Researcher: Rogue PDFs account for 80 percent of all exploits

by Gregg Keizer, Computerworld

... According to ScanSafe of San Bruno, Calif., vulnerabilities in Adobe’s Reader and Acrobat applications were the most frequently targeted of any software during 2009, with hackers’ PDF exploits growing throughout the year.

In the first quarter of 2009, malicious PDF files made up 56 percent of all exploits tracked by ScanSafe. That figure climbed above 60 percent in the second quarter, over 70 percent in the third and finished at 80 percent in the fourth quarter.

“PDF exploits are usually the first ones attempted by attackers,” said Mary Landesman, a ScanSafe senior security researcher, referring to the multi-exploit hammering that hackers typically give visitors to malicious Web sites. “Attackers are choosing PDFs for a reason. It’s not random. They’re establishing a preference for Reader exploits.”

Landesman, the author of ScanSafe’s just-published annual threat report , said that attackers’ preferences for PDF exploits were clearly demonstrated by the data. Exactly why hackers choose Adobe as their prime target is tougher to divine, however ...

http://www.macworld.com/article/146474/2010/02/pdf_security.html?lsrc=rss_main

I can't really say I'm surprised.

is clicking on what looks like a weblink and instead of going to a page being forced to download a stupid pdf that opens in another application.

I could see putting something in a pdf it was a legal document you didn't want an edited, distorted version of floating around, but if you're just announcing a meeting or something, just put it in simple html--and leave the fucking flash out too for that matter. 99% of the time flash adds nothing to a page except the amount of time it takes to load.

I could see putting something in a pdf it was a legal document you didn't want an edited, distorted version of floating around

That's what public-key signing and encryption is for. PDFs can be edited just like HTML.

products may have similar vulnerabilities, but malware authors typically craft code that targets widely used programs

I haven't tracked the specifics, but I know Ghostscript and Poppler (the primary Linux and BSD PDF programs) simply refused to implement the parts of the standard that had inherent security problems.