PDF Current Threats


The table below gives an overview of the most common PDF exploit threats. PDF is one of the most prevalent vectors for remote exploitation: victims can be sent targeted, socially engineered emails with PDF attachments or links to PDF files, or exploited drive-by when a malicious PDF is planted on a website they visit.

To view a real-life sample document in the PDF Examiner, click the sample link. To download PoC code, click through the CVE number link and follow the securityfocus.com BID link. Our ratings of High, Medium and Low are based on the current frequency of attacks; older exploits rated above Low usually owe that rating to their inclusion in multi-exploit PDFs, which are quite common and bundle several exploits targeting a range of PDF reader versions in a single attack. Exploits may affect Adobe Reader, Adobe Acrobat, Foxit Reader and others.

More information on our PDF Examiner, used for detection and analysis of malicious PDFs, is on its own page, as is the current Document Threats list.

Current PDF threatcon: Medium. Targeted attacks using older, already patched exploits are common.

Columns: Release is the date the exploit became public; Exploit names the PDF feature or API the exploit rides on; Patch gives the date of the vendor fix and, where recorded, the version threshold as the page notes it; the last column names the sample(s) available in the PDF Examiner ("n/a (report one)" means no sample is held and submissions are welcome).

| Release | CVE ID | Description | Exploit | Status | Exploitability | Patch | PDF Examiner Sample |
|---|---|---|---|---|---|---|---|
| 2013-05-14 | CVE-2013-2729 | Adobe PDF BMP RLE integer heap overflow. | Targeted attacks started a week after the patch. | Patched | Low - targeted attacks | 2013-05-14 > 11.0.02 / 9.5.4 | PDFExaminer report |
| 2013-02-12 | CVE-2013-0640, CVE-2013-0641 | Adobe PDF exploit and sandbox bypass. | Details not released. | Patched | Low - exploit not replicated | 2013-02-20 > 11.0.1 | PDFExaminer report |
| 2012-02-15 | CVE-2012-0754 | Adobe PDF Flash loads corrupted MP4. | Adobe PDF potential zero day: exploit published 2012-02-15 for Flash Player, not mitigated in PDF until 2012-04-10, seen in the wild in PDF on 2012-04-20. | Patched | Medium - targeted | 2012-04-10 > Reader 9.5.0 uses local Flash Player (patched 2012-02-15 > Flash 11.1.102.55) | Sample |
| 2011-12-16 | CVE-2011-4369 | Adobe PDF "PRC" memory corruption vulnerability. | Adobe PDF zero day; no public advisory was issued pre-patch. | Patched | Medium - targeted | 2011-12-16 > Reader 9.4.6 | Sample |
| 2011-12-06 | CVE-2011-2462 | Adobe PDF U3D memory corruption vulnerability. Reported by Lockheed Martin. | Adobe PDF zero day. See the Adobe advisory for more information. | Patched | High | 2011-12-16 > Reader 9.4.6 | Sample, Sample 2 |
| 2011-06-14 | CVE-2011-2100 | Adobe DLL inclusion exploit (requires the PDF and a malicious DLL in the same directory). Reported by Mila Parkour. | Adobe Reader DLL preloading (untrusted search path). See the Adobe advisory for more information. | Patched | Low | 2011-06-14 > Reader 9.4.4 / 10.1 | Sample |
| 2011-04-11 | CVE-2011-0611 | Adobe Flash embedded in Office or PDF documents; Flash exploit used in the Amnesty UK website seeding attack. Possible author @yuange1975. Reported by Mila Parkour. | Adobe Flash zero day. See the Adobe advisory for more information. | Patched | High - current top exploit | 2011-04-21 > Reader 9.4.3 | Sample, Sample 2 |
| 2011-03-14 | CVE-2011-0609 | Adobe Flash vulnerability (discovered embedded in an MS Excel XLS); mwtracker reported use in PDF affecting Acrobat and Reader. Does not bypass the Reader X 10.0.1 sandbox. Possible author @yuange1975. The XLS was used in the RSA compromise. | Adobe Flash zero day. See the Adobe advisory for more information. | Patched | High | 2011-03-21 > Reader 9.4.2 | Sample |
| 2010-11-04 | CVE-2010-4091 | PDF Doc.printSeps memory corruption error. Reported by scup. | Adobe PDF zero day in Doc.printSeps(); the mitigation advised at the time was to disable JavaScript in Reader. | Patched | Low - VUPEN reports code execution possible, working PoC unpublished | 2010-11-16 > 9.4.1 | Sample, Sample 2 |
| 2010-10-28 | CVE-2010-3654 | Adobe Flash authplay exploit. Reported by Mila Parkour. | Adobe Flash authplay exploit | Patched | High | 2010-11-16 > 9.4.1 | Sample |
| 2010-09-09 | CVE-2010-2883 | Stack-based buffer overflow in CoolType.dll while parsing PDF-embedded fonts. Reported by Mila Parkour. | TrueType font: SING table descriptor string | Patched | High | 2010-10-05 > 9.4 | Sample, Sample 2 |
| 2010-09-15 | CVE-2010-2884 | Unspecified vulnerability in Adobe Flash Player. Reported by Steven Adair of the Shadowserver Foundation. | Embedded Flash | Patched | Medium (used in the Amnesty Hong Kong site seeding attack) | 2010-09-20 | n/a (report one) |
| 2010-08-05 | CVE-2010-2862 | Integer overflow in CoolType.dll. Reported by Charlie Miller at Black Hat 2010. | TrueType font with a large maxCompositePoints value in the Maximum Profile (maxp) table | Patched | Low | 2010-08-20 | n/a (report one) |
| 2010-03 / 2010-04-05 | CVE-2010-1240 | Open/Launch an embedded exe via built-in functionality, with the ability to change the user prompt text. Reported by Didier Stevens. | /Launch action | User prompt | Low | 2010-06-29 | Sample |
| 2010-06-08 | CVE-2010-1297 | Adobe Flash DoABC handling | Embedded Flash | Patched | Medium | 2010-06-10 | Sample |
| 2010-02-22 | CVE-2010-0188 | LibTIFF integer overflow (TIFF images). Reported by villys777. | TIFF image with overflow and shellcode | Patched | High | 2010-02-16 | Sample |
| 2010-01-13 | CVE-2009-3957 | NULL pointer dereference | Unknown | Patched | Low (PoC unpublished) | 2010-01-12 | n/a (report one) |
| 2010-01-13 | CVE-2009-3954 | DLL-loading vulnerability in 3D | 3D | Patched | Low | 2010-01-12 | n/a (report one) |
| 2010-01-13 | CVE-2009-3953, CVE-2009-3959 | Array boundary issue in U3D CLODProgressiveMeshDeclaration | Malformed U3D data | Patched | Low | 2010-01-12 | n/a (report one) |
| 2009-12-15 | CVE-2009-4324 | Use-after-free vulnerability in Doc.media.newPlayer | media.newPlayer | Patched | High | 2010-01-12 | Sample |
| 2009-10-13 | CVE-2009-3459 | Heap-based buffer overflow: FlateDecode stream Predictor 02 integer overflow | Crafted stream | Patched | Medium | 2009-10-13 | Sample |
| 2009-07-23 | CVE-2009-1862 | Adobe Flash unspecified exploit | Embedded Flash | Patched | Low | 2009-08-03 | Sample |
| 2009-04-30 | CVE-2009-1493 | customDictionaryOpen buffer overflow via a long string in the second argument | customDictionaryOpen | Patched | Low | 2009-05-12 | n/a (report one) |
| 2009-04-30 | CVE-2009-1492 | getAnnots Doc method, via a PDF file that contains an annotation and has an OpenAction entry with JavaScript code that calls this method with crafted integer arguments | getAnnots | Patched | Low | 2009-05-12 | n/a (report one) |
| 2009-03-19 | CVE-2009-0927 | Stack-based buffer overflow via a crafted argument to the getIcon method of a Collab object | Collab.getIcon | Patched | High | 2009-04-09 | Sample |
| 2009-03-09 | CVE-2009-0836, CVE-2009-0837 | Foxit Reader: authorization bypass and stack overflow | Open/Execute | Patched | Low | 2009-03-09 | n/a (report one) |
| 2009-02-20 | CVE-2009-0658 | Buffer overflow in JBIG2 image handling | JBIG2Decode | Patched | Low | 2009-03-18 | Sample |
| 2008-11-04 | CVE-2008-2992 | Stack-based buffer overflow via the util.printf JavaScript function with a crafted format string argument | util.printf | Patched | High | 2008-11-04 | Sample |
| 2008-02-07 | CVE-2008-0655 (CVE-2007-5659) | Buffer overflow via specially crafted arguments to Collab.collectEmailInfo | Collab.collectEmailInfo | Patched | High | 2008-06-05 | Sample |
| 2007-09-21 | CVE-2007-5020 | Vulnerability in mailto handling | mailto | Patched | Low | 2007-11-16 | n/a (report one) |
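The Exploit column above is, in effect, a list of triage markers: the /Launch action, JavaScript (including the util.printf, Collab.getIcon, Collab.collectEmailInfo, Doc.media.newPlayer, getAnnots, customDictionaryOpen and Doc.printSeps calls), JBIG2Decode, embedded Flash and U3D/PRC 3D data. The script below is an added example written for this page, not the PDF Examiner's code, showing how a first-pass scanner looks for those markers before a sample goes to a full analyzer. It inflates FlateDecode streams and decodes #xx name escapes first, so that a compressed script body or an obfuscated name such as /J#61vaScript is still seen; it then counts marker hits, pulls the /F target and /P parameters out of a /Launch action, and assigns a coarse High/Medium/Low rating. The marker list, the rating thresholds and the sample file it builds are the example's own assumptions; the sample PDF is constructed, benign, and not a real in-the-wild document.

```python
"""Keyword triage for the PDF exploit markers in the table above (added example)."""
import re
import zlib

# PDF structures the table's exploits ride on. Each is matched only when a PDF
# delimiter follows, so "/AA" does not hit "/AAPL" and "/JS" does not hit "/JSON".
STRUCTURAL_MARKERS = [
    b"/Launch", b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
    b"/RichMedia", b"/JBIG2Decode", b"/U3D", b"/PRC", b"/3D", b"/EmbeddedFile",
]
# JavaScript API calls the table ties to specific CVEs (assumed list).
JS_API_MARKERS = [
    b"util.printf", b"Collab.getIcon", b"Collab.collectEmailInfo",
    b"media.newPlayer", b"getAnnots", b"customDictionaryOpen", b"printSeps",
]
_NAME_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
_DELIM = rb"(?=[\s()<>\[\]{}/%]|$)"
_LAUNCH = re.compile(rb"/S\s*/Launch(.{0,512})", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so /J#61vaScript reads as /JavaScript. Only ever applied
    to a view that is already inflated, so compressed bytes are never damaged."""
    return _NAME_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> list:
    """Inflate every stream body zlib accepts (FlateDecode, which also covers
    /ObjStm object streams). Streams with other filters are skipped."""
    bodies = []
    for m in _STREAM.finditer(data):
        try:
            bodies.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return bodies


def scan_pdf(data: bytes) -> dict:
    """Count marker hits in the raw file plus its inflated streams, and pull the
    /F target and /P parameters of a /Launch action (a heuristic, not a parser)."""
    views = [normalize_names(data)] + [normalize_names(s) for s in inflate_streams(data)]
    hits = {}
    for name in STRUCTURAL_MARKERS:
        n = sum(len(re.findall(re.escape(name) + _DELIM, v)) for v in views)
        if n:
            hits[name.decode()] = n
    for api in JS_API_MARKERS:
        n = sum(v.count(api) for v in views)
        if n:
            hits[api.decode()] = n
    launch = None
    m = _LAUNCH.search(views[0])
    if m:
        # /P is passed to the launched program and is also what Reader shows in
        # its launch prompt, which is the prompt-text trick noted for CVE-2010-1240.
        target = re.search(rb"/F\s*\(([^)]*)\)", m.group(1))
        params = re.search(rb"/P\s*\(([^)]*)\)", m.group(1))
        launch = {"target": target.group(1).decode(errors="replace") if target else None,
                  "params": params.group(1).decode(errors="replace") if params else None}
    return {"hits": hits, "launch": launch}


def risk_level(report: dict) -> str:
    """Coarse rating modelled on the table's High/Medium/Low column (assumed thresholds)."""
    hits = report["hits"]
    if report["launch"] or any(a.decode() in hits for a in JS_API_MARKERS):
        return "high"
    if any(k in hits for k in ("/JavaScript", "/JS", "/RichMedia", "/JBIG2Decode", "/U3D", "/PRC")):
        return "medium"
    return "low"


def build_sample_pdf() -> bytes:
    """Constructed sample, not a real malicious file: a /Launch OpenAction plus a
    page-open script whose action name is hex-escaped and whose body sits inside
    a FlateDecode stream, so a naive grep for '/JavaScript' would miss it."""
    js = b'var s = util.printf("%d", 1);'  # benign call; only the API name matters here
    body = zlib.compress(js)
    obj6 = (b"6 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + body + b"\nendstream\nendobj\n")
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/AA << /O 5 0 R >> >> endobj\n"
        b"4 0 obj << /Type /Action /S /Launch /F (cmd.exe) "
        b"/P (/c echo constructed sample) >> endobj\n"
        b"5 0 obj << /S /J#61vaScript /JS 6 0 R >> endobj\n"
        + obj6
        + b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    report = scan_pdf(build_sample_pdf())
    print(risk_level(report), report)
```

A hit here is a signal to send the file to a full analyzer, not proof of exploitation: /JavaScript and /AA are common in legitimate forms. The scanner only inflates Flate streams; bodies behind LZWDecode, ASCII85Decode, ASCIIHexDecode or RunLengthDecode, and scripts stored as hex strings (`<...>`) rather than literal strings, pass through unseen, which is exactly the layering a multi-exploit PDF uses to dodge keyword matching.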



Special thanks to Mila of Contagiodump for many of the samples noted above and to Symantec for some of the earlier patch dates, taken from The Rise of PDF Malware (PDF whitepaper).

Please contact us for more information.

This page was last updated 2013-06-16 05:14:20