By Dominic Jones
As Adobe Corp. worked to produce a patch for flawed versions of its ubiquitous PDF reader, new details emerged about the severity of the flaw and how it can be used to compromise visitors to trusted websites.
CNET News.com reported Thursday that the PDF security risk was greater than originally thought. The online news site said Web security specialists at WhiteHat Security and SPI Dynamics had “discovered that miscreants could exploit the problem to access all information on a victim’s hard disk drive.”
Washington Post tech security writer Brian Krebs provided several scenarios for how the flaw could be exploited using Bank of America as an example. He said they showed “how dangerous this kind of vulnerability can be.”
Meanwhile, Adobe said in a security bulletin that it categorizes the flaw as an important issue that could “compromise data security, potentially allowing access to confidential data, or could compromise processing resources in a user’s computer.”
Internet Explorer and Firefox
The company said the following versions of its software were affected, although its “exploitability” depended on which browser people are using:
- Adobe Reader 7.0.8 and earlier versions
- Adobe Acrobat Standard, Professional and Elements 7.0.8 and earlier versions
- Adobe Acrobat 3D
The company urged Adobe Reader users to upgrade to version 8. People who cannot upgrade should wait for a patch, which Adobe said would be ready next week.
According to Symantec security researchers, IE 6.0 on XP SP2 equipped with Adobe Reader 6, as well as IE 6 on XP SP1 running Reader 7, are vulnerable. Also at risk: Firefox 1.5, Firefox 2.0, and Opera 9.10 when running either Reader 6 or 7, reported TechWeb’s Gregg Keizer.
Issues for IR departments
A key problem is that many web users may not upgrade or know how to disable browser plug-ins, leaving them vulnerable. No information appears to have been provided on the possible number of users who may be affected.
The Adobe security advisory did not provide guidance to companies wishing to avoid their PDF files being used in attacks.
Security professionals had suggested earlier that companies may want to remove PDFs from their sites or otherwise protect them.
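One way to “otherwise protect” PDFs without removing them is to serve them with a `Content-Disposition: attachment` header, so the browser saves the file instead of handing it to the Reader plug-in (the “force the download” approach a commenter on this article describes). The following is an added example, not code from the article or from Adobe: a small WSGI middleware that rewrites every `application/pdf` response that way. The `demo_app`, the `/ir/...` paths and the `call` helper are constructed stand-ins for a real site.

```python
"""Added example (not from the article): a WSGI middleware that forces PDFs
to be downloaded rather than rendered by the browser's PDF plug-in."""
import os
from urllib.parse import quote


def attachment_header(path):
    """Build a Content-Disposition value for the request path.

    The last path segment becomes the suggested file name. ASCII names use the
    plain filename= form; anything else uses the RFC 6266 filename* form.
    """
    name = os.path.basename(path) or "document.pdf"  # fallback for "/" etc.
    if name.isascii():
        return 'attachment; filename="%s"' % name.replace('"', "")
    return "attachment; filename*=UTF-8''%s" % quote(name)


def force_pdf_download(app):
    """Wrap a WSGI app so every application/pdf response is sent as an attachment."""
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            content_type = next(
                (v for k, v in headers if k.lower() == "content-type"), "")
            is_pdf = content_type.split(";")[0].strip().lower() == "application/pdf"
            if is_pdf:
                # Drop any existing disposition (e.g. "inline") so it cannot
                # override ours, then force the download.
                headers = [(k, v) for k, v in headers
                           if k.lower() != "content-disposition"]
                headers.append(("Content-Disposition",
                                attachment_header(environ.get("PATH_INFO", ""))))
            return start_response(status, headers, exc_info)
        return app(environ, patched_start_response)
    return wrapped


def demo_app(environ, start_response):
    """Constructed stand-in for a corporate site: a PDF or an HTML page by path."""
    path = environ.get("PATH_INFO", "")
    if path.endswith(".pdf"):
        # A site that explicitly asks for inline rendering; the middleware
        # must still override this.
        start_response("200 OK", [("Content-Type", "application/pdf"),
                                  ("Content-Disposition", "inline")])
        return [b"%PDF-1.4\n%%EOF\n"]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>Investor relations</body></html>"]


def call(app, path):
    """Invoke a WSGI app for a GET of `path`; return (status, headers, body).

    Headers come back as a dict keyed by lower-cased header name.
    """
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = {k.lower(): v for k, v in headers}

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"},
                        start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    hardened = force_pdf_download(demo_app)
    for p in ("/ir/annual-report-2006.pdf", "/ir/index.html"):
        _, headers, _ = call(hardened, p)
        print(p, "->", headers.get("content-disposition", "(no disposition)"))
```

Because the plug-in is never invoked for an attachment, this mitigation does not depend on which Reader or browser version a visitor has. The same effect can be had without application code on Apache with mod_headers, using `Header set Content-Disposition attachment` inside a `<FilesMatch "\.pdf$">` block; the trade-off in every case is that visitors lose in-browser viewing of the documents.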
Since most public companies use PDF extensively on their corporate websites, especially for investor relations information, shareholders could be particularly vulnerable to hackers seeking to use the flaw.
The timing is worrying because it coincides with annual reporting season when investors may be expecting emails from companies and so will be more receptive to clicking on links to PDFs.
“It’s trivial to reproduce and customize public exploit code for this,” Ken Dunham, director of VeriSign iDefense’s rapid response team told Tech Web. “One of the main sites hosting code for this vulnerability has been hammered with traffic, showing great interest in this new exploit.”
If your company is implementing plans to mitigate against this threat, please share what you are doing in the comments below or email me confidentially.
Update: Ongoing technical discussion of this topic can be found here
We decided to send out a notice to people on our email list. We told them to be careful about clicking on links to any PDF files sent to them via email or posted on stock message boards.
It was a difficult thing to explain. We couldn’t find many resources that explained the problem in simple terms non-technical people can understand. We eventually used the Washington Post article mentioned in your article above.
We stressed in our email that it was safe for people to visit our website and then open PDF files, but not to follow direct links to our PDFs on other sites or in emails. We also urged them to upgrade their readers.
We debated whether we should do anything. Eventually we decided that it was a service to our shareholders and analysts and it could protect us from negative publicity or worse. It was a win-win.
Thanks for bringing this to our attention. Your site has been valuable to us.
Alice,
That’s a great idea, much better than trying to remove all your PDF files! I’ve had a few people ask me if they should remove their PDFs, and it’s obviously an option but not a very practical one, so what your company has done is probably the next best thing.
I’ve also heard from a couple people who feel this is a big deal about nothing. I don’t know about that.
The latest headline I saw on this from TechWeb paints a grave picture:
Adobe Flaw May Be ‘Worst’ Bug Of 2007
“The vulnerability is very pervasive as it lowers the hackability bar from the target Web site needing to have an XSS issue to simply hosting a PDF,” Grossman says. “This has the potential to be the number one worst vulnerability of 2007. Had this come out two weeks ago, it would have definitely made the top 10 list for 2006.”
I applaud you for doing something rather than nothing, and I’m sure your shareholders will remember that you thought of them.
We’re forcing the PDF to download – that appears to bypass the plugin completely. This is how we’re fixing it.
[...] Update: See our follow-on story PDF flaw fears grow, Adobe seeks fix [...]