By Dominic Jones
SOME web security experts are advising companies to remove all PDF files from their websites immediately or take other precautions to prevent their website users becoming victims of hackers.
This comes after security researchers have found a weakness in Adobe’s Acrobat Reader program that allows an attacker to easily run rogue JavaScript on the victimized PC.
“The ease in which this weakness can be exploited is breathtaking,” writes Hon Lau on Symantec’s Security Response Weblog. “What this means in a nutshell is that anybody hosting a .pdf, including well-trusted brands and names on the Web, could have their trust abused and become unwilling partners in crime.”
Any Web site hosting a PDF file can be manipulated to run an exploit, Lau says.
In a warning to customers, Symantec’s DeepSight team said even if quickly patched by Adobe the flaw could lead to a flood of attacks.
“The amount of Internet-accessible PDF files is significant [and] the amount of Web browsers with Acrobat plug-in capabilities is also prevalent in the majority of systems,” the warning read.
One blogger on the ha.ckers.org site wrote: “This is one of the worst issues I’ve seen in a while, as almost every major website has PDFs on it (investor relations, white papers, sales sheets, etc…). You might want to remove your PDFs for the time being, protect them or at minimum host them on a domain you don’t care about.”
However, security firm Secunia rated the threat “less critical”. It said the vulnerability had been confirmed in Acrobat Reader versions prior to the latest release when used with Internet Explorer and Firefox, and possibly with other browsers.
It advised web users to upgrade to Acrobat Reader version 8.0.0 and not to visit untrusted sites nor follow links from untrusted sources.
Additional information: Adobe Flaw Means Trusted PDFs May Be Treacherous, Acrobat hole open for exploit, Acrobat flaw could spawn Web attacks and Universal XSS with PDF files: highly dangerous on the Web Application Security Consortium message boards.
Adobe Update: John Dowdell, an Adobe employee who blogs, has been tracking the developments on this story very thoroughly, especially in the comments to his post. His blog has become something of a hub for information on this topic, which doesn’t say much about Adobe’s PR department. He has posted a link in a comment below to a security note from Adobe.
Update: See our follow-on story PDF flaw fears grow, Adobe seeks fix
IRWebReport.com was founded by Dominic Jones in February 2001 to promote best practices for online investor relations communications. In July 2010, the site had more monthly visitors than IR Magazine and IR Alert combined, according to Compete. We would like to thank our readers for their continued support and interest.
And now it can compromise your machine too: http://ha.ckers.org/blog/20070103/pdf-xss-can-compromise-your-machine/
Lashes taken.
But the group process has produced a better document than my early triage… this Adobe Security Advisory has best info now:
http://www.adobe.com/support/security/advisories/apsa07-01.html
jd/adobe