Web Security: Devastating PDF Vulnerability Puts Web At Risk
Posted by Max on 2007/1/11 8:27:51 (1389 reads)

There are reports of a major problem concerning Adobe Acrobat files and cross-site scripting (XSS). A flaw was revealed in the way that the Adobe Reader browser plugin can be made to execute JavaScript code on the client side.

This stems from the “Open Parameters” feature in Adobe Reader, which allows for parameters to be sent to the program when opening a .pdf file. Like most things in life, this was a feature designed for benevolent usage, but sadly somebody has discovered that it can also be used for malicious purposes.


This development is significant for a number of reasons:

1. The ease with which this weakness can be exploited is breathtaking. Use of this “feature” requires no exploitation of vulnerabilities on the server side.

2. Any Web site that hosts a .pdf file can be used to carry out this attack. All the attacker has to do is find out who is hosting a .pdf file on their Web server and then piggyback on it to mount an attack. What this means, in a nutshell, is that anybody hosting a .pdf file, including well-trusted brands and names on the Web, could have their trust abused and become unwilling partners in crime.

3. Due to the power and flexibility of JavaScript, the attacker has a wide scope for inflicting damage.

Here are the technical details of this vulnerability:
http://www.wisec.it/vulns.php?page=9
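
Open parameters ride in the part of a link after `#`, which the browser never sends to the server, so the site hosting the PDF cannot filter them; a forum, CMS or mail gateway that republishes links can. The following is an added example, not code from the original article or from Adobe: it keeps only open parameters whose values pass a strict pattern on links to .pdf files and drops everything else. The parameter names and patterns are an assumed conservative subset of Adobe's open-parameters documentation, and the URLs in the usage note are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit, unquote

# Assumption: conservative subset of Adobe's documented open parameters,
# each with a strict value pattern. Anything not listed here is dropped.
SAFE_PARAMS = {
    "page": re.compile(r"\d{1,6}"),
    "zoom": re.compile(r"\d{1,4}(\.\d+)?(,\d{1,5},\d{1,5})?"),
    "nameddest": re.compile(r"[A-Za-z0-9_.-]{1,64}"),
    "pagemode": re.compile(r"bookmarks|thumbs|none"),
    "toolbar": re.compile(r"[01]"),
    "scrollbar": re.compile(r"[01]"),
    "statusbar": re.compile(r"[01]"),
    "navpanes": re.compile(r"[01]"),
}


def is_pdf_link(url):
    """True when the URL path points at a .pdf file (case-insensitive)."""
    return unquote(urlsplit(url).path).lower().endswith(".pdf")


def split_fragment(url):
    """Return (kept, rejected) fragment parameters of a link."""
    kept, rejected = [], []
    for item in filter(None, urlsplit(url).fragment.split("&")):
        name, _, value = item.partition("=")
        # Decode before validating so percent-encoding cannot hide content.
        name, value = unquote(name).lower(), unquote(value)
        pattern = SAFE_PARAMS.get(name)
        if pattern and pattern.fullmatch(value):
            kept.append(f"{name}={value}")
        else:
            rejected.append(item)  # keep the raw text for logging/review
    return kept, rejected


def sanitize_pdf_link(url):
    """Rebuild a PDF link with only validated open parameters; other URLs pass through."""
    if not is_pdf_link(url):
        return url
    kept, _ = split_fragment(url)
    return urlunsplit(urlsplit(url)._replace(fragment="&".join(kept)))
```

For the constructed link `https://files.example/report.pdf#page=3&note=anything%20else`, `sanitize_pdf_link` returns `https://files.example/report.pdf#page=3`, and `split_fragment` reports `note=anything%20else` as rejected so it can be logged.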



