Adobe has issued patches for critical vulnerabilities in its Acrobat and Acrobat Reader software, which is widely used for creating and reading PDF documents. The latest security update contains 12 fixes; three are rated Critical because they can be exploited to achieve arbitrary code execution. In other words, simply opening a specially crafted PDF document could allow an attacker to run malware on your computer.
Adobe publishes security patches each month, but they are not included when operating system patches are installed. Adobe provides its own software update mechanism, so Security Managers should ensure that automatic updates are turned on within the Adobe software (and in all other third-party software on the network) so that security updates are installed automatically each month.
PDF files are an attractive delivery mechanism for malware as they are widely used in business for invoices, contracts and other documents where editing is not required.
Email is a popular delivery mechanism for malware as it is the primary communication mechanism for most businesses in 2020.
Security Managers can help protect their networks from malware delivered by email by adopting a defence in depth strategy – combining several layers of protection:
- Scan incoming email for malware before it is delivered to end users
- Apply operating system security patches to email servers and users’ desktop computers promptly every month
- Provide Security Awareness training to help users spot suspicious emails and avoid opening malware-laden attachments that make it through
- Turn on automatic updates for third party software, such as PDF readers, to ensure security patches are applied as they are released
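One practical form of the first layer above (scanning attachments before they reach the mailbox), as an added example that is not part of the original article and not Adobe's or any vendor's code: a small Python scanner that walks the MIME parts of a message, identifies PDFs by their magic bytes rather than by filename or declared content type, and flags PDF name objects that malicious documents commonly rely on (automatic actions, JavaScript, launch actions, embedded files). The feature list, its weights and the quarantine threshold are assumptions chosen for illustration; the email and the two PDFs are constructed inline so the script runs offline.

```python
"""Triage PDF attachments in an email before delivery.

Added illustration, not vendor code. Feature weights and the block
threshold are assumptions; the mail and PDFs below are constructed samples.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# PDF name objects that are legitimate but rarely needed in invoices or
# contracts, and that exploit or dropper PDFs routinely use. The names are
# standard PDF syntax; the weights are an assumption for this example.
RISKY_FEATURES = {
    b"/JavaScript": 3,    # JavaScript action
    b"/JS": 3,            # the JavaScript code or stream itself
    b"/OpenAction": 2,    # action fires as soon as the document opens
    b"/AA": 2,            # additional (automatic) actions on page/field events
    b"/Launch": 3,        # launch an external program or file
    b"/EmbeddedFile": 2,  # a file carried inside the PDF
    b"/URI": 1,           # external link
    b"/AcroForm": 1,      # form fields, often used by decoy documents
}
BLOCK_THRESHOLD = 4  # assumption: score at or above this is quarantined


def is_pdf(data: bytes) -> bool:
    """Trust the magic bytes, not the filename or the declared MIME type."""
    return data.lstrip()[:5] == b"%PDF-"


def pdf_risk(data: bytes) -> dict:
    """Count risky name objects in a PDF.

    PDF names may hex-escape characters (#53 is 'S'), so /Java#53cript is a
    valid spelling of /JavaScript; evasive samples use that to dodge naive
    string matching, so the escapes are decoded before matching.
    """
    normalised = re.sub(rb"#([0-9A-Fa-f]{2})",
                        lambda m: bytes([int(m.group(1), 16)]), data)
    found = {}
    for name, weight in RISKY_FEATURES.items():
        # Only match when the name ends at a PDF delimiter or end of data,
        # so /JS does not fire on an unrelated name such as /JSfoo.
        pattern = re.escape(name) + rb"(?![^\s/\[\]<>(){}%])"
        count = len(re.findall(pattern, normalised))
        if count:
            found[name.decode()] = count
    score = sum(RISKY_FEATURES[k.encode()] * v for k, v in found.items())
    return {"score": score, "features": found}


def scan_message(raw: bytes) -> list:
    """Walk every MIME part of a raw RFC 822 message, return a verdict per PDF."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)  # base64 etc. already undone
        if not payload or not is_pdf(payload):
            continue
        risk = pdf_risk(payload)
        verdicts.append({
            "filename": part.get_filename() or "(unnamed)",
            "declared_type": part.get_content_type(),
            "score": risk["score"],
            "features": risk["features"],
            "action": "quarantine" if risk["score"] >= BLOCK_THRESHOLD else "deliver",
        })
    return verdicts


def build_message(attachment: bytes, filename: str) -> bytes:
    """Constructed sample mail with one attachment, declared as a generic
    octet-stream so the scanner cannot lean on the MIME type."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed minimal PDFs (no xref table; the scanner does not need one).
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Same skeleton plus an OpenAction that runs JavaScript; /JavaScript is
# hex-escaped the way evasive samples spell it.
MALICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"4 0 obj << /S /Java#53cript /JS (app.alert('constructed sample');) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for name, pdf in (("benign.pdf", BENIGN_PDF), ("invoice.pdf", MALICIOUS_PDF)):
        for verdict in scan_message(build_message(pdf, name)):
            print(verdict)
```

This is a triage heuristic, not a substitute for a full antivirus or sandbox: a legitimate form can contain JavaScript, and a malicious file can hide its objects inside compressed object streams that this scanner does not decompress. Treat a high score as grounds to quarantine the message for closer inspection rather than as proof of malice, and keep the gateway's own malware scanning in front of it.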