Acrobat Reader flaw opens websites to XSS attacks


Security experts warned Wednesday of a vulnerability in the Adobe Acrobat Reader browser plug-in that makes any website hosting PDF files susceptible to cross-site scripting (XSS) attacks, XSS worms, and theft of cookies and session information.

Initially disclosed by security researchers Stefano Di Paola and Giorgio Fedon at the 23rd Chaos Communication Congress in Berlin last week, the vulnerability lies in the Open Parameters feature of the Adobe Acrobat Reader plug-in.

The feature lets web developers pass parameters to the plug-in when a user opens a PDF file, by appending them to the document's URL after a # sign, but it also opens up the ability to execute JavaScript code on the client side, warned researcher Hon Lau on a Symantec blog. The script runs in the context of the site that hosts the PDF, and because the part of a URL after the # is never sent to that site's server, the hosting site cannot see or filter the attack in its own logs.

"All the attacker has to do is find out who is hosting a PDF file on their web server and then piggyback on it to mount an attack," he said. "What this means in a nutshell is that anybody hosting a PDF, including well-trusted brands and names on the web, could have their trust abused and become unwilling partners in crime."

Researchers with Secunia rated the threat as "less critical" and recommended upgrading to Acrobat Reader 8.0 to fix the problem, but other experts said the threat is more pressing.

Researchers at Symantec and VeriSign iDefense warned that the vulnerability poses considerable risk because the PDF browser plug-in is so widely installed and PDF files are hosted on most websites.

"PDF files are trusted and very popular, making any significant PDF vulnerability a cause for concern," said Ken Dunham, director of the iDefense Rapid Response Team, in a Wednesday advisory.

The vulnerability affects all versions of Firefox and Internet Explorer (IE) 6.0 with Service Pack 1 and earlier, when the Adobe Reader plug-in is installed.

Dunham suggested that users disable the Adobe plug-in and JavaScript within Firefox, and fully patch IE, to mitigate the threat.
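As an added illustration of the mechanism described above (the Open Parameters carried after the # in a PDF link) and of the mitigations discussed here, the following JavaScript is an example written for this page; it is not code from the article, from Adobe, or from the researchers quoted. It assumes Adobe's documented "name=value" syntax with "&" separators in the fragment, treats parameter names case-insensitively, and uses constructed sample URLs on a placeholder host (docs.example). The forced-download headers at the end are a site-side measure practitioners used against this class of issue, not one the article lists.

```javascript
// Added example: not code from the article, Adobe, or any of the researchers
// quoted. It models how Adobe Reader "Open Parameters" ride in the URL
// fragment of a PDF link, shows which values would hand the plug-in a
// javascript: URL, and shows why the hosting server never sees them.
// Assumptions: parameters are "name=value" pairs separated by "&" after the
// "#" (Adobe's documented syntax); the sample URLs below are constructed.

// Parse the Open Parameters from a PDF URL's fragment.
// Returns [{ name, value }] with names lower-cased (the plug-in treats
// "FDF" and "fdf" alike) and values percent-decoded when that succeeds.
function parseOpenParameters(url) {
  const fragment = new URL(url).hash.replace(/^#/, '');
  if (fragment === '') return [];
  return fragment.split('&').filter((p) => p !== '').map((pair) => {
    const eq = pair.indexOf('=');
    const rawName = eq === -1 ? pair : pair.slice(0, eq);
    const rawValue = eq === -1 ? '' : pair.slice(eq + 1);
    return { name: rawName.toLowerCase(), value: safeDecode(rawValue) };
  });
}

// Percent-decode defensively: a malformed escape is returned verbatim rather
// than throwing, so a deliberately broken value cannot crash the checker.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// True when a parameter value is a javascript: URL. Leading whitespace and
// control characters are stripped and the scheme compared case-insensitively,
// because "  JaVaScRiPt:" is the same URL to a lenient URL handler.
function isScriptUrl(value) {
  const normalized = value.replace(/^[\s\x00-\x1f]+/, '').toLowerCase();
  return normalized.startsWith('javascript:');
}

// Names of every Open Parameter in the URL whose value is a javascript: URL.
function findScriptParameters(url) {
  return parseOpenParameters(url)
    .filter((p) => isScriptUrl(p.value))
    .map((p) => p.name);
}

// What the web server hosting the PDF actually receives in the request line:
// path and query only. The fragment (and any payload in it) stays in the
// browser, so server-side logging or filtering cannot catch this attack.
function requestTargetSeenByServer(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

// Site-side mitigation (a practitioner measure, not one the article lists):
// serve PDFs as downloads so the browser plug-in does not render them inline
// in the site's origin. The file name is sanitized so an attacker-chosen name
// cannot inject CR/LF or quotes into the header.
function pdfDownloadHeaders(filename) {
  const safeName = filename.replace(/[^\w.-]/g, '_');
  return {
    'Content-Type': 'application/pdf',
    'Content-Disposition': `attachment; filename="${safeName}"`,
  };
}

// Constructed sample URLs (docs.example is a placeholder host).
const BENIGN_PDF_URL = 'http://docs.example/report.pdf#page=2&zoom=100';
const HOSTILE_PDF_URL =
  'http://docs.example/report.pdf#page=2&FDF=javascript:alert(document.cookie)';
const OBFUSCATED_PDF_URL =
  'http://docs.example/report.pdf#fdf=%20JaVaScRiPt%3Aalert(1)';

if (typeof require !== 'undefined' && require.main === module) {
  for (const url of [BENIGN_PDF_URL, HOSTILE_PDF_URL, OBFUSCATED_PDF_URL]) {
    console.log(url);
    console.log('  server sees:', requestTargetSeenByServer(url));
    console.log('  script params:', findScriptParameters(url));
  }
  console.log(pdfDownloadHeaders('report.pdf'));
}
```

Run it with `node` to see that the hostile and obfuscated links are flagged on the fdf parameter while the server-side view of all three requests is identical (`/report.pdf`), which is why the advice in the article is aimed at the client (plug-in, browser JavaScript, patches) rather than at the hosting site's filters.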

Reported by Ericka Chickowski, West Coast Bureau Chief.
