IR Web Report


PDF flaw fears grow, Adobe seeks fix

By Dominic Jones on January 5, 2007

AS ADOBE Corp. worked to produce a patch for flawed versions of its ubiquitous PDF reader, new details emerged about the severity of the flaw and how it can be used to compromise visitors to trusted websites.

CNET News.com reported Thursday that the PDF security risk was greater than originally thought. The online news site said Web security specialists at WhiteHat Security and SPI Dynamics had “discovered that miscreants could exploit the problem to access all information on a victim’s hard disk drive.”

Washington Post tech security writer Brian Krebs provided several scenarios for how the flaw could be exploited using Bank of America as an example. He said they showed “how dangerous this kind of vulnerability can be.”

Meanwhile, Adobe said in a security bulletin that it categorizes the flaw as an important issue that could “compromise data security, potentially allowing access to confidential data, or could compromise processing resources in a user’s computer.”

Internet Explorer and Firefox

The company said the following versions of its software were affected, although the flaw's “exploitability” depended on which browser people were using:

  • Adobe Reader 7.0.8 and earlier versions
  • Adobe Acrobat Standard, Professional and Elements 7.0.8 and earlier versions
  • Adobe Acrobat 3D

The company urged Adobe Reader users to upgrade to version 8. People who cannot upgrade should wait for a patch, which Adobe said would be ready next week.

According to Symantec security researchers, IE 6.0 on XP SP2 equipped with Adobe Reader 6, as well as IE 6 on XP SP1 running Reader 7, are vulnerable. Also at risk: Firefox 1.5, Firefox 2.0, and Opera 9.10 when running either Reader 6 or 7, reported TechWeb’s Gregg Keizer.

Issues for IR departments

A key problem is that many web users may not upgrade or know how to disable browser plug-ins, leaving them vulnerable. No information appears to have been provided on the possible number of users who may be affected.

The Adobe security advisory did not provide guidance to companies wishing to avoid their PDF files being used in attacks.

It was suggested earlier by security pros that companies may want to remove PDFs from their sites or otherwise protect them.

Since most public companies use PDF extensively on their corporate websites, especially for investor relations information, shareholders could be particularly vulnerable to hackers seeking to use the flaw.

The timing is worrying because it coincides with annual reporting season when investors may be expecting emails from companies and so will be more receptive to clicking on links to PDFs.

“It’s trivial to reproduce and customize public exploit code for this,” Ken Dunham, director of VeriSign iDefense’s rapid response team, told TechWeb. “One of the main sites hosting code for this vulnerability has been hammered with traffic, showing great interest in this new exploit.”

If your company is implementing plans to mitigate this threat, please share what you are doing in the comments below or email me confidentially.

Update: Ongoing technical discussion of this topic can be found here


Dominic Jones

Dominic Jones (bio) created IR Web Report in 2001. He is a consultant to leading public companies and investor relations service providers worldwide. You can contact him via the contacts page.
