PDF security risk greater than originally thought

A recently discovered security weakness in the widely used Acrobat Reader software could put Net users at more risk than previously thought, experts warned Thursday.

Initially, security professionals thought that the problem was restricted and exposed only Web-related data or could support phishing scams. Now it has been discovered that miscreants could exploit the problem to access all information on a victim's hard disk drive, said Web security specialists at WhiteHat Security and SPI Dynamics.

Key to increased access is where hostile links point. When the issue was first discovered, experts warned of links with malicious JavaScript to PDF files hosted on Web sites. While risky, this actually limits the attacker's access to a PC. It has now been discovered that those limits can be removed by directing a malicious link to a PDF file on a victim's PC.

"This means any JavaScript can access the user's local machine," Billy Hoffman, lead engineer at SPI Dynamics, said in an e-mailed statement. "Depending on the browser, this means the JavaScript can read the user's files, delete them, execute programs, send the contents to the attacker, et cetera. This is much worse than an attack in the remote zone."

For an attack to work, a malicious link has to point to an existing PDF file on the Web or on the target system. PDFs are abundant on the Net and finding one on a local system also isn't hard, a sample PDF file comes with Acrobat Reader and is installed in a predictable location on PCs, Grossman said.

News source: CNET

Report a problem with article
Previous Story

Vista testers get unexpected holiday gift: No TV

Next Story

TVU Player 2.3.2 Beta 10

6 Comments

Commenting is disabled on this article.

So basically all this means is that people who never do updates will be subject to holes in their crusty software. So it's not really news per say...

Aero Ultimate said,
+2

Who's stupid enough to use that bloated Adobe crap gets what (s)he deserves :P

I think that (MS haters ++ Apple fanboys) are. They use closed PDF format because it's not from MS. And they use Adobe products because Adobe is close to Apple.

There is no such thing as Acrobat Reader, it was renamed a while ago.
Like I said before, Adobe Reader 8 is unaffected so this really isn't a big deal.