Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

When PDFs Attack!

Created: 03 Jan 2007 08:00:00 GMT • Updated: 23 Jan 2014 18:53:50 GMT
Hon Lau's picture
0 0 Votes
Login to vote

We have received reports of a significantproblem relating to Adobe Acrobat files and Cross Site Scripting (XSS).A weakness was discovered in the way that the Adobe Reader browserplugin can be made to execute JavaScript code on the client side. Thisstems from the “Open Parameters” feature in Adobe Reader, which allowsfor parameters to be sent to the program when opening a .pdf file. Likemost things in life, this was a feature designed for benign usage, butunfortunately somebody has discovered that it can also be used formalicious purposes.

This development is significant for a number of reasons:
• The ease in which this weakness can be exploited is breathtaking. Useof this “feature” requires no exploitation of vulnerabilities on theserver side.
• Any Web site that hosts a .pdf file can be used to conduct thisattack. All the attacker has to do is find out who is hosting a .pdffile on their Web server and then piggy back on it to mount an attack.What this means, in a nutshell, is that anybody hosting a .pdf file,including well-trusted brands and names on the Web, could have theirtrust abused and become unwilling partners in crime.
• Due to the power and flexibility of JavaScript, the attacker has a wide scope for inflicting damage.

This problem appears to be limited to the Firefox browser, which hasa relatively large user base. Given that it is easy to exploit, I wouldexpect that we will see this method used considerably in the comingdays and weeks, until it is resolved. If you are using NortonConfidential, you are automatically protected against the currentexploitation methods utilized in this attack. For others, you canmitigate against attacks by implementing JavaScript filteringcapabilities on corporate firewalls and intrusion detection systems,and by disabling Adobe Reader plugin capabilities in Web browsers. Inaddition, beware of people sending you links to .pdf files on the Web.Check the URL for any unusual text or parameters after the .pdfextension. This would apply to all the usual distribution channels suchas email, instant messaging, Web browsing, and so on.

For more information about Cross Site Scripting, you can read Zulfikar’s blog entry about the topic of Phishing and XSS from July of last year.

UPDATE

For more information about this vulnerability, please read Adobe's advisory at http://www.adobe.com/support/security/advisories/apsa07-01.html

UPDATE

You can mitigate this problem by upgrading to Adobe Reader 8.

Alternatively, you can implement a workaround in your browser sothat it does not use the Acrobat Reader plugin. The followinginstructions apply to the Firefox browser:
• In the Tools menu, select Options.
• Select Downloads in the Options dialog.
• Click on the View & Edit Actions button.
• In the Download Actions dialog, choose the action for the PDF extension or the Adobe Acrobat Document file type and then click on Change Action.

• In the Change Action dialog, choose the Open them with the default application option.

• Click on OK, Close and OK to close out of the Options dialog.

UPDATE

Subsequent testing has shown that systems running Internet Explorer6 and Adobe Reader 7 on Windows XP SP1, and systems with InternetExplorer 6 and Adobe Reader 4 on Windows XP SP2 are also vulnerable tothe attack.