PDF vulnerabilities hit all time high
Attackers are increasingly using maliciously-created documents to take advantage of flawed reading software.

The number of exploits targeting flaws in PDF-reading software are now at an all time high.
The IBM's mid-year X-Force security report said that the amount of "veiled" exploits disclosed in the first half of 2009 were more than in the whole of 2008.
Adobe software has seen numerous patches and updates to fix flaws, while malware increasingly targets PDF software.
Senior technology specialist at IBM X-Force James Randell told IT PRO that there had been an "unusually" large number of attacks against systems that used documents that were deliberately "malformed". These took advantage of flaws in the PDF-reading software.
"It's a particularly interesting form of attack. It's where you have a document that basically has got embedded within it executable machine-language code," he said.
"What an attacker can do is if they construct the document in the right way, is make the reader trip over itself' internally and end up executing malicious code the attacker has embedded."
The code would then run with whatever security privilege the person using the reader had.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
"If they were an administrator reading a technical manual and they opened it up, then the malicious code will run with a high level of privilege and potentially do a lot of damage," Randell said.
This form of attack used social engineering techniques, such as embedding the malicious document in a fake email and sending it to a target.
-
RSAC Conference 2025: The front line of cyber innovation
ITPro Podcast Ransomware, quantum computing, and an unsurprising focus on AI were highlights of this year's event
-
Anthropic CEO Dario Amodei thinks we're burying our heads in the sand on AI job losses
News With AI set to hit entry-level jobs especially, some industry execs say clear warning signs are being ignored
-
The FBI says hackers are using AI voice clones to impersonate US government officials
News The campaign uses AI voice generation to send messages pretending to be from high-ranking figures
-
Employee phishing training is working – but don’t get complacent
News Educating staff on how to avoid phishing attacks can cut the rate by 80%
-
Russian hackers tried to lure diplomats with wine tasting – sound familiar? It’s an update to a previous campaign by the notorious Midnight Blizzard group
News The Midnight Blizzard threat group has been targeting European diplomats with malicious emails offering an invite to wine tasting events, according to Check Point.
-
This hacker group is posing as IT helpdesk workers to target enterprises – and researchers warn its social engineering techniques are exceptionally hard to spot
News The Luna Moth hacker group is ramping up attacks on firms across a range of industries with its 'callback phishing' campaign, according to security researchers.
-
Hackers are using Zoom’s remote control feature to infect devices with malware
News Security experts have issued an alert over a new social engineering campaign using Zoom’s remote control features to take over victim devices.
-
State-sponsored cyber groups are flocking to the 'ClickFix' social engineering technique
News State-sponsored hackers from North Korea, Iran, and Russia are exploiting the ‘ClickFix’ social engineering technique for the first time – and to great success.
-
Have I Been Pwned owner Troy Hunt’s mailing list compromised in phishing attack
Troy Hunt, the security blogger behind data-breach site Have I Been Pwned, has fallen victim to a phishing attack targeting his email subscriber list.
-
LinkedIn has become a prime hunting ground for cyber criminals – here’s what you need to know
News Cyber criminals are flocking to LinkedIn to conduct social engineering campaigns, research shows.