targets-hackers-in-2010-715

    "...most of the PDFs you'll encounter in using Zotero are from fairly reliable, trustworthy article databases". How do you know that an online database is trustworthy? Lots of online databases are susceptible to SQL injection attacks. Would you download a PDF from the websites of the Wall Street Journal, New York Times, PBS? All these sites and many more widely trusted sites were hacked in 2009. And do people really restrict themselves to downloading from "trustworthy databases" anyway?

    Using an alternative to Adobe Acrobat/Reader probably does help, but don't think that alternatives aren't also associated with vulnerabilities. Alternatives are also subject to similar vulnerabilities. Foxit, the main alternative, also runs JavaScript and has its own problems with serious vulnerabilities, e.g. see http://www.foxitsoftware.com/pdf/reader/security.htm
  • Regardless, this is not related to Zotero. At all. Yes, people's computers can be infected. No, Zotero does not take special precautions against this. The most that might be worth asking for is virus scanning on files in Zotero File Storage. Everything else is in the realm of operating system security software and reliable PDF readers.

    Sean presumably means that the threat posed by PDFs and other attack vectors via Zotero is not the main concern. The threat posed by PDFs and other attack vectors in general, via normal web browsing, is what you and other users should keep in mind. Zotero will not protect you, and it will not aggravate the problem.

    Do you have concrete concerns with anything that falls into the realm of Zotero's functionality?
  • I didn't suggest that Zotero take "special precautions against this". I'm not sure what the Zotero people could do that would be effective, aside from including some basic end-user security education on their site. It's not really their problem.

    What I asked was whether "users of Zotero"--a program, which among other uses, is used to obtain, store, manage and share PDF files--are concerned that PDFs have become a major vector for malware. Apparently, some are not.

    Yes, the risk of PDFs isn't specific to Zotero use, but given that the management of PDFs in Zotero is a significant feature for many users, and given that Zotero is a web application that allows for the easier distribution of information, including PDF files, and therefore is potentially a means by which malicious PDFs might spread more widely across users and machines than would have otherwise been the case, I think the issue I raise is pertinent to users on this forum.
  • edited March 18, 2010
    Well, to answer your question:

    I suppose I am slightly concerned - but there is not much I can do about it given that PDFs are the de facto standard in my field. I of course take the standard precautions:

    • I don't use Acrobat - I use Bluebeam for editing and PDF X-Change Viewer for viewing.
    • I have up-to-date on-access virus protection.
    • I take a complete system image to an external drive at least once a week, and backup critical files manually as I work on them.
    • In case something really goes badly wrong I have the system recovery discs near at hand.

      Beyond that I don't worry about it, knowing that I can recover from a major infection with minimal hassle (speaking relatively) - worst comes to the worst, boot from my Acronis bootable CD and restore my most recent system image.

      Oh, and boot from an Ubuntu LiveCD beforehand to grab any important documents I changed after my last backup.
  • Zix, it sounds as though you are going to bring up a product solution. Out beating the bushes?
  • To state the obvious, for academics, sources like JSTOR can generally be trusted. If you're downloading random PDFs from warez sites, that's another story. If you're concerned about this as a general problem, it's a virus-scanning issue.

    There is one real (if tangential) issue here, that viruses could spread via Zotero's group functionality. But that's true of any sort of file sharing or distribution. The (imperfect) solution is to (1) know your sources and (2) scan for viruses.

    ________________
    ( and run linux! )
    ----------------
    o
    o
    .--.
    |o_o |
    |:_/ |
    // \ \
    (| | )
    /'\_ _/`\
    \___)=(___/

  • Mark: I don't think there are any product solutions. Anti-virus and the usual tools for scanning for malware are very bad at identifying malicious PDFs. The most effective solution is simple and free: keep up-to-date with patches and turn off JavaScript in your PDF reader (or use one that doesn't support JavaScript).

    Alex: Same point as above. Using anti-virus is a good idea but it isn't much of a defense. I think there is less, maybe considerably less, risk with some sources than others, but even on legitimate sites you need to be careful, as legitimate sites are often targeted precisely because they are trusted by users. Most current malware works by exploiting misplaced trust and social engineering.
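
Added example, not part of the thread or of Zotero: a small triage script that lists which PDFs in a folder declare JavaScript or automatic actions, that is, the files affected by the "turn off JavaScript" setting discussed above. The folder argument and the sample byte strings are constructed assumptions, and a hit means "contains active content", not "is malicious".

```python
import re
import sys
from pathlib import Path

# Names that make a PDF "active": embedded JavaScript or automatic actions.
ACTIVE_NAMES = {"JS", "JavaScript", "OpenAction", "AA", "Launch"}

_STREAM = re.compile(rb"stream\r?\n.*?endstream", re.S)
_NAME = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /J#61vaScript is read as /JavaScript."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count active-content names that appear outside stream bodies."""
    # Stream bodies are usually compressed; random bytes there would
    # otherwise produce false hits on short names such as /AA.
    body = _STREAM.sub(b"", data)
    names = [decode_name(m.group(1)) for m in _NAME.finditer(body)]
    hits = {n: names.count(n) for n in ACTIVE_NAMES if n in names}
    return {
        "hits": hits,
        "flagged": bool(hits),
        # Objects packed into /ObjStm are compressed and not visible here.
        "object_streams": names.count("ObjStm"),
    }


# Constructed sample fragments (not real documents).
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SAMPLE_ACTIVE = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /JS (constructed placeholder) >>\nendobj\n"
    b"4 0 obj\n<< /Length 8 >>\nstream\nxx/AA yy\nendstream\nendobj\n"
)

if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for pdf in sorted(root.rglob("*.pdf")):
        result = triage_pdf(pdf.read_bytes())
        if result["flagged"] or result["object_streams"]:
            print(pdf, result["hits"], "objstm:", result["object_streams"])
```

A file that reports object streams but no hits has not been cleared, because names inside compressed objects are not inspected by this raw scan.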