12 Replies Latest reply on Feb 7, 2013 6:20 AM by Rudy Pohl

    Will opening and resaving old PDFs in Acrobat XI make them safer?

    Rudy Pohl

      We almost 2000 of old PDF files on our website made with old versions of Acrobat. Will opening and resaving these old PDF files in Acrobat XI close the security holes and make them safer?

       

      We were told that this is the case by the Adobe sale rep when we bought Acrobat XI, but considering how much labour is invovled I would like a confirmation that this is true. We have recently been hacked and the indication is that access was gained via exploitation of a vulnerability in PDF file made with versions of Acrobat older than version 9.

       

      Can anyonw confirm my question definitively?

       

      Thanks,

      R.P.

        • 2. Re: Will opening and resaving old PDFs in Acrobat XI make them safer?
          Rudy Pohl Level 1

          Hi Dave:

           

          Do you know what we need to do to make them safe?

           

          I don't really even know what questions to ask, but we have been told that hundreds of our PDFs on our server which were created in Acrobat versions 9 and older are unsafe. As I wrote above the Adobe sales rep specially told us that resaving would make them version X1.

           

          We have already spent 10 hours in this process. Please help!

           

          Thanks,

          Rudy in Ottawa

          • 3. Re: Will opening and resaving old PDFs in Acrobat XI make them safer?
            Dave Merchant MVP & Adobe Community Professional

            If a file contains malicious content (JavaScript, Flash, etc.) then it will probably just crash Acrobat, so you wouldn't get the chance to re-save it anyway. If the exploit has been closed and Acrobat manages to open it, simply re-saving the file will not change its contents.

             

            The security model in the Acrobat Family protects the user via two systems - on Windows platforms the content of an untrusted PDF file executes in a sandbox, so it cannot access the system resources. Adobe also releases regular patches to close potential exploit routes by fixing bugs or disabling risky features, but all these measures are applied to the application, not to the file. The goal (which is very effective) is to ensure that the worst possible outcome of opening a malicious PDF file will be the app closing.

             

            Your first action needs to be to work out what "unsafe" means. Have some of your PDF files been maliciously-crafted to contain an exploit? It can't happen by accident. Simply being created in an older version does NOT make a PDF file "unsafe" - indeed it's the later versions of the PDF standard which allow the type of interactivity that often gets exploited, so a very old PDF is a safer PDF.

             

            If you know some of your PDFs have been tampered with, run them through an antivirus program and see what it reports - most of the well-known PDF exploit fingerprints are caught by desktop AV programs now. Discard anything that reports a positive, but there is absolutely no reason to "re-fry" all your documents. I have no idea what the sales rep was suggesting it for.

            • 4. Re: Will opening and resaving old PDFs in Acrobat XI make them safer?
              Rudy Pohl Level 1

              Wow, thanks Dave, good to know this, too bad we've already "re-fried" 1000 or the 2000 files.

               

              So can I get this clarified, are you saying that because the old PDF are actually safer than the newer version PDFs, we have just made 1000 files less safe than they were before we re-fried them? Should we upload copies of the older ones back onto our server?

               

              Thanks so much for this much needed technical assistance, I searched forever on the net to find some answers and could find any... really appreciate it.

               

              Rudy

              • 5. Re: Will opening and resaving old PDFs in Acrobat XI make them safer?
                Test Screen Name Most Valuable Participant

                I think the whole idea that your old PDF files are "unsafe" is as dubious as the idea that Acrobat XI would make them "safer". It sounds like arrant nonsense, to be frank. What leads you to this conclusion - a sales pitch, a software report, a personal opinion, a consultant's report, a worrying web page...? Perhaps we can help to make sense of it.

                • 6. Re: Will opening and resaving old PDFs in Acrobat XI make them safer?
                  George_Johnson MVP & Adobe Community Professional

                  We have recently been hacked and the indication is that access was gained via exploitation of a vulnerability in PDF file made with versions of Acrobat older than version 9.

                   

                  I'm curious about this. Can you provide more information about why you think this is the case? Is this the result of credible analysis or merely conjecture? If the former, can you provide more details?

                  • 7. Re: Will opening and resaving old PDFs in Acrobat XI make them safer?
                    Test Screen Name Most Valuable Participant

                    Perhaps this will shed some illumination

                     

                    Hackers have found weaknesses in the security in Acrobat, and I understand they have used this to do bad things.

                     

                    The solution to this is, for now

                    - ALWAYS be up to date with Acrobat, don't delay even a day putting on the latest updates

                    - take a certain amount of care with PDFs you get in unsolicited email or on untrusted web sites

                    - personaly, I turn off JavaScript in Acrobat & Reader's preferences

                     

                    In theory PDF files can be attacked by a virus, like an EXE file. If you get a hack attack EVERY FILE on your system is suspect and you shoud always go back completely to backups before the attacj.

                     

                    So, there may exist nasty PDF files. But it isn't that the PDF is old. When there is a hack attack it is probably that the SOFTWARE is old. Old PDF files aren't dangerous now if they were once safe, and files you made should be fine (UNLESS they were hacked by a bad person or virus, but being a 'new' file is no protection against that).

                     

                    So the advice to update to Acrobat XI to protect you against risks in PDF files is arguably good. Any advice to update your PDF files is simply nonsense.

                    • 8. Re: Will opening and resaving old PDFs in Acrobat XI make them safer?
                      Dave Merchant MVP & Adobe Community Professional

                      You haven't changed anything, so there is no need to roll back. If there was nothing wrong with the file in the first place, then re-saving it will have made no difference. Acrobat won't add or remove anything unless you tell it to - so aside from re-ordering the content for Fast Web View if it wasn't done first time round, you will probably find that the page content in the files you re-saved is bit-for-bit identical to the old ones.

                       

                      Later versions of the PDF standard allow inclusion of JavaScript and Flash content, which have in the past been the target for exploits. If your files don't contain those elements to begin with, they won't magically appear. The older versions (e.g. PDF/1.4) don't support as many of these features so by definition they are harder to use as a malware payload, but a PDF file of any version is not inherently 'unsafe'. Someone has to intentionally make it that way, and normally it has to be done with specialist tools. Pressing the wrong button in Acrobat won't generate a virus!

                       

                      Rudy Pohl wrote:

                       

                      So can I get this clarified, are you saying that because the old PDF are actually safer than the newer version PDFs, we have just made 1000 files less safe than they were before we re-fried them? Should we upload copies of the older ones back onto our server?

                      • 9. Re: Will opening and resaving old PDFs in Acrobat XI make them safer?
                        Rudy Pohl Level 1

                        Hi George:

                         

                        Our client's website was hacked and Google blocked and blacklisted the site. The first time I visited the site Microsoft Security Essentials (my local machines anti-virus protection) caught and quarentined some malware.  Here is the name and description of it:

                         

                        http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Exploit%3aWin 32%2fPdfjsc.AEW&threatid=2147669992

                        • 10. Re: Will opening and resaving old PDFs in Acrobat XI make them safer?
                          Test Screen Name Most Valuable Participant

                          Thank for sharing that, it's describing a serious virus.

                           

                          Now, sometimes reports like this are "false hits" but we have to take them seriously.

                           

                          What it is describing is that it found a PDF infected with a virus. This is bad. There are several ways to sort this out, and I'll come back to that.

                           

                          What it isn't saying is "old PDFs bad" or "new PDFs good". What it does say is "

                          This malware exploits known vulnerabilities in Adobe Acrobat, and Adobe Reader. Install the updates available from the vendor so that your software is no longer affected by these vulnerabilities." Following more links, this is a problem fixed in 2010, by version 9.3.1.

                           

                          So...if your software is more recent than this, then the files won't hurt you.

                           

                          But... resaving files in the newest Acrobat won't (so far as I know) get rid of the problem just like that. So, how to fix the problem. It's a little hard to be certain in some cases because the details of the problem aren't widely shared, to keep more bad guys from doing worse things.

                           

                          * You can let an antivirus fix it, if it is able to fix it.

                          * You can remake the PDF from the source file

                          * I think there is a very good chance that printing the PDF to the Distiller printer will remove the virus, but I can't guarantee it.

                          • 11. Re: Will opening and resaving old PDFs in Acrobat XI make them safer?
                            Dave Merchant MVP & Adobe Community Professional

                            That specific exploit targeted a bug in the way TIFF image data was unpacked, so the malicious files will contain invalid bitmap image data that has been intentionally crafted to crash the application. It doesn't affect later versions of the Acrobat Family, but I doubt you will be able to open the affected files and re-save them - and if you did, it won't change the image data. Although Acrobat will no longer allow the exploit to take control, I doubt it will be able to parse the invalid data, so it'll just report the PDF as being corrupted.

                             

                            Usually if a website is hacked, completely new files will be added - it's way too much effort for a hacker to download your existing files, disassemble them, insert a virus and then re-deploy the PDFs. They will simply post their own file and include a link to it from one of the hacked pages - the PDF may not even be on your own server, it can be loaded in an iframe from anywhere.

                            • 12. Re: Will opening and resaving old PDFs in Acrobat XI make them safer?
                              Rudy Pohl Level 1

                              Hi Dave:

                               

                              We hired the services of a leading IT Security firm (Sucuri.net) to clean and fix the site and now do 24/7 monitoring. They found iframe insertions in multiple files. We now have 3 different levels of security systems in place on this large institutional site. It's been quite a ride this past week!

                               

                              Thanks for your excellent info.

                               

                              Rudy