Adobe Flaw Means Trusted PDFs May Be Treacherous

According to Symantec, any Adobe PDF file on the Internet could be used by hackers to run rogue JavaScript on a victimized PC.

Gregg Keizer, Contributor

January 3, 2007

4 Min Read

Adobe's Reader browser plug-in has a significant flaw that can be exploited by attackers to snatch control of a PC from users running Firefox and Opera browsers, Symantec reported Wednesday.

According to Symantec, which issued a lengthy alert to customers of its DeepSight threat network early in the day, any Adobe PDF (Portable Document Format) file on the Internet could be used by hackers to run rogue JavaScript on the victimized PC.

"A weakness was discovered in the way that the Adobe Reader browser plug-in can be made to execute JavaScript code on the client side," said Symantec researcher Hon Lau on the company's security blog. The vulnerability stems from Adobe Reader's "Open Parameters" feature that lets developers pass parameters when opening a PDF file.

"Any Web site that hosts a PDF file can be used to conduct this attack," Lau continued. "All the attacker has to do is find out who is hosting a PDF file on their Web server and then piggyback on it to mount an attack. What this means in a nutshell is that anybody hosting a PDF, including well-trusted brands and names on the Web, could have their trust abused and become unwilling partners in crime."

Symantec's DeepSight team expressed worries that the flaw, even if quickly patched by Adobe, would lead to a flood of similar attacks. "The amount of Internet-accessible PDF files is significant [and] the amount of Web browsers with Acrobat plug-in capabilities is also prevalent in the majority of systems," the warning read. "This issue has the potential to redefine the conventional cross-site scripting paradigm we are used to.

"Even if the specific design flaw is quickly patched by Adobe we now know that 'universal' client based XSS vulnerabilities pose a real threat, and that the defensive modifications we must make in order to remediate them will a be significant undertaking."

Cross-site scripting vulnerabilities -- "XSS" for short -- are flaws that trick a user's browser into executing untrusted code, usually with the aim of hijacking the system or stealing passwords. Previously, XSS exploits have been limited to Web servers; in other words, the user has to be duped into visiting a malicious Web site.

In effect, said Symantec, the Adobe flaw proves that so-called "Universal XSS" vulnerabilities are possible. The term 'Universal' notes that a bug allows JavaScript to execute in a user's browser without the usual server-side XSS exploit code. "Since most XSS vectors to this point have been reliant on server side vulnerabilities, thus capping their ability to impact wide swaths of Internet users, this development has the potential to significantly change the landscape of conventional cross-site scripting attacks," the DeepSight analysis said.

Symantec referenced a recent paper presented by a pair of researchers -- Stefano Di Paola of the University of Florence (Italy) and Giorgio Fedon, a security consultant at Milan, Italy-based Emaze Networks. S.p.A. -- who originally disclosed the Reader plug-in problem.

"The ease in which this weakness can be exploited is breathtaking," said Symantec's Lau. The exploit could be delivered as a link within e-mail or instant messages, posted on blogs or forums, or as the DeepSight team warned, piggybacked on PDFs from normally-trusted sites.

After an initial analysis, Symantec said that the Adobe Reader XSS flaw works when Mozilla's Firefox 1.5 and Opera 9.10 browsers are used to view a malicious link, but that Microsoft's Internet Explorer 6 and IE 7 will both generate a JavaScript error when trying to open a PDF. Firefox 2.0, the most current version of the Mozilla open-source browser, also returns an error dialog, which reads "This operation is not allowed."

To deter such attacks, Symantec recommended that enterprises filter JavaScript at the firewall, and that all users consider disabling the Acrobat Reader plug-in within their browser. Inside Firefox 1.5, the latter can be accomplished by selecting Tools|Options|Downloads and clicking the "View & Edit Actions" button. In the resulting dialog, choose "PDF" and click "Change Action." Pick "Open them with the default application option," click "OK" and "Close" and "OK."

Adobe was not available for comment, and had not posted any information on the plug-in's XSS vulnerability on its support site or to its message forum.

About the Author(s)

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights