Computer security researchers have discovered a vulnerability in Adobe Systems Inc’s ubiquitous Acrobat Reader software that allows cyber intruders to attack PCs through trusted Web links. The flaw appears to target Microsoft Corp’s Internet Explorer 6.0 Web browser and earlier versions and Mozilla’s Firefox browser.

Virtually any Web site hosting Portable Document Format (PDF) files is vulnerable to attack, according to researchers from Symantec Corp and VeriSign Inc’s iDefense Intelligence.

The attacks could range from stealing cookies that track a user’s web browsing history to the creation of harmful worms, they said. The flaw exists in a plug-in that enables Acrobat users to view PDF files within Web browsers. By manipulating the Web links to those documents, hackers and online thieves are able to commandeer the Acrobat software and run malicious code when users attempt to open the files, according to Ken Dunham, director of the rapid response team at iDefense Intelligence.

Dunham gave this hypothetical scenario: An attacker finds a PDF file on a banking Web site. The attacker creates a hostile Web site that links to the bank’s PDF file. Included is malicious JavaScript code that will run on the unsuspecting user’s computer once the link is clicked. “PDF is trusted, tried and true – everyone uses it,” Dunham said. “But instead of just viewing the file, you’ve initiated script that shouldn’t be executed. All you have to do is click on the PDF and the ball starts rolling.”

In response to this finding, Adobe Systems has announced that it will issue patches next week for older versions of its Reader and Acrobat Reader software, and that users can update to the latest versions of Adobe Reader and Acrobat to avoid being affected by this cross-site scripting flaw, which allows attackers to run malicious JavaScript on a user’s PC.

Adobe Systems is looking seriously into this issue. Since the problem affects versions 7.0.8 and earlier of the Acrobat and Reader programs, Adobe is urging users of those versions to disable the Acrobat and Reader plug-in in their Web browser until the patches are issued. Adobe has also been encouraging customers to upgrade to Reader 8, the latest version of its program, which is not affected by the vulnerability.

Adobe is also warning users to exercise caution when clicking on untrusted links, since those links could be manipulated to run an exploit. Security vendor Websense Inc. wrote on Thursday that an attacker could also gain access to files on a machine.

Exploits will apparently only work with certain combinations of Web browsers and Adobe software, but Adobe did not specify which combinations.
