Security Flaw Discovered in Acrobat

Adobe has become the latest software giant to see its applications exposed to hack attacks, but experts suggest the problem might not be grave, even though its potential reach is vast.

Researchers Stefano di Paola and Giorgio Fedon have discovered a flaw in Adobe’s Acrobat system that would let any Web site hosting a Portable Document Format (PDF) file unwittingly aid hackers in assaulting end users’ computers.

The flaw does not occur in Acrobat or the Acrobat Reader directly, but in the Web browser plug-in that lets PDF documents be read directly over the Internet in programs such as Microsoft’s Internet Explorer or Mozilla’s Firefox.

“A weakness was discovered in the way that the Adobe Reader browser plug-in can be made to execute JavaScript code on the client side,” wrote Symantec researcher Hon Lau on his company’s Web log. “This stems from the ‘Open Parameters’ feature in Adobe Reader, which allows for parameters to be sent to the program when opening a PDF file. Like most things in life, this was a feature designed for benign usage, but unfortunately somebody has discovered that it can also be used for malicious purposes.”


Suspicious Links

The flaw exploits a technique called “universal cross-site scripting.” In Adobe’s case, a hacker could send a victim a link to a PDF document, even one located on a trusted or well-known Web site, and embed extra commands in the link’s syntax. The Acrobat plug-in would then execute those commands, giving the hacker access to the user’s computer.
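As an added example (not from the article, Symantec or Adobe), a mail or proxy filter could inspect the open parameters on PDF links before they reach users. It assumes the parameters follow the `#` in the URL, as in Adobe's documented syntax; the parameter allowlist is a subset chosen for illustration, and the function names and sample links are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: a subset of Adobe's documented PDF open parameters.
KNOWN_PARAMS = {"page", "nameddest", "zoom", "view", "viewrect", "pagemode",
                "scrollbar", "toolbar", "statusbar", "navpanes", "search",
                "highlight", "comment"}
SCRIPT_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.I)
MARKUP = re.compile(r"[<>]")

def _decode(text, rounds=3):
    """Percent-decode repeatedly so double-encoded values are still seen."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def inspect_pdf_link(url):
    """Return the reasons a PDF link's open parameters look unsafe."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(".pdf") or not parts.fragment:
        return []  # not a PDF link, or nothing is passed to the plug-in
    findings = []
    for pair in re.split(r"[&#]", parts.fragment):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        name, value = _decode(name).strip().lower(), _decode(value)
        if name not in KNOWN_PARAMS:
            findings.append(f"unknown parameter: {name}")
        if SCRIPT_SCHEME.search(value):
            findings.append(f"script scheme in value of: {name}")
        elif MARKUP.search(value):
            findings.append(f"markup characters in value of: {name}")
    return findings

# Constructed sample links (not taken from the article).
SAMPLES = [
    "https://docs.example.com/report.pdf#page=3&zoom=150",
    "https://docs.example.com/report.pdf#x=javascript:void(0)",
    "https://docs.example.com/REPORT.PDF#page=%6Aavascript%3Avoid(0)",
    "https://docs.example.com/index.html#x=javascript:void(0)",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", inspect_pdf_link(link) or "ok")
```

Only the second and third samples are flagged; the third shows why values are percent-decoded before matching.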

Because Acrobat is a nearly universal application in both corporate and consumer worlds, Lau called the hack “breathtaking,” but offered a quick fix for Firefox users on his Symantec blog. Reports conflict as to whether the flaw affects Microsoft’s Internet Explorer and other Web browsers as well.

Lau also counseled readers to avoid e-mails or links…
