Report: Malicious PDF files comprised 80 percent of all exploits for 2009

Summary: A newly released report shows that, based on more than a trillion Web requests processed in 2009, Adobe Reader/Adobe Acrobat exploits not only outpaced the use of Flash exploits over the past year, but also grew to 80% of all exploits the company encountered in 2009.


A newly released report shows that, based on more than a trillion Web requests processed in 2009, the use of malicious PDF files exploiting flaws in Adobe Reader/Adobe Acrobat not only outpaced the use of Flash exploits, but also grew to 80% of all exploits the company encountered throughout the year.

Are the flaws in Adobe's product line becoming the cybercriminal's favorite exploitation tactic? It depends: from another perspective, malicious attackers don't have preferences; they exploit whatever is exploitable.

  • As seen in figures 8 and 9, malicious PDF files comprised 56% of exploits in 1Q09, growing to 80% of all exploits by 4Q09. Conversely, Flash exploits dropped from 40% in 1Q09 to 18% in 4Q09. This trend is likely indicative of attackers' preference for PDF exploits, probably due to a combination of increasing availability of vulnerabilities in Adobe Reader and Adobe Acrobat and the continued widespread use and acceptance of PDF files in both the workplace and consumer sectors.

Although the report establishes a logical connection between the increasing availability of Adobe exploits and the number of vulnerabilities reported in Adobe's products, it doesn't emphasize an important fact.

From a cybercriminal's perspective, traffic optimization has evolved from exploit-specific wide-scale attacks, to today's cybercrime business model driven by web malware exploitation kits automatically enumerating potentially exploitable applications and browser plugins, and serving them the appropriate exploits. This malicious optimization of traffic has been an active strategy for several years, with the attackers realizing that the more exploits they introduce within their kits, the higher the probability of infection.

Chart courtesy of Trusteer research published in August, 2009

Therefore, the increasing use of malicious PDFs can also be interpreted as the direct result of millions of users running outdated and exploitable Adobe products, with the only preference a malicious attacker could have in this case being the incentive of Adobe Flash's 99% penetration on Internet-enabled PCs. But how is it possible that, with such a high market share, ScanSafe's report shows that Adobe Acrobat/Reader exploits grew while the use of Flash exploits declined?

Naturally, there are malicious attackers with clear preferences, based on a number of factors. Some of the widespread client-side exploit serving campaigns launched in the wild over the past few months act as a good example of how cybercriminals actively monitor the metrics generated from their malicious campaigns, and tailor their exploitation tactics based on the third-party applications or browser plugins that contributed to most of the successful infections.

What these campaigns have in common, is the clear preference towards using Adobe Acrobat/Reader exploits only. Interestingly, the cybercriminals maintaining them are also relying on the KISS principle (Keep It Simple Stupid), since the campaigns are not necessarily exploiting the very latest flaws in Adobe's product line.

Case in point is the exclusive use of CVE-2007-5659; CVE-2008-2992; CVE-2008-0015; CVE-2009-0927; and CVE-2009-4324, with the choice based on already gathered metrics, which not surprisingly include traffic logs from the hundreds of thousands of visitors hitting their fraudulent online properties. In this case, why would they bother buying a zero day on the underground market, when they already know that millions of end users are susceptible to exploits released two years ago? They won't.

Although the data speaks for itself, Adobe's products are only some of the countless applications and browser plugins you're currently using. Making sure that you're running the latest versions, combined with the use of a browser that lets you take full control of your browsing experience with security in mind, is highly recommended.
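The article looks at malicious PDFs from the attacker's side; on the defender's side, the first question about a suspicious PDF is whether it carries the constructs that document exploits of this kind ride on (document-level JavaScript, open actions, launch actions). The following static triage script is an added example, not code from the article, ScanSafe or Adobe; the list of risky names, the two sample PDFs and their object-stream layout are constructed assumptions. It goes slightly beyond a plain grep by inflating Flate-compressed streams and undoing `#xx` name escaping, two ways such constructs get hidden from naive scanners.

```python
import re
import zlib

# PDF names worth flagging for analyst review (a constructed heuristic list, not a standard).
RISKY_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
_HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

def _inflate_streams(data: bytes) -> bytes:
    """Return the raw bytes plus the inflated body of every Flate-compressed stream."""
    parts = [data]
    for m in _STREAM_RE.finditer(data):
        try:  # decompressobj tolerates the EOL that precedes 'endstream'
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed or corrupt: the raw bytes are scanned anyway
    return b"\n".join(parts)

def triage_pdf(data: bytes) -> dict:
    """Count risky names in a PDF, including those hidden in compressed object streams."""
    text = _inflate_streams(data)
    # Undo #xx name escaping (/J#53 for /JS), a common way to evade naive greps.
    text = _HEX_ESCAPE_RE.sub(lambda m: bytes.fromhex(m.group(1).decode()), text)
    hits = {}
    for name in RISKY_NAMES:
        # A PDF name ends at a delimiter, so /JS must not match /JSX-style names.
        count = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", text))
        if count:
            hits[name.decode()] = count
    return {"hits": hits, "suspicious": bool(hits)}

def _pdf(objects: bytes) -> bytes:
    return b"%PDF-1.4\n" + objects + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

# Constructed samples: a bare document, and one whose document-open action is a
# JavaScript action stored in a compressed object stream with an escaped /JS name.
BENIGN_PDF = _pdf(
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
)
_packed = zlib.compress(b"3 0 << /S /JavaScript /J#53 (app.alert('constructed')) >>")
SUSPECT_PDF = _pdf(
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"4 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
    + str(len(_packed)).encode() + b" >>\nstream\n" + _packed + b"\nendstream\nendobj\n"
)
```

A hit is a reason to look closer, not a verdict: legitimate forms use JavaScript too, so the counts are meant to prioritise files for sandboxing or manual review.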

What do you think - are Adobe's products insecure in general, is the company leaving the "window of opportunity" wide open for too long, or are their products on the top of the exploitation list due to the fact that millions of users continue using old versions of the company's software?



Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.



  • All of the above.

    • Spot On Observation (nt)

      • L....A....Z....Y...

        Adobe "IS" Seriously lazy... Not to mention they suck at security...
  • the solution is to

    use Linux instead of windoze.
    No Linux machine has ever been infected by a pdf file.
    Linux Geek
    • Your solution is not often an option

      But there are alternative readers that don't have the vulnerabilities that the Adobe readers have. I use PDF-Xchange Viewer.
    • Wrong - Linux is not immune to PDF vulnerabilities

      The same vulnerabilities exist in Adobe Acrobat on Linux. (Read the first user comment. His Linux system is infected.)

      Linux users have a "real problem" when they perceive it to be so secure. That is one of its biggest insecurities.
      • many linux users don't use adobe

        For example, rather than using Adobe Acrobat, I'm using the built-in PDF reader for Ubuntu. After installing Mozplugger, PDFs will open "inside" the browser in much the same way as if I were using Adobe Acrobat, except without the exploits.

        Every Linux system has a built in way to open PDFs without the need for that exploit filled application.
        • So? Many Windows users don't use Adobe either

          There are many non-Adobe PDF readers available for Windows too. They aren't susceptible to the Adobe bugs either, although I am sure that many of them, and many of the Linux alternative readers, all have their own subtle and not-so-subtle bugs and vulns.

          Every Windows system has a built in way to open PDF's without the need for that exploit filled application.

          It still doesn't avert the fact that Adobe's PDF Reader and Flash add-ins for ALL OS' are riddled with bugs and need to be code scrubbed and hardened ASAP.
          • Well said

          • The crucial difference is..

            Windows, Adobe's crap comes by default. And most people just leave the defaults.
          • Yet another misinformed zealot

            that one needs no interaction except to click the pdf file. You Linux zealots are forever putting your feet in your mouths and looking like fools. Grow up, Linux is not more secure, it's not faster, it's not better.
          • Most Linux distros use Evince or Sumatra, genius.

    • LINUX and OSX are NOT magical

      For the record I use OSX at home, Windows and Backtrack at work. I am not a hater. That said:

      Apple cult members: there aren't as many exploits on Macs ONLY because hackers do not target them as much. The very 1st virus ever developed was for an Apple system. It is irresponsible to tell people they have nothing to worry about and shouldn't take due care in protecting their Macs.

      Penguin worshipers: there aren't as many exploits on Linux boxes ONLY because hackers do not target them as much. Linux systems are open to exploit almost as much as an MS OS system. Depending on the generosity of hackers is a dangerous thing.

      Lock down your systems and prepare for your systems, fueled by Redmond hatred to suffer exploits. After all, Adobe is not going to help you.
      • That's probably because it was the very first system.

        Kind of like how the first car to break down was from Benz, yet that doesn't mean a Mercedes-Benz is worse than (or even as bad as) certain other

        And why would hackers be less likely to target the systems running most of the Internet?

        Also, penguins own. They are birds but they fucking SWIM, in ICE WATER! Respect the Emperor
      • That Old Tired Volume Argument

        Market Share needs to be carefully defined. It is true that Microsoft has a majority of the desktop market, whatever that may mean. This does not mean, and is not true, that Microsoft has anything like a majority elsewhere.

        Microsoft, leveraging off its market share, gets its acolytes and drones to spout the "market share means more attacks and hence more successful attacks" mantras. But repetition, however vehement, does not make something true, or even plausible. Good journalists know that, and IT professionals that have worked in more than one operating system environment know that.

        Here are some counter examples.

        1. Microsoft IIS is not anything like the majority of the web server market. Here are three prominent sites that have failed recently: MySchool, CFA and Myki. All run IIS. Name three apache2-based server sites of the same criticality that have failed or been compromised.

        2. Microsoft server variants are not anything like the majority of servers out there, especially if one removes stray false instances, or calculates on the basis of population served rather than number of servers. They do, however, constitute the majority of the compromises, see CERT.

        We do not pull punches naming Toyota for making faulty cars, why do we pull back on Microsoft for making flawed operating systems?