Adobe Flaw May Be 'Worst' Bug Of 2007 - InformationWeek


Security researchers are beginning to think the problem is much worse than first thought, although Adobe promises a fix by next week.

Adobe has promised to patch buggy versions of its popular Reader software next week to close a cross-site scripting vulnerability that some researchers say has the potential to be the worst of all 2007.

The vulnerability in Adobe Reader and an associated browser plug-in was first publicized Wednesday by security firms, which said the bug could let hackers misuse trusted Adobe PDF (Portable Document Format) files as carriers of malicious JavaScript code.

Adobe, which had earlier promised to patch the vulnerable versions of Reader, posted a security advisory late Thursday with details of the bug. "A cross-site scripting (XSS) vulnerability in versions 7.0.8 and earlier of Adobe Reader and Acrobat 7.0.8 could allow remote attackers to inject arbitrary JavaScript into a browser session," the advisory read. It did not divulge a specific day next week for its patch release, and recommended that users update to version 8 of Reader or Acrobat if possible.

"For users who cannot upgrade to Reader 8, the Secure Software Engineering team is working with the Adobe Reader Engineering team on a 7.0.9 update to versions 7.0.8 and earlier of Adobe Reader and Acrobat that will resolve this issue, which is expected to be available in the next week," the advisory said. The patches will come none too soon for some security researchers. While Adobe itself tagged the XSS bug as "important" and Danish vulnerability tracker Secunia has labeled it as "moderately critical," others say that the flaw is much more dangerous than first thought.

"At first I didn't think that this was that bad, since just about every site is vulnerable [to cross-site scripting] anyway. It was interesting, that's all," says Jeremiah Grossman, the chief technology officer of WhiteHat Security. "But a hacker named 'RSnake' has shown that it's possible to set up a malicious URL that points to a default PDF file location on the local system. When that happens, the attacker is granted access to all local files, at least with read access."

Although it's not yet clear if an attacker would have write access -- necessary to introduce other code remotely to, for example, plant on-disk spyware or hijack the computer with a bot -- just the possibility is scary. "We've not been able to verify [write access]," says Grossman. "People are still learning about this; it's only been a couple of days."

An attack would be simple to execute, Grossman says. All a criminal has to do is locate a PDF on a public Web site, craft a link to the PDF that includes appended JavaScript code, then get a user to click on that link, probably by duping users with spammed e-mail or instant messages. "Any place where a user is likely to see and click [the link]," says Grossman. Once the link's clicked, the JavaScript executes, and the attacker can move on to any traditional XSS malfeasance, such as capturing keystrokes, stealing browser histories, and masking fraudster phishing sites.

"The vulnerability is very pervasive as it lowers the hackability bar from the target Web site needing to have an XSS issue to simply hosting a PDF," Grossman says. "This has the potential to be the number one worst vulnerability of 2007. Had this come out two weeks ago, it would have definitely made the top 10 list for 2006."
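For defenders, the link shape described above (a URL that points at a PDF and carries script appended after it) can be screened for in e-mail or instant-message text before a user clicks. The following is an added example, not code from the article, Adobe or any vendor quoted here; the marker patterns, the function names and the sample links are assumptions constructed for illustration, and "appended" is taken to mean either the query string or the fragment.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed script markers to look for in the part appended after the PDF path.
SCRIPT_MARKERS = re.compile(r"javascript:|<script", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def decode_fully(text, rounds=3):
    """Percent-decode repeatedly so double-encoded markers are still seen."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def is_suspicious_pdf_link(url):
    """True if the URL path is a .pdf and script is appended after it."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if not decode_fully(parts.path).lower().endswith(".pdf"):
        return False
    appended = decode_fully(parts.query + "#" + parts.fragment)
    appended = re.sub(r"[\x00-\x20]+", "", appended)  # drop padding whitespace
    return bool(SCRIPT_MARKERS.search(appended))

def flag_links(message_text):
    """Return every suspicious PDF link found in a message body."""
    urls = (m.group(0).rstrip(".,;") for m in URL_RE.finditer(message_text))
    return [u for u in urls if is_suspicious_pdf_link(u)]

# Constructed sample message; hosts and paths are placeholders.
SAMPLE_MESSAGE = """
Quarterly report: http://www.example.com/docs/report.pdf
Invoice: http://www.example.com/docs/invoice.pdf#page=2
Please review http://www.example.org/files/guide.pdf#x=javascript:void(0)
Encoded: http://www.example.org/files/guide.pdf#x=%256Aavascript%3Avoid(0)
Not a PDF: http://www.example.net/help.html#javascript:void(0)
"""

if __name__ == "__main__":
    for link in flag_links(SAMPLE_MESSAGE):
        print("suspicious:", link)
```

A filter like this only reduces exposure on the delivery side; the fix the article reports is still the Reader/Acrobat update.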

The XSS exploits against Reader and Acrobat work only in specific combinations of browsers and Adobe software, but even that was up in the air Friday. Adobe has yet to finish its testing, and while Symantec laid out claims Thursday, a rival security vendor contested the findings.

"The data provided by Symantec doesn't match up with multiple in-depth tests performed with our labs," says Ken Dunham, director of VeriSign iDefense's rapid response team. "IE 6.x is not vulnerable with Adobe Acrobat 7.x and up," Dunham says. "We ran confirmation against last night just to make sure."

iDefense's testing said that all versions of IE 6.x running Reader/Acrobat 6.0.1 and earlier were at risk, as were the Windows versions of Firefox and when running Reader/Acrobat 7.0.8 and earlier. Also vulnerable: Opera 9.x running Reader/Acrobat 7.0.8.

WhiteHat's Grossman acknowledged that testing was in flux, and that some vendors were getting conflicting results.

More important than the browser-Adobe combinations that are, or aren't, at risk, however, is the sure bet that cross-site scripting vulnerabilities will be big in 2007.

"They're going to be the attack of 2007. We may be sick of hearing about cross-site scripting, but it's just getting started," Grossman said.

When Adobe posts patches for the 7.0.8 and earlier line of Reader and Acrobat next week, they will appear on the company's support Web site. Version 8 of Reader, which is immune to the XSS bug, can be downloaded free-of-charge from here.
