Internet Explorer Vulnerable To Adobe XSS Bug - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Software // Enterprise Applications

Internet Explorer Vulnerable To Adobe XSS Bug

Adobe says that Reader 8.0, which was launched a month ago, was invulnerable to the cross-site scripting bug, and recommended that all users update to that version immediately.

In a turn-about from the day before, security researchers on Thursday reported that some versions of Microsoft's market-leading Internet Explorer browser are vulnerable to a critical bug in Adobe's popular Reader software.

The vulnerability in Adobe Reader's browser plug-in, which was publicized Wednesday by several security companies, can let hackers force trusted Adobe PDF (Portable Document Format) files to run malicious JavaScript code on victimized PCs.

Early Wednesday, Symantec researchers insisted that only Firefox 1.5 and Opera 9.10 were vulnerable to a possible exploit; by Thursday, however, additional research had confirmed that some versions of Internet Explorer are at risk. According to an updated DeepSight threat network alert, IE 6.0 on XP SP2 equipped with Adobe Reader 6, as well as IE 6 on XP SP1 running Reader 7, are vulnerable. Also at risk: Firefox 1.5, Firefox 2.0, and Opera 9.10 when running either Reader 6 or 7.

"Version 6 of Internet Explorer is impacted," says David Cole, director of Symantec's security response group. "The best way for enterprises and users to protect themselves is to update Adobe Reader."

Late Wednesday, Adobe said that Reader 8.0, which was launched a month ago, was invulnerable to the cross-site scripting (XSS) bug, and recommended that all users update to that version immediately. "We encourage all users to update to this latest version of Adobe Reader," an Adobe spokesman wrote in an e-mailed statement. "[We are] also working on updates to previous versions that will resolve this issue." Fixes will be posted to Adobe's security site when they are completed, he added.

"We haven't seen any exploit activity so far," says Symantec's Cole. "We really don't know how much it's been exploited, if at all."

But the attack potential is very serious, Cole says. "First it's the number of sites out there that have PDF files, so the ability to get someone to open a PDF that looks legitimate is big. That's the first leg of the stool. Then the ability to relink [a PDF] with new malicious instructions is huge. The feature is intended to be very flexible, very utilitarian. It's pretty darn flexible.

"In the third place, there are a lot of people with vulnerable versions of the Adobe software," Coles says.

An exploit could be as simple as a link to a PDF file embedded in an instant message, Cole theorizes. "The IM could say 'check out this file,' and you don't notice the gobbledygook after the PDF's [filename], so you click on it. You go to a site that looks legit, and because that's the URL you saw, you trust it. But then you get a message box that asks you to fill in your password information here or maybe it's a new promotion that asks you to fill in the blanks."

Although some security organizations downplayed the threat -- Danish bug tracker Secunia, for example, labeled the XSS flaw as "Moderately critical," the third step in its five-level scoring system -- Cole saw it as more dangerous because it might be a preview of what's to come.

"Plug-ins like Adobe and Flash are so full-featured and so popular on the Web, that they attract attackers," says Cole. "And by now most of the low-hanging fruit is gone. This is really complex software that hasn't faced the full attention of attackers."

Other researchers agree that users need to keep an eye on the situation. "It's trivial to reproduce and customize public exploit code for this," says Ken Dunham, director of VeriSign iDefense's rapid response team. "One of the main sites hosting code for this vulnerability has been hammered with traffic, showing great interest in this new exploit."

Adobe Reader 8 can be downloaded from the Adobe Web site. Failing that, security experts have recommended that affected users remove file type associations within their browsers. In Firefox 2.0, for example, users should select Tools|Options|Content and click "Manage" under the "File types" section, then pick "PDF" and click "Change Action." Finally they should choose "Open them with the default application option" and close the remaining dialog boxes.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Slideshows
9 Steps Toward Ethical AI
Cynthia Harvey, Freelance Journalist, InformationWeek,  5/15/2019
Commentary
How to Assess Digital Transformation Efforts
Lisa Morgan, Freelance Writer,  5/14/2019
Commentary
Is AutoML the Answer to the Data Science Skills Shortage?
Guest Commentary, Guest Commentary,  5/10/2019
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
A New World of IT Management in 2019
This IT Trend Report highlights how several years of developments in technology and business strategies have led to a subsequent wave of changes in the role of an IT organization, how CIOs and other IT leaders approach management, in addition to the jobs of many IT professionals up and down the org chart.
Slideshows
Flash Poll