Adobe Reader: Will new version block hackers or tempt them?


Here's a distinction no software company craves: For two quarters running, Adobe's popular Acrobat and Reader software have been the favorite target of hackers around the globe. According to Symantec's quarterly threat assessment, attacks related to PDF usage accounted for 36 per cent of malicious activity in the most recent quarter and 57 per cent in the preceding three months.

Indeed, yet another widespread attack struck just last week, targeting Flash Player, Reader, and Acrobat on Windows, Mac, Linux, and Solaris. The vulnerability, Adobe reports, can cause affected systems to crash and allows attackers to take control of them.

Fortunately, though, help is on the way. By the middle of November, Adobe expects to launch version 10 of Acrobat Reader, built upon a technology known as "sandboxing." Simply put, the program will run inside a kind of digital shell that keeps it from interacting with the rest of the computer -- unless it has explicit permission from a feature called the broker. I'll explain how this works in a bit.

There's a rather nasty twist to the latest attack. According to Adobe, it appears to target the latest version of Reader, version 9, while ignoring older versions. That's something of a slap in the face to conscientious users who follow the advice of Adobe and other software vendors to keep up with the latest version of their programs.

PDF Safety Tips

The good thing about Adobe's PDF format is that nearly everybody uses it -- and if you just need to read those documents, it's free. Sadly, the program's very popularity is what attracts the bad guys. Hackers, say the security experts, look for a "target-rich environment," and with tens of millions of users, Acrobat and Reader fit the bill.

I've never heard a compelling argument that Adobe's products are inherently insecure, or simply poorly designed, but from a consumer's point of view, it really doesn't matter. Having a chunk of malware dropped on your computer is always bad news.

So what can you do to stay secure? I wish I had advice that went beyond the conventional wisdom, but I don't. I contacted security experts at Adobe and Symantec, and they both said pretty much the same thing. Marc Fossi, Manager, Research and Development, Symantec Security Response, said this:

1. Consumers should make sure to keep their software up-to-date with all the most recent versions and security patches at all times. An easy way to do this is to ensure that applications are configured to retrieve updates automatically whenever there is a live Internet connection.

2. Using a full security software suite that includes antivirus and intrusion prevention capabilities can also protect against these types of threats.

Sure, Symantec is in the business of selling security software, so naturally they'll tell you to use their product. But in this case, put aside your skepticism and do what the man says. Newer security programs really do filter out lots of malware. And while it may seem utterly obvious, I'll repeat this old chestnut: Don't open attachments from people you don't know.

Remember I said that the latest PDF attack was aimed at newer versions of the software. If you're running version 9 of Reader, you'll be prompted to download a security patch within the next few weeks. Do it.

Adobe's New Sandbox Technology

Adobe Reader X (version 10) will run in "protected mode," which means that most operations will take place within the sandbox. Poisoned code within the PDF would still run, but because it is running within the sandbox, it can't get out to make trouble.

When Reader is running in protected mode, it relies on a "broker" which decides what functions it can carry out, such as launching an attachment. It's not likely to be a perfect defense, but Adobe has been testing the technology for some time, and is confident that it will provide a significant security enhancement.
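To make the broker idea concrete, here is a small model of the pattern, added for illustration and not taken from Adobe's code: the sandboxed renderer can only send requests, and a broker outside the sandbox decides each one, refusing anything it does not recognize. The operation names, the scratch directory, the blocked-extension list and the sample paths are all assumptions.

```python
import os
from dataclasses import dataclass

# Hypothetical policy values, chosen for illustration (not Adobe's actual rules).
BLOCKED_ATTACHMENT_EXT = {".exe", ".bat", ".js", ".vbs"}

@dataclass(frozen=True)
class Request:
    op: str      # operation the sandboxed renderer asks the broker to perform
    target: str  # path the operation applies to

class Broker:
    """Runs outside the sandbox; the renderer has no other way to touch the system."""

    def __init__(self, document, scratch_dir, confirm):
        self.document = os.path.realpath(document)
        self.scratch = os.path.realpath(scratch_dir)
        self.confirm = confirm  # callback that asks the user; returns True or False

    def _inside_scratch(self, path):
        real = os.path.realpath(path)  # resolve ../ and symlinks before comparing
        return os.path.commonpath([real, self.scratch]) == self.scratch

    def decide(self, req):
        if req.op == "read":    # only the document the user opened
            return os.path.realpath(req.target) == self.document
        if req.op == "write":   # only inside the sandbox's scratch directory
            return self._inside_scratch(req.target)
        if req.op == "launch_attachment":
            ext = os.path.splitext(req.target)[1].lower()
            return (self._inside_scratch(req.target)
                    and ext not in BLOCKED_ATTACHMENT_EXT
                    and self.confirm(req.target))  # user is asked last
        return False            # default deny: unknown operations never run

def replay(confirm=lambda path: True):
    """Decide a constructed mix of ordinary and out-of-policy requests."""
    broker = Broker("/home/user/report.pdf", "/tmp/reader-sandbox", confirm)
    requests = [
        Request("read", "/home/user/report.pdf"),
        Request("read", "/home/user/.ssh/id_rsa"),
        Request("write", "/tmp/reader-sandbox/cache.bin"),
        Request("write", "/tmp/reader-sandbox/../../home/user/startup.bat"),
        Request("launch_attachment", "/tmp/reader-sandbox/invoice.exe"),
        Request("launch_attachment", "/tmp/reader-sandbox/notes.txt"),
        Request("spawn_process", "/bin/sh"),
    ]
    return [broker.decide(r) for r in requests]
```

Even if code inside the PDF takes over the renderer, every request it makes still passes through `decide`, so the damage is bounded by what the policy allows.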

In a recent interview with our colleagues at Computerworld, an Adobe researcher said that Version X will probably attract a new wave of hackers eager to see if they can defeat the new technology. "Everyone will want bragging rights to be the first to come up with a working exploit of the sandbox," said Brad Arkin, Adobe's director of security and privacy.

But Arkin was confident that Reader X will withstand the inevitable assaults.

After last week's attack, I asked Arkin if it would be possible to patch older versions of Reader with the sandbox technology. Unfortunately, it isn't. "The development of a sandbox, in particular for a product as complex as Adobe Reader, is significant new functionality that impacts the entire code base and can only be introduced as part of a major new version. It is simply not possible to apply the sandbox developed for one version of a product as a patch for a previous version," he said in an email exchange.

There you have it. My experience is that consumers who follow the common-sense recommendations I've recounted rarely are hit with malware. But it does happen. In the case of Reader, you should move to Version X as soon as it's out.

San Francisco journalist Bill Snyder writes frequently about business and technology. He welcomes your comments and suggestions. Reach him at

Follow Bill Snyder on Twitter @BSnyderSF. Follow everything from on Twitter @CIOonline.
