X-Force: Document vulnerabilities on the rise

26 February 2010

Adobe's PDF document format continued to take a bashing this week, after a report from IBM's X-Force security consulting arm singled out readers supporting the software company's de facto standard document format as a particular security worry.

The IBM X-Force 2009 Trend and Risk Report recorded a marked rise in vulnerability disclosures for document readers and editors, along with multimedia applications. Disclosures in these categories were more than 50% higher in 2009 than in 2008, the company noted. "Vulnerability disclosures for document readers and editors continued to soar, specifically with Portable Document Format (PDF) documents," X-Force said.

On the positive side, the number of critical and high-severity vulnerabilities with no available patch decreased in the past year in several key product categories, the report said. It took this as an indication that software vendors are responding to security issues by shipping patches more quickly.

Also encouraging was the decline in SQL injection vulnerabilities, which contributed to an overall 11% decrease in vulnerabilities over the past 12 months. According to X-Force, this could mean that some of the 'low-hanging' vulnerabilities that are easier to discover have been eliminated.

In keeping with prevailing trends, web application vulnerabilities remain a major cause of security problems, said the report, which added that two-thirds of web application vulnerabilities had not been patched by the end of last year.

"A number of Web application vulnerabilities found by organizations have not decreased or become less of a threat," the report warned, adding that "49% of vulnerabilities are related to web applications, with cross-site scripting disclosures surpassing SQL injection to take the top spot."

X-Force's hat-tip to PDF will no doubt be unwelcome news to Adobe, which is fighting its own security battles at the moment. The company continues to experience significant vulnerabilities in its PDF reader products, the most recent of which happened this month, and could have led to the remote execution of arbitrary code.

 
