5

My email client will flag up PDFs as potentially insecure, but won't do the same for other document formats such as PPTs. Why is this?

AviD
fredley
    See also [Which files are more insecure than others?](http://security.stackexchange.com/q/323/33) – AviD Mar 27 '12 at 10:34

3 Answers

6

Well, that's really a question for the makers of your email client to answer, but in general if software blocks every file attachment of a particular type then it is for one of four reasons:

  • The file is directly executable, and so might have a virus in it
  • The file is indirectly executable - e.g. a Word document might contain Macros that execute when you open it
  • The file is encrypted and so you can't tell what it is or scan it for viruses
  • The file type is one whose reader application has a lot of known exploits

PDF probably falls into the latter category: Microsoft report that almost all of the document exploits they see are PDF files infected with Win32/Pdfjsc.

(This is in the very interesting SIR volume 11.)

Graham Hill
    PDFs would actually fit in the three bottom categories. They can contain scripts, can be encrypted, and obviously Reader has a pretty bad history. – Doug Luxem Mar 27 '12 at 15:47
3

To answer your question directly, PDFs are less secure because Adobe has been plagued with security problems. It is 'easy' to embed malicious code into a PDF that Adobe Reader will not filter out.

Other document formats (Word, etc) can have the same problems, but they tend to have ways to mitigate the problem (if you use the most up-to-date version of their software), like the ability to turn off the execution of macros or embedded code.

As for your email client, it should be flagging ALL documents that can contain executable code (PDF, MS Office files, etc.) as potentially insecure. A PPT can be infected just as easily as a PDF and by singling out PDFs, it is providing a false sense of security to its users. Users should treat all attached documents as potentially infected and not allow any code inside to run until the source can be verified.

schroeder
3

In very simple terms, because current Adobe PDF readers will interpret JavaScript in PDF files. Executable code in a data file opens a whole host of risk exposures. We've seen the fruits of that in many security vulnerability notices and compromises.

Why does your email client tag PDF but not PPT? Probably because PDF exposures have been in the front of everybody's mind in recent times. Still, there's a history of PPT files having some nasty security issues too. If file formats had feelings, I'm sure PDF would call that unfair.

In short, we're back to the effects of whitelisting vs. blacklisting. It's just the email vendor trying to say, "We think this is risky..." but obviously they're not being complete.

Jeff Ferland
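An added example, not code from any of the answers above: a keyword-level attachment triage that covers the categories listed in the first answer and flags Office files as well as PDFs, as the second answer says a client should. The function names, reason strings and sample PDF are constructed for illustration.

```python
import io
import re
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls/.ppt container
# PDF names for scripts, auto-run actions, and encryption.
PDF_NAMES = ("JavaScript", "JS", "Launch", "OpenAction", "AA", "Encrypt")

# Constructed sample: auto-run action pointing at a script, with the name
# /JavaScript hidden behind a #xx hex escape (#61 is "a").
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /S /J#61vaScript /JS 3 0 R >>\nendobj\n")

def pdf_name_counts(data: bytes) -> dict:
    """Count risky PDF names. Names inside compressed streams are not seen."""
    # Undo #xx escapes so obfuscated names are matched as well.
    plain = re.sub(rb"#([0-9A-Fa-f]{2})",
                   lambda m: bytes([int(m.group(1), 16)]), data)
    # A name stops at a non-alphanumeric byte, so /JS does not match /JSFoo.
    return {n: len(re.findall(rb"/" + n.encode() + rb"(?![A-Za-z0-9])", plain))
            for n in PDF_NAMES}

def triage_attachment(data: bytes) -> list:
    """Return the reasons, if any, for flagging an attachment."""
    reasons = []
    if data.startswith(b"MZ"):
        reasons.append("directly executable")
    elif b"%PDF-" in data[:1024]:
        hits = pdf_name_counts(data)
        if hits["JavaScript"] or hits["JS"] or hits["Launch"]:
            reasons.append("pdf: script or launch action")
        if hits["OpenAction"] or hits["AA"]:
            reasons.append("pdf: automatic action")
        if hits["Encrypt"]:
            reasons.append("pdf: encrypted, content cannot be scanned")
    elif data.startswith(b"PK\x03\x04"):  # OOXML (.pptx/.pptm/.docm ...) is a zip
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return ["zip: unreadable archive"]
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            reasons.append("office: VBA macro project")
    elif data.startswith(OLE_MAGIC):
        reasons.append("office: legacy OLE file, may hold macros or be encrypted")
    return reasons

if __name__ == "__main__":
    print(triage_attachment(SAMPLE_PDF))
```

An empty result only means none of these markers were found; it says nothing about exploits against the reader application itself, which is the fourth category in the first answer.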