Defending against malicious PDFs with SumatraPDF

We've seen it time and time again: someone sends an employee an email with a malicious attachment, they open the attachment and all hell breaks loose soon thereafter.

One enabler for this type of attack is widely used, bloated, buggy software. Opting instead for small (not many bells and whistles), unpopular software makes you safer. This is especially important when dealing with files from strangers (and any file attached to an email message should be considered coming from a stranger).

This is not to suggest uninstalling Word and restricting yourself to WordPad. Rather, that opening files in a word processor that doesn't support macros, for example, makes you safer.

The epitome of bloated popular software is probably the Adobe PDF Reader.

It's a huge download because it has every feature ever invented. The more code, the larger the attack surface. For example, the Adobe Reader includes Flash, an accident waiting to happen if there ever was one.

Any popular application is always going to be targeted by bad guys, as it offers the most bang for the buck. You are, therefore, safer as a lesser target. This is not fair to Adobe any more than avoiding Internet Explorer is fair to Microsoft. But fairness is not my priority; Defensive Computing is.

And, the Adobe Reader has a third strike against it: a long history of security vulnerabilities.

Without question, if someone emails you a PDF file, opening it in the Adobe Reader is a Defensive Computing mistake.

This was illustrated last month in an article, Anatomy of a PDF Hack, by Tomer Bitton. The author, a security researcher, offered a step-by-step dissection of a malicious PDF file. It's one thing to read about malicious PDFs, but quite another to see one up close and personal. As Bitton puts it:

PDFs are a widely used business file format, which makes them a common target for malware attacks. Because PDFs have so many "features," hackers have learned how to hide attacks deep under the surface. By using a number of utilities, we are able to reverse engineer the techniques in malicious PDFs, providing insight that we can ultimately use to better protect our systems.

The malicious PDF in question started out by exploiting JavaScript, so a knee-jerk reaction is to disable JavaScript in your PDF viewer. But the problem is bigger than JavaScript.* The problem is bloated, buggy, popular software.
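Bitton's point about attacks hidden "deep under the surface" can be checked before a file is ever opened. The script below is an added example (not from the article, and not part of SumatraPDF) in the spirit of byte-level PDF triage tools: it counts the name objects that introduce JavaScript and other active content, decoding the #xx escapes that obfuscated files use to disguise names such as /JavaScript. The PDF bytes are constructed for the example.

```python
import re

# Name objects that introduce active content in a PDF. Their presence is a
# triage signal, not proof of malice (interactive forms legitimately use /JS).
ACTIVE_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                b"/Launch", b"/EmbeddedFile", b"/RichMedia")
# A name token ends at whitespace or a PDF delimiter character.
_NAME_END = rb"(?![^\s/<>\[\]()%{}])"

def normalize_names(data: bytes) -> bytes:
    """Decode #xx hex escapes inside PDF name tokens, so an obfuscated
    spelling such as /J#61vaScript is counted as /JavaScript."""
    def decode(match):
        return re.sub(rb"#([0-9A-Fa-f]{2})",
                      lambda h: bytes([int(h.group(1), 16)]), match.group(0))
    return re.sub(rb"/[^\s/<>\[\]()%{}]*", decode, data)

def count_active_content(data: bytes) -> dict:
    """Count each active-content name in the raw (unparsed) PDF bytes."""
    normalized = normalize_names(data)
    return {name.decode(): len(re.findall(re.escape(name) + _NAME_END, normalized))
            for name in ACTIVE_NAMES}

def needs_review(counts: dict) -> bool:
    """Flag a file carrying script or launch actions, or an automatic action
    (/OpenAction, /AA) that fires as soon as the file is opened."""
    return any(counts[k] for k in ("/JavaScript", "/JS", "/Launch",
                                   "/OpenAction", "/AA"))

def triage_file(path: str) -> dict:
    """Scan a PDF on disk without handing it to any viewer."""
    with open(path, "rb") as fh:
        return count_active_content(fh.read())

# Constructed sample (not a real malware sample): the catalog's /OpenAction
# points at a JavaScript action whose /S name is obfuscated with a #xx escape.
SAMPLE_PDF = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
              b"3 0 obj << /Type /Action /S /J#61vaScript /JS (0) >> endobj\n"
              b"%%EOF\n")

if __name__ == "__main__":
    result = count_active_content(SAMPLE_PDF)
    print(result, "needs review" if needs_review(result) else "no active content")
```

Names stored inside compressed object streams are invisible to a byte-level scan like this, so a clean result is a weak signal while a hit is a strong one; the viewer choice the article recommends does not depend on getting this check right.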

What to use instead?

Windows users have an excellent option, the SumatraPDF viewer.

Why SumatraPDF?

1. No bells and whistles. For example, SumatraPDF does not support either JavaScript or Flash. Less code makes for a smaller attack surface.

2. It's not popular so there is little reason for bad guys to find and target bugs in the software.

3. It's free.

4. It's open source.

5. It is available in two portable editions and a normally installed edition.

6. It is actively developed.

7. Unlike the Adobe Reader, it does not install software that runs when Windows boots.

8. Updates do not require a re-boot of the operating system.

9. It's fast.

To illustrate how feature-free Sumatra is, the screen shot below shows the available configuration options, all six of them. In contrast, version 4 of the Foxit PDF reader has 15 different categories of preferences, most with more than one option. How many options does the Adobe Reader offer? Frankly, I don't want to count them all.

That said, SumatraPDF does have one useful feature: it remembers where you were in a PDF file and when you re-open the same PDF it takes you back to where you left off.

Portable versions of SumatraPDF are available both from the author, Krzysztof Kowalczyk, and from Portableapps.com. Given a choice, I always prefer portable applications.
The portable version from the author is downloaded as a zip file containing a single SumatraPDF.exe file. Unzipped, the EXE is just over 4 megabytes. As with any portable application, I suggest renaming it to include a version number and/or a date.

In Firefox 5, the portable version of SumatraPDF can be made the default PDF viewer.

To do so, click on Tools -> Options -> Applications tab. Then find PDFs under the Content Type column (the exact name varies depending on the default Windows PDF viewer) and in the Action column, click on the drop-down and select "Use other...". The portable edition of SumatraPDF may or may not be in the list of available applications for viewing PDFs. If not, click the Browse button and navigate to it. From then on, PDFs will open in SumatraPDF rather than in a browser window. I did not try the normally installed version.

Chrome users already have another feature-light viewer built into their browser that shares many of the advantages of SumatraPDF.

Still, Chrome 12 users can make the portable version of SumatraPDF their PDF viewer by first making it the default PDF viewer for Windows. Then enter "about:plugins" in the address bar and disable the Chrome PDF Viewer; the page is self-explanatory. Doing so causes the browser to fall back on the default PDF viewer for the operating system.

According to the online manual,

The "full installer" version includes a browser plugin for Firefox, Chrome and Opera (Internet Explorer is not supported). It's not installed by default, so you have to use the installer's options button to install it. You might need to configure the browser too: enable Sumatra's PDF plugin and disable the PDF plugins from other programs.

The author says that SumatraPDF works with Windows XP, Vista and 7. The documentation at portableapps.com also mentions Windows 2000 and Wine under *nix.
The latest version of SumatraPDF is 1.6 and it was released May 31, 2011.
By default, SumatraPDF automatically checks for updates when you run it, but this can be disabled with one of the six configuration options.

This is not to argue that Sumatra necessarily be the only PDF viewer installed, rather that it be the default PDF viewer. Certainly there will be times that you need one of the bells and whistles provided by a more fully-featured application. Fine.

Just start out safe.

*Even if JavaScript in PDFs were the only issue, you would still need to disable it on every computer you come into contact with (in possibly more than one PDF viewer), hope that the next version/release of your PDF viewer doesn't re-enable it by default, and know how to enable it again for the rare PDF that needs it. And the argument to use unpopular software extends to the operating system too. The malicious PDF analyzed in the article targeted Windows. Mac and Linux users would have been safe.
