Adobe Flaw May Be 'Worst' Bug Of 2007 - InformationWeek
Adobe Flaw May Be 'Worst' Bug Of 2007

Security researchers are beginning to think the problem is much worse than first thought, although Adobe promises a fix by next week.

Adobe has promised to patch buggy versions of its popular Reader software next week to close a cross-site scripting vulnerability that some researchers say has the potential to be the worst of all 2007.

The vulnerability in Adobe Reader and an associated browser plug-in was first publicized Wednesday by security firms, which said the bug could let hackers misuse trusted Adobe PDF (Portable Document Format) files as carriers of malicious JavaScript code.

Adobe, which had earlier promised to patch the vulnerable versions of Reader, posted a security advisory late Thursday with details of the bug. "A cross-site scripting (XSS) vulnerability in versions 7.0.8 and earlier of Adobe Reader and Acrobat 7.0.8 could allow remote attackers to inject arbitrary JavaScript into a browser session," the advisory read. It did not divulge a specific day next week for its patch release, and recommended that users update to version 8 of Reader or Acrobat if possible.

"For users who cannot upgrade to Reader 8, the Secure Software Engineering team is working with the Adobe Reader Engineering team on a 7.0.9 update to versions 7.0.8 and earlier of Adobe Reader and Acrobat that will resolve this issue, which is expected to be available in the next week," the advisory said. The patches will come none too soon for some security researchers. While Adobe itself tagged the XSS bug as "important" and Danish vulnerability tracker Secunia has labeled it "moderately critical," others say that the flaw is much more dangerous than first thought.

"At first I didn't think that this was that bad, since just about every site is vulnerable [to cross-site scripting] anyway. It was interesting, that's all," says Jeremiah Grossman, the chief technology officer of WhiteHat Security. "But a hacker named 'RSnake' has shown that it's possible to set up a malicious URL that points to a default PDF file location on the local system. When that happens, the attacker is granted access to all local files, at least with read access."

Although it's not yet clear if an attacker would have write access -- necessary to introduce other code remotely to, for example, plant on-disk spyware or hijack the computer with a bot -- just the possibility is scary. "We've not been able to verify [write access]," says Grossman. "People are still learning about this; it's only been a couple of days."

An attack would be simple to execute, Grossman says. All a criminal has to do is locate a PDF on a public Web site, craft a link to the PDF that includes appended JavaScript code, then get a user to click on that link, probably by duping users with spammed e-mail or instant messages. "Any place where a user is likely to see and click [the link]," says Grossman. Once the link's clicked, the JavaScript executes, and the attacker can move on to any traditional XSS malfeasance, such as capturing keystrokes, stealing browser histories, and masking fraudster phishing sites.
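Grossman's description gives the shape of the malicious link but not its syntax. The Python below is an added example, not code from the article, from Adobe or from WhiteHat: a gateway-side link check of the kind a mail or instant-messaging filter could apply, since the article says that is where such links would be delivered. It assumes the JavaScript rides in the query string or fragment of a URL whose path ends in .pdf and that it appears as a javascript: scheme, possibly percent-encoded, mixed-case or broken up with control characters; the hostnames and the sample message are constructed for the example.

```python
"""Flag links to PDFs that carry a javascript: payload in their query or fragment.

Added example for the article above; assumptions: the payload is carried after
the .pdf path as a javascript: URL, and the sender may percent-encode it more
than once or pad it with control characters that browsers discard.
"""
import re
from urllib.parse import unquote, urlsplit

# Matches "javascript:" once decoding and control-character stripping are done.
_JS_SCHEME = re.compile(r"javascript:", re.IGNORECASE)

# Crude URL extractor for message bodies; keeps '#' so fragments survive.
_URL = re.compile(r"""https?://[^\s<>"']+""")

# Bytes 0x00-0x20 are dropped before matching: browsers ignore them inside a scheme.
_CONTROL = re.compile(r"[\x00-\x20]")


def _decode_fully(text, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (%256A -> %6A -> j)."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def is_pdf_link(url):
    """True when the (decoded) path ends in .pdf, case-insensitively."""
    return _decode_fully(urlsplit(url).path).lower().endswith(".pdf")


def carries_script(url):
    """True when the query or fragment contains a javascript: scheme."""
    parts = urlsplit(url)
    for piece in (parts.query, parts.fragment):
        if not piece:
            continue
        cleaned = _CONTROL.sub("", _decode_fully(piece))
        if _JS_SCHEME.search(cleaned):
            return True
    return False


def verdict(url):
    """'block' for the PDF-plus-script shape, 'review' for script elsewhere, else 'allow'."""
    script = carries_script(url)
    if script and is_pdf_link(url):
        return "block"
    if script:
        return "review"
    return "allow"


def scan_message(text):
    """Return (url, verdict) for every link found in a message body."""
    return [(url, verdict(url)) for url in _URL.findall(text)]


# Constructed sample message (not a real capture).
SAMPLE_MESSAGE = """Hi, the Q4 numbers are at
http://www.example.com/reports/annual.pdf#page=2 and a quick summary at
http://www.example.com/reports/annual.pdf#x=javascript:alert(document.cookie) -- thanks"""

if __name__ == "__main__":
    for url, result in scan_message(SAMPLE_MESSAGE):
        print(f"{result:6s} {url}")
```

Two caveats for anyone deploying something like this. The part of a URL after `#` is never sent to the web server, so a filter has to sit where the whole link is visible (the mail gateway, an IM proxy, or the browser); web-server access logs for the PDF will not show the payload. And matching on `javascript:` is a narrow heuristic that reduces exposure to the attack shape described here; it does not replace the Reader update Adobe recommends.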

"The vulnerability is very pervasive as it lowers the hackability bar from the target Web site needing to have an XSS issue to simply hosting a PDF," Grossman says. "This has the potential to be the number one worst vulnerability of 2007. Had this come out two weeks ago, it would have definitely made the top 10 list for 2006."

The XSS exploits against Reader and Acrobat work only in specific combinations of browsers and Adobe software, but even that was up in the air Friday. Adobe has yet to finish its testing, and while Symantec laid out claims Thursday, a rival security vendor contested the findings.

"The data provided by Symantec doesn't match up with multiple in-depth tests performed with our labs," says Ken Dunham, director of VeriSign iDefense's rapid response team. "IE 6.x is not vulnerable with Adobe Acrobat 7.x and up," Dunham says. "We ran confirmation again last night just to make sure."

iDefense's testing found that all versions of IE 6.x running Reader/Acrobat 6.0.1 and earlier were at risk, as were the Windows versions of Firefox when running Reader/Acrobat 7.0.8 and earlier. Also vulnerable: Opera 9.x running Reader/Acrobat 7.0.8.

WhiteHat's Grossman acknowledged that testing was in flux, and that some vendors were getting conflicting results.

More important than the browser-Adobe combinations that are, or aren't, at risk, however, is the sure bet that cross-site scripting vulnerabilities will be big in 2007.

"They're going to be the attack of 2007. We may be sick of hearing about cross-site scripting, but it's just getting started," Grossman said.

When Adobe posts patches for the 7.0.8 and earlier line of Reader and Acrobat next week, they will appear on the company's support Web site. Version 8 of Reader, which is not affected by the XSS bug, can be downloaded free of charge from Adobe's Web site.
