Adobe Flaw Means Trusted PDFs May Be Treacherous - InformationWeek
Software // Enterprise Applications
03:00 PM

Adobe Flaw Means Trusted PDFs May Be Treacherous

According to Symantec, any Adobe PDF file on the Internet could be used by hackers to run rogue JavaScript on a victimized PC.

Adobe's Reader browser plug-in has a significant flaw that can be exploited by attackers to snatch control of a PC from users running Firefox and Opera browsers, Symantec reported Wednesday.

According to Symantec, which issued a lengthy alert to customers of its DeepSight threat network early in the day, any Adobe PDF (Portable Document Format) file on the Internet could be used by hackers to run rogue JavaScript on the victimized PC.

"A weakness was discovered in the way that the Adobe Reader browser plug-in can be made to execute JavaScript code on the client side," said Symantec researcher Hon Lau on the company's security blog. The vulnerability stems from Adobe Reader's "Open Parameters" feature that lets developers pass parameters when opening a PDF file.

"Any Web site that hosts a PDF file can be used to conduct this attack," Lau continued. "All the attacker has to do is find out who is hosting a PDF file on their Web server and then piggyback on it to mount an attack. What this means in a nutshell is that anybody hosting a PDF, including well-trusted brands and names on the Web, could have their trust abused and become unwilling partners in crime."

Symantec's DeepSight team expressed worries that the flaw, even if quickly patched by Adobe, would lead to a flood of similar attacks. "The amount of Internet-accessible PDF files is significant [and] the amount of Web browsers with Acrobat plug-in capabilities is also prevalent in the majority of systems," the warning read. "This issue has the potential to redefine the conventional cross-site scripting paradigm we are used to.

"Even if the specific design flaw is quickly patched by Adobe we now know that 'universal' client based XSS vulnerabilities pose a real threat, and that the defensive modifications we must make in order to remediate them will a be significant undertaking."

Cross-site scripting vulnerabilities -- "XSS" for short -- are flaws that trick a user's browser into executing untrusted code, usually with the aim of hijacking the system or stealing passwords. Previously, XSS exploits have been limited to Web servers; in other words, the user has to be duped into visiting a malicious Web site.

In effect, said Symantec, the Adobe flaw proves that so-called "Universal XSS" vulnerabilities are possible. The term 'Universal' notes that a bug allows JavaScript to execute in a user's browser without the usual server-side XSS exploit code. "Since most XSS vectors to this point have been reliant on server side vulnerabilities, thus capping their ability to impact wide swaths of Internet users, this development has the potential to significantly change the landscape of conventional cross-site scripting attacks," the DeepSight analysis said.

Symantec referenced a recent paper presented by a pair of researchers -- Stefano Di Paola of the University of Florence (Italy) and Giorgio Fedon, a security consultant at Milan, Italy-based Emaze Networks. S.p.A. -- who originally disclosed the Reader plug-in problem.

"The ease in which this weakness can be exploited is breathtaking," said Symantec's Lau. The exploit could be delivered as a link within e-mail or instant messages, posted on blogs or forums, or as the DeepSight team warned, piggybacked on PDFs from normally-trusted sites.

After an initial analysis, Symantec said that the Adobe Reader XSS flaw works when Mozilla's Firefox 1.5 and Opera 9.10 browsers are used to view a malicious link, but that Microsoft's Internet Explorer 6 and IE 7 will both generate a JavaScript error when trying to open a PDF. Firefox 2.0, the most current version of the Mozilla open-source browser, also returns an error dialog, which reads "This operation is not allowed."

To deter such attacks, Symantec recommended that enterprises filter JavaScript at the firewall, and that all users consider disabling the Acrobat Reader plug-in within their browser. Inside Firefox 1.5, the latter can be accomplished by selecting Tools|Options|Downloads and clicking the "View & Edit Actions" button. In the resulting dialog, choose "PDF" and click "Change Action." Pick "Open them with the default application option," click "OK" and "Close" and "OK."

Adobe was not available for comment, and had not posted any information on the plug-in's XSS vulnerability on its support site or to its message forum.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of the Cloud Report
As the use of public cloud becomes a given, IT leaders must navigate the transition and advocate for management tools or architectures that allow them to realize the benefits they seek. Download this report to explore the issues and how to best leverage the cloud moving forward.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll