A security weakness in the ubiquitous Acrobat Reader software could be a boon for cybercrooks, security experts warned Wednesday.
An error in the Web browser plug-in of Adobe Systems' tool lets cybercrooks co-opt the address of any Web site that hosts an Adobe PDF file for use in attacks, Symantec and VeriSign iDefense said. An attacker could construct seemingly trusted links and add malicious JavaScript code that will run once the link is clicked, they said.
For example, an attacker could find a PDF file on a bank Web site and then create a hostile link to that file along with malicious JavaScript, Ken Dunham, director of the Rapid Response Team at VeriSign iDefense, said in a statement.
"This vulnerability makes it possible for cross-site-scripting (XSS) attacks to occur, to steal cookies, session information, or possibly create a XSS worm," he said. XSS attacks put online accounts at risk of hijack and feed information-thieving phishing scams by allowing miscreants to use seemingly trusted links to point to fraudulent Web sites.
The Adobe vulnerability could spark a rise XSS attacks, Symantec said. Such attacks in the past relied on flaws in Web sites, but with the Adobe Reader bug there is now a widely used client-side application that allows cross-site-scripting attacks, it said in an alert sent to users of its DeepSight security intelligence service.
"This development has the potential to significantly change the landscape of conventional cross-site-scripting attacks," Symantec warned. The security problem was disclosed at the Chaos Computer Club conference in Germany over the holidays in a paper by Stafano Di Paola and Giorgio Fedon (click for PDF).
To mitigate the new threat, users can upgrade to Adobe Reader 8, the latest version of the Adobe software released last month, the San Jose, Calif.-based company said in an e-mailed statement. "Adobe is also working on updates to previous versions that will resolve this issue," the company said.
Additionally, users can force PDF files to open in the Acrobat client, not the browser plug-in, Symantec said. VeriSign iDefense suggests removing file type actions within Firefox for PDF, XPDF, FDF and any extension associated with the Adobe Acrobat plug-in.
...they can trim a few pounds off this bloated piece of garbage they call software.
Used to really like Acrobat, but the last of versions have been terrible. When it doesn't crash, just opening a 89k pdf from the web results in IE ballooning to almost 100 Megs. Even worse, it then stays open in the background until you reboot the computer or kill the process.
Chinese authorities have reportedly taken iPads from a third-party retailer, a move apparently brought on by Apple's continued refusal to honor a trademark for the iPad name owned by a Chinese manufacturer.
NY professor believes that a word-based algorithm can help bring together those who believe, with one glimpse, that they have found and lost the love of their lives.
Along with green-lighting Google's buy of Motorola, the Justice Department today OKs an Apple-Microsoft-RIM partnership deal to buy Nortel patents, and Apple's plan to acquire Novell patents.
Chamtech's spray-on antenna uses a nano material to provide a low-power boost to antenna range. The wireless-in-a-can product may some day bring an end to unsightly cell towers.
This week, we pass around Sony's new PlayStation Vita for some hands-on testing, check out HP's newest Beats Audio laptop, and debate the best and worst Valentine's Day gadget gifts.
EnerG2 opens a plant to make an engineered carbon that will improve performance of energy storage devices and make storage for start-stop hybrid cars less expensive.
Used to really like Acrobat, but the last of versions have been terrible. When it doesn't crash, just opening a 89k pdf from the web results in IE ballooning to almost 100 Megs. Even worse, it then stays open in the background until you reboot the computer or kill the process.
Time for Adobe to do something about it.