Acrobat flaw opens door to attack
-
Acrobat flaw opens door to attack
Joris Evers CNET News.com
Published: 04 Jan 2007 08:29 GMT
A security weakness in the ubiquitous Acrobat Reader software could be a boon for cybercrooks, security experts warned on Wednesday.
An error in the web browser plug-in of Adobe Systems' tool lets cybercrooks co-opt the address of any website that hosts an Adobe PDF file for use in attacks, Symantec and VeriSign iDefense said. An attacker could construct seemingly trusted links and add malicious JavaScript code that will run once the link is clicked, they said.
For example, an attacker could find a PDF file on a bank website and then create a hostile link to that file along with malicious JavaScript, Ken Dunham, director of the Rapid Response Team at VeriSign iDefense, said in a statement.
"This vulnerability makes it possible for cross-site-scripting (XSS) attacks to occur, to steal cookies, session information, or possibly create a XSS worm," he said. XSS attacks put online accounts at risk of hijack and feed information-thieving phishing scams by allowing miscreants to use seemingly trusted links to point to fraudulent websites.
The Adobe vulnerability could spark a rise XSS attacks, Symantec said. Such attacks in the past relied on flaws in websites, but with the Adobe Reader bug there is now a widely used client-side application that allows cross-site-scripting attacks, it said in an alert sent to users of its DeepSight security intelligence service.
"This development has the potential to significantly change the landscape of conventional cross-site-scripting attacks," Symantec warned. The security problem was disclosed at the Chaos Computer Club conference in Germany over the holidays in a paper by Stafano Di Paola and Giorgio Fedon.
To mitigate the new threat, users can upgrade to Adobe Reader 8, the latest version of the Adobe software released last month, the San Jose, California-based company said in an emailed statement. "Adobe is also working on updates to previous versions that will resolve this issue," the company said.
Additionally, users can force PDF files to open in the Acrobat client, not the browser plug-in, Symantec said. VeriSign iDefense suggests removing file type actions within Firefox for PDF, XPDF, FDF and any extension associated with the Adobe Acrobat plug-in.
too long and too chim, just post so that anyone who is interested can read.
-
Guys, do yourself a favour and use Foxit pdf reader. Adobe Acrobat reader is unnecessarily large and resource-intensive. Foxit reader comes in a small d/l (about 1.5mb) and it is very very fast. You can even type directly onto the pdf document. Best of all it is free.
http://www.foxitsoftware.com/pdf/rd_intro.php
Adobe has clearly lost it. Without a serious competitor, it has become complacent and is putting out crap. So do yourself a favour and use foxit. -
can someone gimme the link to the original site? so i can show my colleagues in IT
-
http://news.zdnet.co.uk/security/0,1000000189,39285324,00.htmOriginally posted by shinta:can someone gimme the link to the original site? so i can show my colleagues in IT -
Thanks for the input.Originally posted by scabstermooch:Guys, do yourself a favour and use Foxit pdf reader. Adobe Acrobat reader is unnecessarily large and resource-intensive. Foxit reader comes in a small d/l (about 1.5mb) and it is very very fast. You can even type directly onto the pdf document. Best of all it is free.
http://www.foxitsoftware.com/pdf/rd_intro.php
Adobe has clearly lost it. Without a serious competitor, it has become complacent and is putting out crap. So do yourself a favour and use foxit.
Appreciate
-
sankyu!Originally posted by nightzip: -
No problem. I cannot stand pdfs normally as they are a pain to navigate and use esp if your browser decides to open it within the browser window. Foxit has removed my doubts about pdf documents so I am always quick to recommend it!Originally posted by M©+square:Thanks for the input.
Appreciate
Edit: According to foxit's page, adobe reader is a 20mb download! is that true? Why on earth would an application be as large as 20mb when all it has to do is to read pdf documents? AFAIK, it doesn't allow you to type directly onto pdf documents too.
The mind boggles when one thinks about what exactly Adobe Acrobat Reader is secretly doing to your computer. -
XSS is now a hot topic in phishing scams. Although I'm unsure whether someone has really used the XSS exploit, I'm pretty sure it won't be long before this becomes a fact.
By the way, uninstall Acrobat Reader and use Foxit Reader. This will force all PDF documents to be saved, not viewed via browser. -
So big?Originally posted by scabstermooch:No problem. I cannot stand pdfs normally as they are a pain to navigate and use esp if your browser decides to open it within the browser window. Foxit has removed my doubts about pdf documents so I am always quick to recommend it!
Edit: According to foxit's page, adobe reader is a 20mb download! is that true? Why on earth would an application be as large as 20mb when all it has to do is to read pdf documents? AFAIK, it doesn't allow you to type directly onto pdf documents too.
The mind boggles when one thinks about what exactly Adobe Acrobat Reader is secretly doing to your computer.
I remembered it as around 2MB. Did you download the Professional version, which bundled other products? Professional version allows the conversion to PDF... -
yup, professional version versus the pure reader...
the reader is smaller but can only read, cannot convert excel, word, etc files to pdf.
so far have not problems about it yet... -
I just checked. It really is 20 MB.Originally posted by nightzip:yup, professional version versus the pure reader...
the reader is smaller but can only read, cannot convert excel, word, etc files to pdf.
so far have not problems about it yet...
Feckin' hell. I cannot believe it.
http://www.adobe.com/products/acrobat/readstep2.html
-
Man, 20MB!
You go with Foxit Reader better. It's only 2MB.
-
inefficient programming?
20mb?