Adobe Reader Flaw -Uncovered by Researchers

Discussion in 'Technology News' started by s18000rpm, Jan 4, 2007.

Thread Status:
Not open for further replies.
  1. s18000rpm

    s18000rpm ಠ_ಠ

    Joined:
    Mar 1, 2006
    Messages:
    5,608
    Likes Received:
    87
    Trophy Points:
    48
    Security researchers have discovered a cross-site scripting (XSS) vulnerability affecting the widely used Adobe Acrobat Reader software that could make it easy for attackers to launch malicious code.

    The flaw, revealed by security researchers Stefano Di Paola and Giorgio Fedon last week at the Chaos Communications Congress hacker convention in Berlin, could allow attackers to manipulate the Adobe Reader browser plug-in to execute arbitrary JavaScript on the client side simply by adding code to the URL of an online PDF file and getting users to click on the link.

    The XSS vulnerability is made possible by the Open Parameters feature in Adobe Reader, which makes it possible to open a PDF file using a URL and specify which content to show and how to display it.

    In a Wednesday advisory sent to its Deepsight threat management customers, Symantec warned that because Open Parameters exists in most Adobe Reader applications and browser plug-ins, the flaw could lead to a wave of XSS attacks against client-side targets.

    "We may be seeing one of the first significant developments where cross-site scripting attacks are delivered to the client side with extremely high target-to-compromise ratios," according to the Deepsight advisory.

    Attackers also could leverage the XSS vulnerability to steal cookie-based authentication credentials and launch additional attacks, Symantec noted.

    The flaw is easy to exploit because attackers don't need write access to a PDF document and can add malicious JavaScript to any PDF file link found online, according to a post on the SANS Internet Storm Center blog.

    Adobe Systems couldn't be reached for comment.

    The vulnerability affects Adobe Reader version 6.0.1 for Windows using Internet Explorer 6 and version 7.0.8 for Windows using Firefox 2.0.0.1, but Adobe has fixed the problem in version 8 of the Reader software.

    Security firm Secunia, which recommended upgrading to Adobe Reader 8.0 to fix the problem, didn't see the threat as serious, giving it a rating of "less critical," or 2 on a 5-point scale. Symantec Deepsight rated the severity of the flaw as 6.1 on a 10-point scale.

    Source: CRN NEWS
     
  2. Third Eye

    Third Eye gooby pls

    Joined:
    Apr 2, 2006
    Messages:
    4,293
    Likes Received:
    58
    Trophy Points:
    48
    Location:
    Not very far from you
    Thanks for the info.......
     
  3. Ankur Gupta

    Ankur Gupta Wandering in time...

    Joined:
    Nov 7, 2004
    Messages:
    1,293
    Likes Received:
    11
    Trophy Points:
    0
    Location:
    Delhi,India
    Yeah read that news in the newspapers today..
    thanx for the details..
     
  4. nitish_mythology

    nitish_mythology OSS Enthusiast!

    Joined:
    Sep 9, 2005
    Messages:
    664
    Likes Received:
    1
    Trophy Points:
    0
    Location:
    Hills of Kumaoun
    Newspaper discussing Adobe flaw!
    May I know the name?
     
Thread Status:
Not open for further replies.

Share This Page