Security risk pdf view cache download






















Do some PDF files have "call home" routines that can send a ping or other data to a server when they are opened or edited? Anything special there? I'm most interested in answers that are relevant to Windows and Android, but am also interested in those relevant to Linux, Unix, OS X, and iOS, as well as OS-agnostic answers.

One PDF-specific risk is that Adobe and third-party reader extensions are supported: your PDF viewer may have extra modules loaded, or may require them to open certain documents.

Examples include:. Both of these endeavour to constrain digital document use. At best, such features increase the attack surface, and at worst may deny you access to some of your files, report on your activity or otherwise take liberties with your privacy, documents, computer or network.

Sound familiar? Seems analogous to a browser and web page that needs Flash or a similar proprietary plugin. See also this question, which covers PDF phone-home capability. JavaScript, embedded multimedia including, but not limited to, Flash, and XObjects external streams are at least some of the ways to achieve that.

PDFs can contain attachments, though not all readers support this, and those that do don't always visually indicate their presence. These can be any type of file, including another PDF. I consider this a potential risk because it comes as a surprise to many people, and it may be used for stealth transfer.

The "Peachy" worm is a proof-of-concept example. Misplaced faith in native "security features" such as no-copy, no-print, no-edit. These are effectively discretionary controls, at the discretion of the viewer software itself. This show files which are simultaneously PDF, native binary executable,.

Metadata may leak information about the document origins or history. Sloppy redaction is also a problem. See the Acrobat Application Security Guide for further details. There are two types of PDF passwords, in Adobe terminology the user and owner passwords.

The user password is used for encryption, the owner password is used for discretionary access control. These may be augmented by proprietary controls via extensions.

While this allows for bit AES password protected documents to open faster in Acrobat 9, it can also allow external brute-force cracking tools to attempt to guess document passwords more rapidly because fewer processor cycles are required to test each password guess.

Applies to Acrobat 9 PDF 1. As with Flash, I've long had concerns about Adobe Reader's approach to browser integration which can do nothing positive for the attack surface of a browser. With native browser support for PDFs this problem is shifting away from being an Acrobat issue at least.
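The features named in the answer above (JavaScript, embedded multimedia, attachments, network references, encryption) all surface as name tokens in a PDF's object dictionaries, so a first-pass triage can count them before a file is ever opened in a reader. The following is an added example, not part of the original answer: the name tokens come from the PDF specification, while `triage_pdf`, `decode_name`, the labels and the `SAMPLE` bytes are constructed for illustration.

```python
import re

# PDF name tokens for the features discussed above (names from the PDF
# specification; the labels are this example's own wording).
RISKY_NAMES = {
    "JavaScript": "script", "JS": "script",
    "OpenAction": "action run on open", "AA": "additional (automatic) actions",
    "Launch": "launches an external program",
    "URI": "network reference", "SubmitForm": "network reference",
    "GoToR": "remote document reference",
    "EmbeddedFile": "attachment",
    "RichMedia": "embedded multimedia",
    "Encrypt": "encryption dictionary",
}

# A name is '/' followed by regular characters; '#XX' is a hex escape that
# can be used to disguise a name (e.g. /J#61vaScript is /JavaScript).
NAME_RE = re.compile(rb"/((?:#[0-9A-Fa-f]{2}|[^\x00\t\n\f\r ()<>\[\]{}/%#])+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_name(raw: bytes) -> str:
    """Resolve #XX escapes so disguised names compare equal to plain ones."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def triage_pdf(data: bytes) -> dict:
    """Count risky name tokens; 'obfuscated' counts hex-escaped spellings."""
    findings = {}
    for match in NAME_RE.finditer(data):
        raw = match.group(1)
        name = decode_name(raw)
        if name in RISKY_NAMES:
            entry = findings.setdefault(
                name, {"count": 0, "obfuscated": 0, "why": RISKY_NAMES[name]})
            entry["count"] += 1
            entry["obfuscated"] += int(raw != name.encode("latin-1"))
    return findings

# Constructed sample: a minimal, harmless PDF-like byte string.
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R /Names << /EmbeddedFiles 4 0 R >> >> endobj\n"
    b"2 0 obj << /S /J#61vaScript /JS (1+1) >> endobj\n"
    b"3 0 obj << /Type /Action /S /URI /URI (https://example.invalid/ping) >> endobj\n"
    b"5 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
)

if __name__ == "__main__":
    for name, info in sorted(triage_pdf(SAMPLE).items()):
        print(f"/{name}: {info}")
```

A raw byte scan like this misses names stored inside compressed object streams and can match stray bytes in binary stream data, so a clean result is a reason to look further with a full parser, not proof that the file is inert.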

Use of this tool is neither required by nor guarantees compliance with federal, state or local laws. Please note that the information presented may not be applicable or appropriate for all health care providers and organizations.

The Security Risk Assessment Tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. We encourage providers, and professionals to seek expert advice when evaluating the use of this tool.



