Adobe: Users should upgrade Reader, Acrobat to mitigate vulnerability

Computerworld - Adobe Systems Inc. is urging users to update to the latest versions of Adobe Reader and Acrobat to avoid being affected by a recently discovered cross-site scripting flaw in its software that allows attackers to run malicious JavaScript on a user's PC.

The discovery of the flaw has caused considerable industry concern because of the ease with which it can be exploited and because any Web site hosting PDF files could be used to conduct an attack.

In an e-mailed comment, an Adobe spokesman said yesterday that the company is aware of a flaw in 7.0.8 and earlier versions of Adobe Reader and Acrobat that allows "remote attackers to inject arbitrary JavaScript into a browser session. This is not a vulnerability in PDF. Specifically, this issue could occur when a user clicks on a malicious link to a PDF on the Web."

The vulnerability, rated as "important'' by Adobe, cannot be exploited to "execute native code or erase hard drives" on a victim's PC, said Pam Deziel, director of the company's platform business unit. "There are some straightforward ways to mitigate this risk."

Upgrading to Adobe Reader 8 and Acrobat 8 "addresses the issue immediately" she said. "For Acrobat and Reader customers who wish to stay with their current version, they can use their browser preferences to disable the Reader plug-in from opening within the browser."

Adobe will soon publish additional details on the vulnerability, together with specifics on the affected browsers and mitigation measures, the spokesman said without offering details. The information will be available at www.adobe.com/support/security. The company will also release patches next week for fixing the flaws in the affected versions of Adobe Reader and Acrobat, the spokesman said.

Adobe's moves come amid considerable industry concern over the seriousness of a vulnerability in an Adobe Reader feature called Open Parameters, which allows for additional commands to be sent to the program when opening a PDF file. The feature allows users "to open a PDF file using a URL or a command that specifies both the file to be opened, plus actions to be performed once the file is opened," according to an Adobe description.

But Adobe's apparent failure to properly validate the kind of actions that can be performed once the file is opened gives attackers a way to run malicious JavaScript on a user's browser, according to security analysts.

One example is that of an attacker creating a hostile Web site with a link to PDF file on a bank's Web site, said Ken Dunham, director of VeriSign Inc.'s iDefense rapid response team in Reston, Va. The link could contain malicious commands that are executed when it is clicked and the PDF file is opened in a browser, he said.