Adobe PDF flaw allows PC access, experts warn
Last Updated: Friday, January 5, 2007 | 11:19 AM ET
CBC News
A vulnerability in Adobe Systems Inc.'s Acrobat Reader software is more dangerous than originally thought, allowing cyber-intruders to access information on a user's hard drive, according to security experts.
Security officials warned Wednesday that a flaw in earlier versions of Acrobat Reader could allow online thieves and hackers to steal web-related information from users who posted portable document format — or PDF — files on their website.
But security experts on Thursday said the vulnerability could also affect a personal computer by linking directly to PDF files found on a victim's PC.
Acrobat's inclusion of sample PDFs in predictable places on the hard drive makes such files easier to find, warns Websense Security Labs.
"Because known PDF files are stored on the local computer, this vulnerability can be used to execute JavaScript in the context of the local user, granting access to the local file system," Websense Security Labs said in a release on Thursday.
Adobe issued its own advisory, encouraging customers using older versions of the software to upgrade to Acrobat Reader 8. The company will be offering patches early next week to users with systems unable to upgrade to the latest version.
The flaw is exploitable in all versions of Mozilla Firefox running versions of Acrobat Reader earlier than 8. It also appears to affect Microsoft's Internet Explorer running some but not all earlier versions of Reader.
The vulnerability, first discovered at a hacker conference in Germany over the holidays, takes advantage of a plug-in allowing JavaScript code appended to links to PDF files to run when the link is clicked.
Attackers could create a hostile website linking to another site's PDF. When the link is clicked, a malicious JavaScript program is also activated and runs on the system hosting the PDF.
If the host of the PDF is a website, it would allow the hacker to steal cookies and other web-related information from the site. Should the host of the PDF file be a personal computer, the malicious program would allow much greater access to personal information.
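For site operators and mail or proxy filtering, the two link patterns described above (script appended to a PDF link, and a web page linking to a PDF on the local disk) can be checked for in page markup. The following is an added example, not code from the article or from Adobe; the article does not give the link syntax, so the `javascript:` and `<script` tokens it matches, the function name `audit_pdf_links` and the sample page are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

class _Hrefs(HTMLParser):
    """Collect href values from anchor tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def _decode(text):
    """Percent-decode twice so double-encoded text is still seen."""
    return unquote(unquote(text))

def audit_pdf_links(html):
    """Return (href, reason) pairs for PDF links matching the reported patterns."""
    parser = _Hrefs()
    parser.feed(html)
    findings = []
    for href in parser.hrefs:
        parts = urlsplit(href.strip())
        if not _decode(parts.path).lower().endswith(".pdf"):
            continue  # only links whose target is a PDF are of interest
        appended = _decode(parts.query + " " + parts.fragment).lower()
        # Drop whitespace and control characters used to split the token.
        compact = "".join(c for c in appended if c.isprintable() and not c.isspace())
        if "javascript:" in compact or "<script" in compact:
            findings.append((href, "script appended to PDF link"))
        elif parts.scheme.lower() == "file":
            findings.append((href, "link to PDF on local disk"))
    return findings

# Constructed sample page, not taken from the article.
SAMPLE = """
<a href="https://example.org/report.pdf">plain</a>
<a href="https://example.org/report.pdf#page=4">page anchor</a>
<a href="https://example.org/report.pdf#x=JavaScript%3Avoid(0)">appended script</a>
<a href="file:///C:/docs/sample.pdf">local file</a>
<a href="https://example.org/about.html#javascript:void(0)">not a PDF</a>
"""

if __name__ == "__main__":
    for href, reason in audit_pdf_links(SAMPLE):
        print(reason, "->", href)
```

Ordinary PDF links, including ones with a plain page anchor, are not flagged; only the appended-script and local-file cases are reported.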
"Given that it is easy to exploit, I would expect that we will see this method used considerably in the coming days and weeks, until it is resolved," a researcher from Symantec Corp. said in a posting on the California-based company's web log.

