As Adobe Corp. worked to produce a patch for flawed versions of its ubiquitous PDF reader, new details emerged about the severity of the flaw and how it can be used to compromise visitors to trusted websites.
CNET News.com reported Thursday that the PDF security risk was greater than originally thought. The online news site said Web security specialists at WhiteHat Security and SPI Dynamics had “discovered that miscreants could exploit the problem to access all information on a victim’s hard disk drive.”
Washington Post tech security writer Brian Krebs provided several scenarios for how the flaw could be exploited using Bank of America as an example. He said they showed “how dangerous this kind of vulnerability can be.”
Meanwhile, Adobe said in a security bulletin that it categorizes the flaw as an important issue that could “compromise data security, potentially allowing access to confidential data, or could compromise processing resources in a user’s computer.”
Internet Explorer and Firefox
The company said the following versions of its software were affected, although their “exploitability” depended on which browser people are using:
- Adobe Reader 7.0.8 and earlier versions
- Adobe Acrobat Standard, Professional and Elements 7.0.8 and earlier versions
- Adobe Acrobat 3D
The company urged Adobe Reader users to upgrade to version 8. People who cannot upgrade should wait for a patch, which Adobe said would be ready next week.
According to Symantec security researchers, IE 6.0 on XP SP2 equipped with Adobe Reader 6, as well as IE 6 on XP SP1 running Reader 7, are vulnerable. Also at risk: Firefox 1.5, Firefox 2.0, and Opera 9.10 when running either Reader 6 or 7, reported TechWeb’s Gregg Keizer.
Issues for IR departments
A key problem is that many web users may not upgrade or know how to disable browser plug-ins, leaving them vulnerable. No information appears to have been provided on the possible number of users who may be affected.
The Adobe security advisory did not provide guidance to companies wishing to avoid their PDF files being used in attacks.
It was suggested earlier by security pros that companies may want to remove PDFs from their sites or otherwise protect them.
Since most public companies use PDF extensively on their corporate websites, especially for investor relations information, shareholders could be particularly vulnerable to hackers seeking to use the flaw.
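The advice above to remove hosted PDFs or "otherwise protect them" starts with knowing which PDFs a site links to and how they are served. The following script is an added example, not code from the article or from Adobe: it inventories the PDF links on an investor relations page and flags each one that is served inline (and so would be opened by the browser's Reader plug-in) rather than as a download. It assumes, as the author's own interim mitigation rather than anything the article states, that serving a PDF with a `Content-Disposition: attachment` header is an acceptable way to keep it out of the in-browser plug-in until users have patched. The HTML page, host name and HEAD responses are constructed sample data.

```python
"""Inventory PDF links on a site page and report how each PDF is served.

Added example, not part of the original article. Assumption (the author's,
not the article's): a PDF served with "Content-Disposition: attachment" is
downloaded rather than rendered by the browser plug-in, so it is treated here
as "protected"; anything else is reported as "inline".
"""
from html.parser import HTMLParser
from urllib.parse import urljoin


class PDFLinkParser(HTMLParser):
    """Collect absolute URLs of every <a href> that points at a .pdf file."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                absolute = urljoin(self.base_url, value)
                # Drop query string and fragment before testing the extension.
                path = absolute.split("?", 1)[0].split("#", 1)[0]
                if path.lower().endswith(".pdf"):
                    self.links.append(path)


def find_pdf_links(html, base_url):
    """Return the sorted, de-duplicated list of PDF URLs linked from a page."""
    parser = PDFLinkParser(base_url)
    parser.feed(html)
    return sorted(set(parser.links))


def _header(headers, name):
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def classify(headers):
    """'download' if the response forces a download, otherwise 'inline'."""
    disposition = _header(headers, "Content-Disposition")
    if disposition.split(";", 1)[0].strip().lower() == "attachment":
        return "download"
    return "inline"


def audit(html, base_url, head_responses):
    """Map every linked PDF to 'download' or 'inline'.

    head_responses maps a PDF URL to the headers a HEAD request returned;
    in real use this would come from an HTTP client, here it is supplied.
    """
    return {
        url: classify(head_responses.get(url, {}))
        for url in find_pdf_links(html, base_url)
    }


# Constructed sample investor relations page (hypothetical host name).
SAMPLE_HTML = """
<html><body>
<a href="/reports/annual-2006.pdf">Annual report</a>
<a href="https://ir.example.com/reports/q4.pdf?lang=en#page=3">Q4 results</a>
<a href="/about.html">About us</a>
</body></html>
"""

# Constructed HEAD responses: one PDF served inline, one forced to download.
SAMPLE_HEADERS = {
    "https://ir.example.com/reports/annual-2006.pdf": {
        "Content-Type": "application/pdf",
    },
    "https://ir.example.com/reports/q4.pdf": {
        "content-type": "application/pdf",
        "content-disposition": "attachment; filename=q4.pdf",
    },
}


if __name__ == "__main__":
    for url, status in audit(SAMPLE_HTML, "https://ir.example.com/", SAMPLE_HEADERS).items():
        print(f"{status:8s} {url}")
```

Running the script lists each PDF with `inline` or `download`; the `inline` entries are the ones an IR team would either take down or reconfigure. Links inside JavaScript or redirect chains are not followed, so treat the output as a starting inventory rather than a complete one.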
The timing is worrying because it coincides with annual reporting season when investors may be expecting emails from companies and so will be more receptive to clicking on links to PDFs.
“It’s trivial to reproduce and customize public exploit code for this,” Ken Dunham, director of VeriSign iDefense’s rapid response team, told TechWeb. “One of the main sites hosting code for this vulnerability has been hammered with traffic, showing great interest in this new exploit.”
If your company is implementing plans to mitigate against this threat, please share what you are doing in the comments below or email me confidentially.
Update: Ongoing technical discussion of this topic can be found here