PDF Current Threats
The chart below gives an overview of the most common PDF exploit threats. PDF is one of the most prevalent methods of remote exploitation: victims can be sent targeted, socially engineered emails with PDF attachments or links to PDF files hosted on websites, or exposed to drive-by exploitation when malicious PDFs are planted on websites they visit.
To view a real-life sample document in the PDF Examiner, click the sample link; to download PoC code, we recommend clicking through the CVE number link and following the securityfocus.com BID link. Our ratings of High, Medium and Low are based on the current frequency of attacks. Older exploits rated above Low are most likely still seen because they are bundled into multi-exploit PDFs, which are quite common and carry several different exploits targeting a number of PDF reader versions in the same attack. Exploits may affect Adobe Reader, Adobe Acrobat, Foxit Reader, etc.
More information on our PDF Examiner, for detection and analysis of malicious PDFs, is available here. See also the current Document Threats page.
Current PDF threatcon Medium: targeted attacks using older, already-patched exploits are common.
| Release | CVE ID | Description | Exploit | Status | Exploitability | Patch | PDF Examiner Sample |
|---|---|---|---|---|---|---|---|
| 2013-05-14 | | Adobe PDF BMP RLE integer heap overflow. | Targeted attacks started a week after the patch. | Patched | Low - targeted attacks | 2013-05-14 > 11.0.02 / 9.5.4 | |
| 2013-02-12 | | Adobe PDF exploit and sandbox bypass. | Details not released. | Patched | Low - exploit not replicated | 2012-02-20 > 11.0.1 | |
| 2012-02-15 | | Adobe PDF Flash loads corrupted MP4. | Adobe PDF potential zero-day: exploit published 2012-02-15 for Flash Player, not mitigated in PDF until 2012-04-10, seen in the wild in PDF on 2012-04-20. | Patched | Medium - targeted | 2012-04-10 > Reader 9.5.0 uses local Flash Player (patched 2012-02-15 > Flash 11.1.102.55) | |
| 2011-12-16 | | Adobe PDF "PRC" memory corruption vulnerability. | Adobe PDF zero-day; no public advisory was issued pre-patch. | Patched | Medium - targeted | 2011-12-16 > Reader 9.4.6 | |
| 2011-12-06 | | Adobe PDF U3D memory corruption vulnerability. Reported by Lockheed Martin. | Adobe PDF zero-day. See the Adobe advisory for more information. | Patched | High | 2011-12-16 > Reader 9.4.6 | |
| 2011-06-14 | | Adobe DLL inclusion exploit (requires the PDF and a malicious DLL in the same directory). Reported by Mila Parkour. | Adobe Flash zero-day. See the Adobe advisory for more information. | Patched | Low | 2011-06-14 > Reader 9.4.4 / 10.1 | |
| 2011-04-11 | | Adobe Flash embedded in Office or PDF documents; Flash exploit used in the Amnesty UK website seeding attack. Possible author @yuange1975. Reported by Mila Parkour. | Adobe Flash zero-day. See the Adobe advisory for more information. | Patched | High - current top exploit | 2011-04-21 > Reader 9.4.3 | |
| 2011-03-14 | | Adobe Flash vulnerability (discovered embedded in MS Excel XLS); mwtracker reported use in PDF affecting Acrobat and Reader; does not bypass the protections of Reader X 10.0.1 sandboxing. Possible author @yuange1975. XLS used in the RSA compromise. | Adobe Flash zero-day. See the Adobe advisory for more information. | Patched | High | 2011-03-21 > Reader 9.4.2 | |
| 2010-11-04 | | PDF Doc.printSeps memory corruption error. Reported by scup. | Adobe PDF zero-day, Doc.printSeps(). See for mitigation advice. | Patched | Low - VUPEN reports code execution possible, working PoC unpublished | 2010-11-16 > 9.4.1 | |
| 2010-10-28 | | Adobe Flash authplay exploit. Reported by Mila Parkour. | Adobe Flash authplay exploit | | High | 2010-11-16 > 9.4.1 | |
| 2010-09-09 | | Stack-based buffer overflow in CoolType.dll while parsing PDF-embedded fonts. Reported by Mila Parkour. | TrueType font - SING table descriptor string | Patched | High | 2010-10-05 > 9.4 | |
| 2010-09-15 | | Unspecified vulnerability in Adobe Flash Player. Reported by Steven Adair of the Shadowserver Foundation. | Embedded Flash | Patched | Medium (used in the Amnesty Hong Kong site seeding attack) | 2010-09-20 | |
| 2010-08-05 | | Integer overflow in CoolType.dll. Reported by Charlie Miller at BlackHat 2010. | TrueType font with a large maxCompositePoints value in a Maximum Profile (maxp) table | Patched | Low | 2010-08-20 | |
| 2010-03 / 2010-04-05 | | Open/Launch of an embedded exe via built-in functionality, with the ability to change the user prompt text. Reported by Didier Stevens. | /Launch /Action | User prompt | Low | 2010-06-29 | |
| 2010-06-08 | | Adobe Flash DoABC handling | Embedded Flash | Patched | Medium | 2010-06-10 | |
| 2010-02-22 | | LibTIFF integer overflow (TIFF images). Reported by villys777. | TIFF image with overflow and shellcode | Patched | High | 2010-02-16 | |
| 2010-01-13 | | NULL pointer dereference | Unknown | Patched | Low (PoC unpublished) | 2010-01-12 | |
| 2010-01-13 | | DLL-loading vulnerability in 3D | 3D | Patched | Low | 2010-01-12 | |
| 2010-01-13 | | Array boundary issue in U3D CLODProgressiveMeshDeclaration | Malformed U3D data | Patched | Low | 2010-01-12 | |
| 2009-12-15 | | Use-after-free vulnerability in Doc.media.newPlayer | media.newPlayer | Patched | High | 2010-01-12 | |
| 2009-10-13 | | Heap-based buffer overflow - FlateDecode stream Predictor 02 integer overflow | Crafted stream | Patched | Medium | 2009-10-13 | |
| 2009-07-23 | | Adobe Flash unspecified exploit | Embedded Flash | Patched | Low | 2009-08-03 | |
| 2009-04-30 | | customDictionaryOpen buffer overflow via a long string in the second argument | customDictionaryOpen | Patched | Low | 2009-05-12 | |
| 2009-04-30 | | getAnnots Doc method, via a PDF file that contains an annotation and has an OpenAction entry with JavaScript code that calls this method with crafted integer arguments | getAnnots | Patched | Low | 2009-05-12 | |
| 2009-03-19 | | Stack-based buffer overflow via a crafted argument to the getIcon method of a Collab object | Collab.getIcon | Patched | High | 2009-04-09 | |
| 2009-03-09 | | Foxit Reader authorization bypass and stack overflow | Open/Execute | Patched | Low | 2009-03-09 | |
| 2009-02-20 | | Buffer overflow in JBIG2 image handling | JBIG2Decode | Patched | Low | 2009-03-18 | |
| 2008-11-04 | | Stack-based buffer overflow via the util.printf JavaScript function with a crafted format string argument | util.printf | Patched | High | 2008-11-04 | |
| 2008-02-07 | | Buffer overflow via specially crafted arguments to Collab.collectEmailInfo | Collab.collectEmailInfo | Patched | High | 2008-06-05 | |
| 2007-09-21 | | Vulnerability in mailto handling | mailto | Patched | Low | 2007-11-16 | |
Special thanks to Mila of Contagiodump for many of the samples noted above, and to Symantec for some of the earlier patch dates from The Rise of PDF Malware (PDF whitepaper).
Please contact us for more information.
This page was last updated 2013-06-16 05:14:20