In a turn-about from the day before, security researchers on Thursday reported that some versions of Microsoft's market-leading Internet Explorer browser are vulnerable to a critical bug in Adobe's popular Reader software.
Early Wednesday, Symantec researchers insisted that only Firefox 1.5 and Opera 9.10 were vulnerable to a possible exploit; by Thursday, however, additional research had confirmed that some versions of Internet Explorer are at risk. According to an updated DeepSight threat network alert, IE 6.0 on XP SP2 equipped with Adobe Reader 6, as well as IE 6 on XP SP1 running Reader 7, are vulnerable. Also at risk: Firefox 1.5, Firefox 2.0, and Opera 9.10 when running either Reader 6 or 7.
"Version 6 of Internet Explorer is impacted," says David Cole, director of Symantec's security response group. "The best way for enterprises and users to protect themselves is to update Adobe Reader."
Late Wednesday, Adobe said that Reader 8.0, which was launched a month ago, was invulnerable to the cross-site scripting (XSS) bug, and recommended that all users update to that version immediately. "We encourage all users to update to this latest version of Adobe Reader," an Adobe spokesman wrote in an e-mailed statement. "[We are] also working on updates to previous versions that will resolve this issue." Fixes will be posted to Adobe's security site when they are completed, he added.
"We haven't seen any exploit activity so far," says Symantec's Cole. "We really don't know how much it's been exploited, if at all."
But the attack potential is very serious, Cole says. "First it's the number of sites out there that have PDF files, so the ability to get someone to open a PDF that looks legitimate is big. That's the first leg of the stool. Then the ability to relink [a PDF] with new malicious instructions is huge. The feature is intended to be very flexible, very utilitarian. It's pretty darn flexible.
"In the third place, there are a lot of people with vulnerable versions of the Adobe software," Cole says.
An exploit could be as simple as a link to a PDF file embedded in an instant message, Cole theorizes. "The IM could say 'check out this file,' and you don't notice the gobbledygook after the PDF's [filename], so you click on it. You go to a site that looks legit, and because that's the URL you saw, you trust it. But then you get a message box that asks you to fill in your password information here or maybe it's a new promotion that asks you to fill in the blanks."
Although some security organizations downplayed the threat -- Danish bug tracker Secunia, for example, labeled the XSS flaw as "Moderately critical," the third step in its five-level scoring system -- Cole saw it as more dangerous because it might be a preview of what's to come.
"Plug-ins like Adobe and Flash are so full-featured and so popular on the Web, that they attract attackers," says Cole. "And by now most of the low-hanging fruit is gone. This is really complex software that hasn't faced the full attention of attackers."
Other researchers agree that users need to keep an eye on the situation. "It's trivial to reproduce and customize public exploit code for this," says Ken Dunham, director of VeriSign iDefense's rapid response team. "One of the main sites hosting code for this vulnerability has been hammered with traffic, showing great interest in this new exploit."
Adobe Reader 8 can be downloaded from the Adobe Web site. Failing that, security experts have recommended that affected users remove file type associations within their browsers. In Firefox 2.0, for example, users should select Tools|Options|Content and click "Manage" under the "File types" section, then pick "PDF" and click "Change Action." Finally, they should choose the "Open them with the default application" option and close the remaining dialog boxes.