Adobe Flaw May Be 'Worst' Bug Of 2007 - InformationWeek


Security researchers are beginning to think the problem is much worse than first thought, although Adobe promises a fix by next week.

Adobe has promised to patch buggy versions of its popular Reader software next week to close a cross-site scripting vulnerability that some researchers say has the potential to be the worst of all 2007.

The vulnerability in Adobe Reader and an associated browser plug-in was first publicized Wednesday by security firms, which said the bug could let hackers misuse trusted Adobe PDF (Portable Document Format) files as carriers of malicious JavaScript code.

Adobe, which had earlier promised to patch the vulnerable versions of Reader, posted a security advisory late Thursday with details of the bug. "A cross-site scripting (XSS) vulnerability in versions 7.0.8 and earlier of Adobe Reader and Acrobat 7.0.8 could allow remote attackers to inject arbitrary JavaScript into a browser session," the advisory read. It did not divulge a specific day next week for its patch release, and recommended that users update to version 8 of Reader or Acrobat if possible.

"For users who cannot upgrade to Reader 8, the Secure Software Engineering team is working with the Adobe Reader Engineering team on a 7.0.9 update to versions 7.0.8 and earlier of Adobe Reader and Acrobat that will resolve this issue, which is expected to be available in the next week," the advisory said. The patches will come none too soon for some security researchers. While Adobe itself tagged the XSS bug as "important" and Danish vulnerability tracker Secunia has labeled it "moderately critical," others say that the flaw is much more dangerous than first thought.

"At first I didn't think that this was that bad, since just about every site is vulnerable [to cross-site scripting] anyway. It was interesting, that's all," says Jeremiah Grossman, the chief technology officer of WhiteHat Security. "But a hacker named 'RSnake' has shown that it's possible to set up a malicious URL that points to a default PDF file location on the local system. When that happens, the attacker is granted access to all local files, at least with read access."

Although it's not yet clear if an attacker would have write access -- necessary to introduce other code remotely to, for example, plant on-disk spyware or hijack the computer with a bot -- just the possibility is scary. "We've not been able to verify [write access]," says Grossman. "People are still learning about this; it's only been a couple of days."

An attack would be simple to execute, Grossman says. All a criminal has to do is locate a PDF on a public Web site, craft a link to the PDF that includes appended JavaScript code, then get a user to click on that link, probably by duping users with spammed e-mail or instant messages. "Any place where a user is likely to see and click [the link]," says Grossman. Once the link's clicked, the JavaScript executes, and the attacker can move on to any traditional XSS malfeasance, such as capturing keystrokes, stealing browser histories, and masking fraudster phishing sites.
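One defensive check for links of the kind Grossman describes, as an added example that is not part of the article: a small Python filter that flags links to a PDF whose query string or fragment carries script-like content, so a mail or instant-message gateway can quarantine them before a user clicks. The sample links, the marker list and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlparse, unquote

# Constructed sample links of the kind a mail/IM filter might see (not taken from the article).
SAMPLE_LINKS = [
    "http://www.example.com/reports/annual.pdf",
    "http://www.example.com/reports/annual.pdf#javascript:alert(1)",
    "http://www.example.com/reports/annual.pdf?x=%3Cscript%3Ealert(1)%3C/script%3E",
    "http://www.example.com/docs/guide.html#section-2",
]

# Markers that indicate script content riding on a PDF link rather than a
# normal page anchor ('#page=3') or an ordinary query string.
_SCRIPT_MARKERS = re.compile(
    r"(javascript\s*:|<\s*script|eval\s*\(|document\.|window\.)", re.I
)


def is_suspicious_pdf_link(url: str) -> bool:
    """Return True if the link targets a PDF and its query or fragment looks like script.

    Percent-encoding is decoded first so that an encoded payload does not slip past
    the markers. Links to non-PDF resources and PDF links with benign trailers
    (no trailer at all, or something like '#page=3') are not flagged.
    """
    parts = urlparse(url)
    if not parts.path.lower().endswith(".pdf"):
        return False
    trailer = unquote(parts.query) + " " + unquote(parts.fragment)
    return bool(_SCRIPT_MARKERS.search(trailer))


def flag_links(links):
    """Return the links the check flags, in their original order."""
    return [u for u in links if is_suspicious_pdf_link(u)]


if __name__ == "__main__":
    for link in flag_links(SAMPLE_LINKS):
        print("flagged:", link)
```

Note that the part of a URL after `#` is never sent to the web server, so the hosting site's access logs will not show it; this kind of check has to run where the link text itself is visible, such as a mail or IM gateway or a browser-side filter.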

"The vulnerability is very pervasive as it lowers the hackability bar from the target Web site needing to have an XSS issue to simply hosting a PDF," Grossman says. "This has the potential to be the number one worst vulnerability of 2007. Had this come out two weeks ago, it would have definitely made the top 10 list for 2006."

The XSS exploits against Reader and Acrobat work only in specific combinations of browsers and Adobe software, but even that was up in the air Friday. Adobe has yet to finish its testing, and while Symantec laid out claims Thursday, a rival security vendor contested the findings.

"The data provided by Symantec doesn't match up with multiple in-depth tests performed with our labs," says Ken Dunham, director of VeriSign iDefense's rapid response team. "IE 6.x is not vulnerable with Adobe Acrobat 7.x and up," Dunham says. "We ran confirmation against last night just to make sure."

iDefense's testing found that all versions of IE 6.x running Reader/Acrobat 6.0.1 and earlier were at risk, as were the Windows versions of Firefox when running Reader/Acrobat 7.0.8 and earlier. Also vulnerable: Opera 9.x running Reader/Acrobat 7.0.8.

WhiteHat's Grossman acknowledged that testing was in flux, and that some vendors were getting conflicting results.

More important than the browser-Adobe combinations that are, or aren't, at risk, however, is the sure bet that cross-site scripting vulnerabilities will be big in 2007.

"They're going to be the attack of 2007. We may be sick of hearing about cross-site scripting, but it's just getting started," Grossman said.

When Adobe posts patches for the 7.0.8 and earlier line of Reader and Acrobat next week, they will appear on the company's support Web site. Version 8 of Reader, which is immune to the XSS bug, can be downloaded free of charge from Adobe.
