Multiple flaws found in Adobe Reader

A feature called Open Parameters within older versions of the Adobe Reader browser plug-in can be corrupted with malicious content, two researchers say.

In a conference paper titled "Subverting Ajax", security researchers Stafano Di Paola and Giorgio Fedon identified multiple cross-site scripting (XSS) vulnerabilities. One flaw in particular, the open parameters vulnerability, is quite easy to execute on vulnerable versions of Adobe Reader, they said.

For example, a malicious attack can be carried out by referencing any Web-based PDF file and supplying potentially malicious JavaScript code as an open parameter to any Web-based PDF file--for example, http://www.(domain name).com/file.pdf#whatever_name_you_want=javascript:your_code_here

The researchers said they contacted Adobe Systems in October with their findings and only recently made their work public.

Adobe has since released version 8 of Adobe Reader which no longer allows appended JavaScript within site URLs. However, many users continue to use older versions of the Adobe Reader plug-in and should update this as soon as possible.

Quick facts:

Name: Adobe Reader Open Parameters XSS
Date first reported: 1/3/07
Vulnerable software: Adobe Reader plug-in versions 6 and 7 for Mozilla Firefox, Opera and Microsoft Internet Explorer.
What it does: Could allow denial of service (crash), remote access and execution of malicious code.
Recommendations: Upgrade to Adobe Reader 8
Exploit code available: Yes
Vendor patch available: Yes
Advisory: Wise Security

Robert Vamosi writes for CNET Reviews.

 

ARTICLE DISCUSSION

Conversation powered by Livefyre

Don't Miss
Hot Products
Trending on CNET

Hot on CNET

CNET's giving away a 3D printer

Enter for a chance to win* the Makerbot Replicator 3D Printer and all the supplies you need to get started.