Adobe has promised to patch buggy versions of its popular Reader software next week to close a cross-site scripting vulnerability that some researchers say has the potential to be the worst of all 2007.
"For users who cannot upgrade to Reader 8, the Secure Software Engineering team is working with the Adobe Reader Engineering team on a 7.0.9 update to versions 7.0.8 and earlier of Adobe Reader and Acrobat that will resolve this issue, which is expected to be available in the next week," the advisory said.
The patches will come none too soon for some security researchers. While Adobe itself tagged the XSS bug as "important" and Danish vulnerability tracker Secunia has labeled it as "moderately critical," others say that the flaw is much more dangerous than first thought.
"At first I didn't think that this was that bad, since just about every site is vulnerable [to cross-site scripting] anyway. It was interesting, that's all," says Jeremiah Grossman, the chief technology officer of WhiteHat Security. "But a hacker named 'RSnake' has shown that it's possible to set up a malicious URL that points to a default PDF file location on the local system. When that happens, the attacker is granted access to all local files, at least with read access."
Although it's not yet clear if an attacker would have write access -- necessary to introduce other code remotely to, for example, plant on-disk spyware or hijack the computer with a bot -- just the possibility is scary. "We've not been able to verify [write access]," says Grossman. "People are still learning about this; it's only been a couple of days."
"The vulnerability is very pervasive as it lowers the hackability bar from the target Web site needing to have an XSS issue to simply hosting a PDF," Grossman says. "This has the potential to be the number one worst vulnerability of 2007. Had this come out two weeks ago, it would have definitely made the top 10 list for 2006."
The XSS exploits against Reader and Acrobat work only in specific combinations of browsers and Adobe software, but even that was up in the air Friday. Adobe has yet to finish its testing, and while Symantec laid out claims Thursday, a rival security vendor contested the findings.
"The data provided by Symantec doesn't match up with multiple in-depth tests performed with our labs," says Ken Dunham, director of VeriSign iDefense's rapid response team. "IE 6.x is not vulnerable with Adobe Acrobat 7.x and up," Dunham says. "We ran confirmation again last night just to make sure."
iDefense's testing said that all versions of IE 6.x running Reader/Acrobat 6.0.1 and earlier were at risk, as were the Windows versions of Firefox 188.8.131.52 and 184.108.40.206 when running Reader/Acrobat 7.0.8 and earlier. Also vulnerable: Opera 9.x running Reader/Acrobat 7.0.8.
WhiteHat's Grossman acknowledged that testing was in flux, and that some vendors were getting conflicting results.
More important than the browser-Adobe combinations that are, or aren't, at risk, however, is the sure bet that cross-site scripting vulnerabilities will be big in 2007.
"They're going to be the attack of 2007. We may be sick of hearing about cross-site scripting, but it's just getting started," Grossman said.
When Adobe posts patches for the 7.0.8 and earlier line of Reader and Acrobat next week, they will appear on the company's support Web site. Version 8 of Reader, which is immune to the XSS bug, can be downloaded free of charge.