Adobe Flaw Means Trusted PDFs May Be Treacherous - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Software // Enterprise Applications

Adobe Flaw Means Trusted PDFs May Be Treacherous

According to Symantec, any Adobe PDF file on the Internet could be used by hackers to run rogue JavaScript on a victimized PC.

Adobe's Reader browser plug-in has a significant flaw that can be exploited by attackers to snatch control of a PC from users running Firefox and Opera browsers, Symantec reported Wednesday.

According to Symantec, which issued a lengthy alert to customers of its DeepSight threat network early in the day, any Adobe PDF (Portable Document Format) file on the Internet could be used by hackers to run rogue JavaScript on the victimized PC.

"A weakness was discovered in the way that the Adobe Reader browser plug-in can be made to execute JavaScript code on the client side," said Symantec researcher Hon Lau on the company's security blog. The vulnerability stems from Adobe Reader's "Open Parameters" feature that lets developers pass parameters when opening a PDF file.

"Any Web site that hosts a PDF file can be used to conduct this attack," Lau continued. "All the attacker has to do is find out who is hosting a PDF file on their Web server and then piggyback on it to mount an attack. What this means in a nutshell is that anybody hosting a PDF, including well-trusted brands and names on the Web, could have their trust abused and become unwilling partners in crime."

Symantec's DeepSight team expressed worries that the flaw, even if quickly patched by Adobe, would lead to a flood of similar attacks. "The amount of Internet-accessible PDF files is significant [and] the amount of Web browsers with Acrobat plug-in capabilities is also prevalent in the majority of systems," the warning read. "This issue has the potential to redefine the conventional cross-site scripting paradigm we are used to.

"Even if the specific design flaw is quickly patched by Adobe we now know that 'universal' client based XSS vulnerabilities pose a real threat, and that the defensive modifications we must make in order to remediate them will a be significant undertaking."

Cross-site scripting vulnerabilities -- "XSS" for short -- are flaws that trick a user's browser into executing untrusted code, usually with the aim of hijacking the system or stealing passwords. Previously, XSS exploits have been limited to Web servers; in other words, the user has to be duped into visiting a malicious Web site.

In effect, said Symantec, the Adobe flaw proves that so-called "Universal XSS" vulnerabilities are possible. The term 'Universal' notes that a bug allows JavaScript to execute in a user's browser without the usual server-side XSS exploit code. "Since most XSS vectors to this point have been reliant on server side vulnerabilities, thus capping their ability to impact wide swaths of Internet users, this development has the potential to significantly change the landscape of conventional cross-site scripting attacks," the DeepSight analysis said.

Symantec referenced a recent paper presented by a pair of researchers -- Stefano Di Paola of the University of Florence (Italy) and Giorgio Fedon, a security consultant at Milan, Italy-based Emaze Networks. S.p.A. -- who originally disclosed the Reader plug-in problem.

"The ease in which this weakness can be exploited is breathtaking," said Symantec's Lau. The exploit could be delivered as a link within e-mail or instant messages, posted on blogs or forums, or as the DeepSight team warned, piggybacked on PDFs from normally-trusted sites.

After an initial analysis, Symantec said that the Adobe Reader XSS flaw works when Mozilla's Firefox 1.5 and Opera 9.10 browsers are used to view a malicious link, but that Microsoft's Internet Explorer 6 and IE 7 will both generate a JavaScript error when trying to open a PDF. Firefox 2.0, the most current version of the Mozilla open-source browser, also returns an error dialog, which reads "This operation is not allowed."

To deter such attacks, Symantec recommended that enterprises filter JavaScript at the firewall, and that all users consider disabling the Acrobat Reader plug-in within their browser. Inside Firefox 1.5, the latter can be accomplished by selecting Tools|Options|Downloads and clicking the "View & Edit Actions" button. In the resulting dialog, choose "PDF" and click "Change Action." Pick "Open them with the default application option," click "OK" and "Close" and "OK."

Adobe was not available for comment, and had not posted any information on the plug-in's XSS vulnerability on its support site or to its message forum.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
News
How to Create a Successful AI Program
Jessica Davis, Senior Editor, Enterprise Apps,  10/14/2020
News
Think Like a Chief Innovation Officer and Get Work Done
Joao-Pierre S. Ruth, Senior Writer,  10/13/2020
Slideshows
10 Trends Accelerating Edge Computing
Cynthia Harvey, Freelance Journalist, InformationWeek,  10/8/2020
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
[Special Report] Edge Computing: An IT Platform for the New Enterprise
Edge computing is poised to make a major splash within the next generation of corporate IT architectures. Here's what you need to know!
Slideshows
Flash Poll