Acrobat Reader plug-in vulnerable to attacks

Security researchers are poring over what one vendor has called a "breathtaking" weakness in the web browser plug-in for Adobe Systems Acrobat Reader program, used to open the popular PDF file format.

Share

Security researchers are poring over what one vendor has called a "breathtaking" weakness in the web browser plug-in for Adobe Systems Acrobat Reader program, used to open the popular PDF file format.

The problem was first highlighted by Stefano Di Paola and Giorgio Fedon, researchers who presented a
paper in Berlin last week on security issues related to Web 2.0 technologies such as AJAX (Asynchronous JavaScript and extensible markup language).

The Acrobat weakness involves a feature called "open parameters" in the web browser plug-in for Adobe's Reader program.

The plug-in allows arbitrary JavaScript code to run on the client side. The code could include a malicious attack on a computer, according to a post by Hon Lau on Symantec's Security Response Weblog today.

"The ease in which this weakness can be exploited is breathtaking," Lau wrote. "What this means in a nutshell is that anybody hosting a .pdf, including well-trusted brands and names on the web, could have their trust abused and become unwilling partners in crime."

Any website hosting a pdf file could be manipulated to run an exploit, Lau wrote. Because an exploit is relatively easy to craft, Lau predicted that attacks will be carried out until it is fixed.

In their research paper, Di Paola and Fedon wrote that the type of attack used to exploit the problem is called universal cross-site scripting, which uses a flaw in the browser rather than a vulnerability within a website. A cross-site scripting attack involves the unintended execution of code as part of a query string contained within a URL (uniform resource locator).

Another Symantec blogger, Zulfikar Ramzan, wrote that attackers could exploit a cross-scripting vulnerability by creating a special URL that points to the web page. In such a URL, attackers could include code to produce their own content -- such as a form soliciting passwords or credit card information -- that could be displayed on the targeted web page.

When victims clicked on the URL -- which, for example, could be included in a link enclosed in email -- they would be directed to the web page. If they filled in a form on the page, this could be passed to the attacker without the victim knowing the site had been tampered with, Ramzan wrote.

"The result is that the user is lulled into a false sense of security since he trusts the site and therefore trusts any transaction he has with it, even though in reality he is transacting with an attacker," Ramzan wrote.

An Adobe spokesman contacted in London on Wednesday afternoon could not immediately comment.

In highlighting the problem with the Reader plug-in, the researchers Di Paola and Fedon warned that Web 2.0 applications -- such as Google's Gmail and Google Maps, both of which employ AJAX -- would need to be more tightly tied to the security of web browsers.

Otherwise, the plethora of features in those applications "can be turned into weapons if controlled by a malicious hacker", they wrote.

Find your next job with computerworld UK jobs