Exploit Surfaces in Web Browser PDF Plug-Ins

Several security firms have found a vulnerability in the Adobe Reader that is surprisingly easy to initiate and also very dangerous.

The problem involves passing input from a URL to a hosted PDF file. The data is not properly cleaned by the browser’s PDF reader plug-in before being returned to users, so any data can be passed through. This can be exploited to execute arbitrary script code in a user’s browser.

iDefense president Ken Dunham provided a simple proof of concept, simply by tacking a little text on to the end of the link with a PDF file.

For example, the link:


Would open a PDF file in the browser, and a pop-up box would appear on the user’s screen with an alert that reads “123.”

Because it initiates a JavaScript script on the client, there is tremendous potential for dangerous activity, such as stealing cookie information or cross-site scripting.

Adobe  said in a statement sent to internetnews.com that it is aware of the vulnerability “that could potentially affect previous versions of Adobe Reader.”

Adobe further noted the potential vulnerability does not effect the current, version 8, of Adobe Reader, which it encouraged users to download. “Adobe is also working on updates to
previous versions that will resolve this issue,” the company said.

Further details on this vulnerability will be published by Adobe here.

The exploit effects all versions of Firefox and Internet Explorer up to version 6.0, Service Pack 1, according to Dunham. His firm confirmed the findings, first reported by Security researchers Stefano Di Paolo and Giorgio Fedon last week at a conference in Berlin.

iDefense wasn’t the only firm to validate Di Paolo and Fedon’s findings, as security firm Secunia also posted an alert, as did SANS Institute

The problem is fixed in Adobe Acrobat 8, the latest version of the reader. internetnews.com was also able to confirm that the exploit does not affect Foxit Reader, a small, lightweight PDF reader and alternative to the Adobe Reader.

Scripts can be fairly powerful and the creativity of the attacker will determine what the payloads will be. Dunham said some proof of concept exploits have already shown up on the Internet.

Since clicking on a link could execute the script, one solution could be to right click on links to PDF files and save them locally, rather than running them inside the browser. Dunham said that is one way to avoid it but it’s not a total fix.

“You could be surfing a site with obfuscated links, so when you click on it, it actually initiates a PDF link with the script instead. So there are all kinds of tricks people could do here,” he said.

News Around the Web