Adobe's Reader browser plug-in has a significant flaw that can be exploited by attackers to snatch control of a PC from users running Firefox and Opera browsers, Symantec reported Wednesday.
"Any Web site that hosts a PDF file can be used to conduct this attack," Lau continued. "All the attacker has to do is find out who is hosting a PDF file on their Web server and then piggyback on it to mount an attack. What this means in a nutshell is that anybody hosting a PDF, including well-trusted brands and names on the Web, could have their trust abused and become unwilling partners in crime."
Symantec's DeepSight team expressed worries that the flaw, even if quickly patched by Adobe, would lead to a flood of similar attacks. "The amount of Internet-accessible PDF files is significant [and] the amount of Web browsers with Acrobat plug-in capabilities is also prevalent in the majority of systems," the warning read. "This issue has the potential to redefine the conventional cross-site scripting paradigm we are used to.
"Even if the specific design flaw is quickly patched by Adobe we now know that 'universal' client based XSS vulnerabilities pose a real threat, and that the defensive modifications we must make in order to remediate them will a be significant undertaking."
Cross-site scripting vulnerabilities -- "XSS" for short -- are flaws that trick a user's browser into executing untrusted code, usually with the aim of hijacking the system or stealing passwords. Previously, XSS exploits have been limited to Web servers; in other words, the user has to be duped into visiting a malicious Web site.
Symantec referenced a recent paper presented by a pair of researchers -- Stefano Di Paola of the University of Florence (Italy) and Giorgio Fedon, a security consultant at Milan, Italy-based Emaze Networks. S.p.A. -- who originally disclosed the Reader plug-in problem.
"The ease in which this weakness can be exploited is breathtaking," said Symantec's Lau. The exploit could be delivered as a link within e-mail or instant messages, posted on blogs or forums, or as the DeepSight team warned, piggybacked on PDFs from normally-trusted sites.
Adobe was not available for comment, and had not posted any information on the plug-in's XSS vulnerability on its support site or to its message forum.
Building A Mobile Business MindsetAmong 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.