PDF files and Adobe Reader should be security priority for 2010, says Qualys


The frequency and severity of security flaws in Adobe's Reader software make it a top priority for IT security managers in 2010, says security firm Qualys.

Adobe Reader is an attractive target for attackers because the free, cross-platform software has a large installed base and is widely used by businesses to access Portable Document Format (PDF) files.

Hackers are able to craft seemingly innocent PDF documents that contain everything necessary to exploit the victim's computer without needing to download anything.

According to SANS Internet Storm Center analyst Bojan Zdrnja, there is evidence of a high level of skill in recently analysed Adobe Reader exploit code.

"If we are to judge the new year by the sophistication the attackers have started using, it does not look too good," he wrote in a blog post.

Organisations need to come up with a plan for dealing with PDF file attacks in 2010 as a matter of urgency, said Wolfgang Kandek, chief technology officer at Qualys.

"No matter what the final decision is, it is essential to update to the latest software version or use an alternative PDF reader less scrutinised by attackers," he said.

Adobe has announced that it is to release patches for current vulnerabilities in Adobe Reader on 12 January to coincide with Microsoft's monthly Patch Tuesday security update.

The firm has released a separate security advisory on the steps system administrators can take to mitigate exploitation of the vulnerabilities in Adobe Reader until the patch is released.
