Acrobat Reader flaw opens many websites to XSS attacks


January 04 2007

Security experts warned users Wednesday of a vulnerability in the Adobe Acrobat Reader browser plug-in that makes websites hosting PDFs susceptible to cross-site scripting (XSS) attacks and worms, and puts users at risk of having their cookies and session information stolen.


Initially disclosed by two security researchers, Stefano Di Paola and Giorgio Fedon, at the 23rd Chaos Communication Congress in Berlin last week, the vulnerability occurs in the Open Parameters feature in Acrobat Reader.

The function gives web developers the ability to pass parameters when a user opens a PDF file, but it also opens up the ability to execute JavaScript code on the client side, warned Symantec's Hon Lau on the company's blog.

"All the attacker has to do is find out who is hosting a PDF file on their Web server and then piggyback on it to mount an attack," Lau wrote. "What this means in a nutshell is that anybody hosting a PDF, including well-trusted brands and names on the Web, could have their trust abused and become unwilling partners in crime."

Researchers with Secunia rated the threat only as "less critical" and recommended upgrading to Acrobat Reader 8.0 to fix the problem, but other experts consider the threat more pressing. Researchers at Symantec and VeriSign's iDefense warned customers that the vulnerability poses considerable risk because PDFs and PDF browser plug-ins are so widely used across websites.

"PDF files are trusted and very popular, making any significant PDF vulnerability a cause for concern," wrote Ken Dunham, director of the rapid response team at iDefense, in an advisory sent on Wednesday.

The vulnerability affects all versions of Firefox and Internet Explorer (IE) 6.0 SP1 and earlier. Dunham suggested that users disable the Adobe plug-in and JavaScript within Firefox and fully patch IE to mitigate the threat.
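The article's mitigations are all client-side (upgrade Reader, disable the plug-in and JavaScript). Site operators who host PDFs have a complementary server-side option the article does not discuss: serve PDFs as downloads rather than inline, so the browser plug-in never renders them with URL-supplied parameters. The code below is an added example, not from the article, Adobe, or any of the vendors quoted; it assumes that a `Content-Disposition: attachment` header on PDF responses is the server-side control a site wants, and it uses a constructed set of sample responses and a small WSGI wrapper to show both an audit (which PDFs are still rendered inline) and the fix.

```python
"""Audit how a site serves PDFs and force them to be downloaded.

Added example (not from the SC Magazine article). Assumption: serving a
PDF with 'Content-Disposition: attachment' keeps the browser plug-in from
rendering it inline, which is the server-side counterpart to disabling
the plug-in on the client.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: (request path, response headers) as a site might serve them.
SAMPLE_RESPONSES = [
    ("/reports/annual.pdf", {"Content-Type": "application/pdf"}),
    ("/docs/guide.pdf", {"Content-Type": "application/pdf",
                         "Content-Disposition": 'attachment; filename="guide.pdf"'}),
    ("/index.html", {"Content-Type": "text/html; charset=utf-8"}),
]


def _lower(headers):
    """Case-insensitive view of a header mapping or list of (name, value)."""
    items = headers.items() if hasattr(headers, "items") else headers
    return {k.lower(): v for k, v in items}


def is_pdf_response(path, headers):
    """True when the response is a PDF by media type or by URL extension."""
    hdrs = _lower(headers)
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    return ctype == "application/pdf" or urlsplit(path).path.lower().endswith(".pdf")


def served_inline(headers):
    """True when nothing tells the browser to download rather than render."""
    disp = _lower(headers).get("content-disposition", "").strip().lower()
    return not disp.startswith("attachment")


def audit(responses):
    """Return the paths of PDFs that a browser plug-in would render inline."""
    return [path for path, hdrs in responses
            if is_pdf_response(path, hdrs) and served_inline(hdrs)]


def safe_filename(path):
    """Derive a download name from the path, stripping anything unsafe in a header."""
    name = path.rsplit("/", 1)[-1] or "document.pdf"
    return re.sub(r"[^A-Za-z0-9._-]", "_", name)


class ForcePdfDownload:
    """WSGI middleware: rewrite PDF responses so they are downloaded, not rendered."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")

        def patched_start(status, response_headers, exc_info=None):
            if is_pdf_response(path, response_headers):
                response_headers = [(k, v) for k, v in response_headers
                                    if k.lower() != "content-disposition"]
                response_headers.append(
                    ("Content-Disposition", 'attachment; filename="%s"' % safe_filename(path)))
                # Keep browsers from sniffing the body into a renderable type.
                response_headers.append(("X-Content-Type-Options", "nosniff"))
            return start_response(status, response_headers, exc_info)

        return self.app(environ, patched_start)


def run_wsgi(app, path):
    """Call a WSGI app once and return (status, headers) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    list(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"]


def demo_app(environ, start_response):
    """Constructed origin app that serves every .pdf path inline (the weak default)."""
    path = environ.get("PATH_INFO", "")
    ctype = "application/pdf" if path.endswith(".pdf") else "text/html"
    start_response("200 OK", [("Content-Type", ctype)])
    return [b"%PDF-1.4 ..." if path.endswith(".pdf") else b"<html></html>"]


if __name__ == "__main__":
    print("PDFs rendered inline:", audit(SAMPLE_RESPONSES))
    status, headers = run_wsgi(ForcePdfDownload(demo_app), "/reports/annual.pdf")
    print(status, headers)
```

`audit` is the check to run against a site's existing responses; `ForcePdfDownload` shows the fix applied uniformly in front of an application that still serves PDFs inline. The same headers can of course be set in the web server configuration instead of in application code.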


 

Reproduced from an article published by SC Magazine
© SC Magazine

The original article can be viewed here:
http://www.scmagazine.com/uk/news/article/624201/acrobat-reader-flaw-opens-...
