Adobe calls for upgrades to mitigate vulnerability

Users urged to upgrade to Adobe Reader 8 and Acrobat 8 to best addresses a cross-site scripting flaw found in earlier versions

Adobe Systems is urging users to update to the latest versions of Adobe Reader and Acrobat to avoid being affected by a recently discovered cross-site scripting flaw in its software that allows attackers to run malicious JavaScript on a user's PC.

The discovery of the flaw has caused considerable industry concern because of the ease with which it can be exploited and because any Web site hosting PDF files could be used to conduct an attack.

In an e-mailed comment, an Adobe spokesman said that the company is aware of a flaw in 7.0.8 and earlier versions of Adobe Reader and Acrobat that allows "remote attackers to inject arbitrary JavaScript into a browser session. This is not a vulnerability in PDF. Specifically, this issue could occur when a user clicks on a malicious link to a PDF on the Web."

The vulnerability, rated as "important'' by Adobe, cannot be exploited to "execute native code or erase hard drives" on a victim's PC, said Pam Deziel, director of the company's platform business unit. "There are some straightforward ways to mitigate this risk."

Upgrading to Adobe Reader 8 and Acrobat 8 "addresses the issue immediately" she said. "For Acrobat and Reader customers who wish to stay with their current version, they can use their browser preferences to disable the Reader plug-in from opening within the browser."

Adobe will soon publish additional details on the vulnerability, together with specifics on the affected browsers and mitigation measures, the spokesman said without offering details. The information will be available at www.adobe.com/support/security. The company will also release patches next week for fixing the flaws in the affected versions of Adobe Reader and Acrobat, the spokesman said.

Adobe's moves come amid considerable industry concern over the seriousness of a vulnerability in an Adobe Reader feature called Open Parameters, which allows for additional commands to be sent to the program when opening a PDF file. The feature allows users "to open a PDF file using a URL or a command that specifies both the file to be opened, plus actions to be performed once the file is opened," according to an Adobe description.

But Adobe's apparent failure to properly validate the kind of actions that can be performed once the file is opened gives attackers a way to run malicious JavaScript on a user's browser, according to security analysts.

One example is that of an attacker creating a hostile Web site with a link to PDF file on a bank's Web site, said Ken Dunham, director of VeriSign's iDefense rapid response team. The link could contain malicious commands that are executed when it is clicked and the PDF file is opened in a browser, he said.

"Instead of clicking on a link to get a PDF file, you get more than you bargained for -- execution of hidden JavaScript statements" in a user's browser, Dunham said. The malicious JavaScript could be used to steal cookies, session keys and Web browsing data, he said.

Since the scripts would appear to be running in the context of the Web sites from which the PDFs are loaded, victims are unlikely to suspect or detect suspicious activity, said Billy Hoffman, lead research engineer at SPI Dynamics in Atlanta.

Usually, such cross-site scripting is the result of server-side security failures, Hoffman said. With the Adobe flaw, however, any company that hosts a PDF file on its Web site could find itself being co-opted in an attack, regardless of how secure their sites may otherwise be, he said.

The likelihood of attacks that take advantage of the flaw is high because of the widespread use of Adobe's software and the ease with which the flaw can be exploited, Dunham said. But the likely impact of such attacks at least appears to be fairly low, he said.

"We don't see anything more significant than stealing cookies and session data and that sort of thing," Dunham said. There have been some discussions about whether it is going to be possible to create a cross-site scripting worm to take advantage of the flaw, he said. But for now, this remains "unproven, undeveloped and relatively unlikely at this time," he said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jaikumar Vijayan

Computerworld
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?