

PDF flaw has security experts agog

By Dominic Jones on January 3, 2007


SOME web security experts are advising companies to remove all PDF files from their websites immediately or take other precautions to prevent their website users from becoming victims of hackers.

This comes after security researchers found a weakness in Adobe’s Acrobat Reader program that allows an attacker to easily run rogue JavaScript on the victimized PC.

“The ease in which this weakness can be exploited is breathtaking,” writes Hon Lau on Symantec’s Security Response Weblog. “What this means in a nutshell is that anybody hosting a .pdf, including well-trusted brands and names on the Web, could have their trust abused and become unwilling partners in crime.”

Any Web site hosting a PDF file can be manipulated to run an exploit, Lau says.

In a warning to customers, Symantec’s DeepSight team said even if quickly patched by Adobe the flaw could lead to a flood of attacks.

“The amount of Internet-accessible PDF files is significant [and] the amount of Web browsers with Acrobat plug-in capabilities is also prevalent in the majority of systems,” the warning read.

One blogger on the ha.ckers.org site wrote: “This is one of the worst issues I’ve seen in a while, as almost every major website has PDFs on it (investor relations, white papers, sales sheets, etc…). You might want to remove your PDFs for the time being, protect them or at minimum host them on a domain you don’t care about.”

However, security firm Secunia rated the threat “less critical”. It said the vulnerability had been confirmed in Acrobat Reader versions below the latest version, running in Internet Explorer and Firefox, and possibly in other browsers.

It advised web users to upgrade to Acrobat Reader version 8.0.0 and not to visit untrusted sites or follow links from untrusted sources.

Additional information: Adobe Flaw Means Trusted PDFs May Be Treacherous, Acrobat hole open for exploit, Acrobat flaw could spawn Web attacks and Universal XSS with PDF files: highly dangerous on the Web Application Security Consortium message boards.

Adobe Update: John Dowdell, an Adobe employee who blogs, has been tracking the developments on this story very thoroughly, especially in the comments to his post. His blog has become something of a hub for information on this topic, which doesn’t say much about Adobe’s PR department. has posted a link in a comment below to a security note from Adobe.

Update: See our follow-on story PDF flaw fears grow, Adobe seeks fix


Dominic Jones (bio) created IR Web Report in 2001. He is a consultant to leading public companies and investor relations service providers worldwide. You can contact him via the contacts page.

Posted in IR News | Tagged Acrobat, Adobe, Internet Explorer, JavaScript, PDF

Copyright © 2001 - 2018 IR Web Reporting International Inc. By using this site you agree to the Terms of Use and our Privacy & Cookie Use Policy.