Severity: Medium
3 January, 2007
Summary:
Today, a security researcher released an advisory describing several previously unknown vulnerabilities in Adobe Reader 7.0.x (and all earlier versions). By enticing one of your users into clicking a specially crafted Web link, an attacker can exploit the worst of these flaws to execute arbitrary JavaScript on your user’s computer. The malicious JavaScript could potentially inherit the privileges of a trusted Web site, allowing a wide range of attacks such as stealing your user’s Web cookies or tricking your user into divulging login credentials. The impact of the attack depends in part on what Web browser the victim uses; Firefox users are at greatest risk. If you use Adobe Reader in your network, you should download, test, and deploy version 8 as soon as possible.
Exposure:
In an advisory released today, Stefano Di Paola described several vulnerabilities in Adobe Reader 7.0.x (and all earlier versions). Adobe Reader ships with a plugin that allow you to view Web-based PDF documents from inside your Web browser. According to Di Paola, this plugin suffers from four new security vulnerabilities that can allow attackers to crash your browser, forge sensitive Web requests in your name, run arbitrary JavaScript in the context of a site you trust, or even gain complete control of your machine. We describe the two most critical of these vulnerabilities below:
- Universal Cross-Site Scripting Vulnerability in Adobe Reader browser plugin. A Cross-Site Scripting (XSS) vulnerability is a flaw in a Web site that allows an attacker to execute code on your computer with the same trust (privileges and permissions) you have given that Web site. (For more on XSS flaws in general, see the LiveSecurity article, “Anatomy of a Cross-Site Scripting Attack.”) A Universal Cross-Site Scripting (UXSS) vulnerability is essentially the same thing, except the flaw lies within a client application, such as a Web browser or browser plugin, rather than in the targeted Web site. UXSS vulnerabilities potentially pose much larger threats than XSS since they could affect a client visiting any Web site, rather than just one specific flawed Web site.
Unfortunately, Adobe Reader’s browser plugin suffers from a dangerous UXSS vulnerability. If an attacker can entice one of your users to click a specially crafted link that points to a PDF file on a Web site, the attacker could execute arbitrary JavaScript on that user’s computer with the same privilege and trust as the targeted Web site. For instance, the attacker might craft a malicious link to a PDF file residing on the Web site you use for online banking. If you click that link, the attacker’s malicious JavaScript could pop up a login window that appeared to come from your online banking site. If you entered your login credentials, the attacker could then capture them, and later use them to access your bank account.
Fortunately, Di Paola has only figured out how to exploit this particular flaw when Firefox is the Web browser. If you use Internet Explorer (IE), this flaw is more likely to crash IE than to allow code execution. However, Di Paola has figured out an alternate attack scenario involving this vulnerability in conjunction with IE. This alternate attack could allow internal attackers to steal victims' credentials. The hacking communities we follow online are very enthused about this new attack vector and have proposed theoretical ways it could be exploited to reveal information such as every Web site the victim has visited or every Google search the victim has performed. In short, the impact of this vulnerability is going to worsen. Regardless of which browser you use, you should patch this vulnerability.
- Remote Code Execution in Adobe Reader browser plugin. Di Paola's advisory also warns of a very complex memory corruption vulnerability in the Adobe Reader plugin, a double free() vulnerability. By enticing one of your users to click a specially crafted link pointing to a PDF file, an attacker could exploit this flaw to execute code on that user's computer with that user's privileges. If your Windows users have local administrative privileges, the attacker could exploit this flaw to gain complete control of their machines. However, Di Paola and his partner could only exploit this particular issue against Firefox users with the Adobe Reader plugin.
Solution Path:
Adobe Reader 8 includes a fixed version of the vulnerable browser plugin. We recommend you download, test, and deploy version 8 as soon as possible, regardless of which operating system you use.
In the meantime, Firefox users can disable the browser plugin until they apply Adobe’s update. Keep in mind, disabling this plugin will prevent both legitimate and malicious PDF files from displaying within Firefox (you will have to download and open them instead). Refer to the bottom of this Symantec blog entry for instructions on how to disable Reader within Firefox. Furthermore, you can disable JavaScript in any Web browser to further reduce the damage an attacker could cause by exploiting these vulnerabilities.