Adobe Reader hit by cross-site scripting flaw

By

Vulnerability could allow malicious code to be tied to files from trusted
sites.

Adobe Reader hit by cross-site scripting flaw
Vulnerability could allow malicious code to be tied to files from trusted
sites.

Security experts are warning of a vulnerability in Adobe Reader described as "trivially exploitable". 

The vulnerability leaves users exposed to a cross-site scripting (XSS) vulnerability, according to the SANS Internet Storm Centre. 

An XSS exploit involves an attacker tagging malicious code onto trusted content.

A spokesman for Adobe told vnunet.com that the vulnerability does not affect Adobe Reader 8, and recommended that users update Reader to the new version. Adobe is working on a patch for previous versions.

An attacker could exploit the PDF vulnerability through a specially crafted website or email message that links to a PDF on a trusted site.

In addition to the link to the PDF document, the attacker could add JavaScript code that will execute once a visitor clicks on the link and the document is opened in the PDF reader.

"The attacker does not need to have write access to the specified PDF document," explained the Gnucitizen blog, which also provided a proof-of-concept code for the exploit. 

"In order to get an XSS vector working you need to have a PDF file hosted on the target and that's about it. The rest is just a matter of your abilities and desires."

The vulnerability stems from a feature in Adobe Reader called 'open parameters' that allows the program to receive and execute code when a PDF file is downloaded and launched.

The feature was designed to allow for document-specific information, such as size parameters, to be built in to downloaded PDF files.

"Like most things in life this was a feature designed for benign use, but somebody has discovered that it can also be used for malicious purposes," Hon Lau, a senior security response engineer at Symantec, said in a blog posting. 

The flaw was first described by security researchers Stefano Di Paola and Giorgio Fedon, who presented the attack during a lecture on Web 2.0 application security at last month's Chaos Communication Congress in Berlin. 

The original discovery of the vulnerability has been credited to researcher Sven Vetsch. 

SANS recommends that users mitigate the vulnerability by disabling JavaScript.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright ©v3.co.uk
Tags:
adobebycrosssiteflawhitreaderscriptingsecurity

Sponsored Whitepapers

See everything. Do more.
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Diamond IT Delivers GRC Transformation with Microsoft Purview
Diamond IT Delivers GRC Transformation with Microsoft Purview
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy

Events

Most Read Articles

India's alarm over Chinese spying rocks CCTV makers

India's alarm over Chinese spying rocks CCTV makers
Woolworths' CSO is Optus-bound

Woolworths' CSO is Optus-bound
Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies
Cyber companies hope to untangle weird hacker codenames

Cyber companies hope to untangle weird hacker codenames
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?