January 4, 2007 7:25 PM PST
PDF security risk greater than originally thought
Initially, security professionals thought that the problem was restricted and exposed only Web-related data or could support phishing scams. Now it has been discovered that miscreants could exploit the problem to access all information on a victim's hard disk drive, said Web security specialists at WhiteHat Security and SPI Dynamics.
For an attack to work, a malicious link has to point to an existing PDF file on the Web or on the target system. PDFs are abundant on the Net and finding one on a local system also isn't hard, a sample PDF file comes with Acrobat Reader and is installed in a predictable location on PCs, Grossman said.
The security problem was first disclosed at the Chaos Computer Club conference in Germany over the holidays in a paper by Stafano Di Paola and Giorgio Fedon. The extended scope of the issue was publicized late Wednesday by a hacker using the moniker "RSnake."
Adobe is aware of the claims that an attack could have broader implications, but had not verified the issue, a company representative said in a statement e-mailed Thursday.
"Based upon info we have, Flash Player, Reader and modern browsers should restrict such an exploit, but we haven't completed our evaluation of all possible scenarios," the representative said.
To mitigate the threat, Adobe says people can upgrade to Adobe Reader 8, the latest version of the Adobe software released last month. Adobe is also working on updates to previous versions that will resolve this issue, the company has said.