CRITICAL CYBER ALERT: ADOBE READER

refer questions to: netwatchman.ed@gmail.com

January 4, 2007
‘Breathtaking’ hole in Adobe Reader plugin
Security threat to websites hosting PDFs

IF YOU USE ACROBAT READER UPDATE TO V. 8.0 NOW!!

Security threats Toolkit

A security weakness in the ubiquitous Acrobat Reader software could be a boon for cybercrooks, security experts warned on Wednesday.

An error in the web browser plug-in of Adobe Systems' tool lets cybercrooks co-opt the address of any website that hosts an Adobe PDF file for use in attacks, Symantec and VeriSign iDefense said. An attacker could construct seemingly trusted links and add malicious JavaScript code that will run once the link is clicked, they said.

For example, an attacker could find a PDF file on a bank website and then create a hostile link to that file along with malicious JavaScript, Ken Dunham, director of the Rapid Response Team at VeriSign iDefense, said in a statement.

"This vulnerability makes it possible for cross-site-scripting (XSS) attacks to occur, to steal cookies, session information, or possibly create a XSS worm," he said. XSS attacks put online accounts at risk of hijack and feed information-thieving phishing scams by allowing miscreants to use seemingly trusted links to point to fraudulent websites.

The Adobe vulnerability could spark a rise XSS attacks, Symantec said. Such attacks in the past relied on flaws in websites, but with the Adobe Reader bug there is now a widely used client-side application that allows cross-site-scripting attacks, it said in an alert sent to users of its DeepSight security intelligence service.

"This development has the potential to significantly change the landscape of conventional cross-site-scripting attacks," Symantec warned. The security problem was disclosed at the Chaos Computer Club conference in Germany over the holidays in a paper by Stafano Di Paola and Giorgio Fedon.

To mitigate the new threat, users can upgrade to Adobe Reader 8, the latest version of the Adobe software released last month, the San Jose, California-based company said in an emailed statement. "Adobe is also working on updates to previous versions that will resolve this issue," the company said.

Additionally, users can force PDF files to open in the Acrobat client, not the browser plug-in, Symantec said. VeriSign iDefense suggests removing file type actions within Firefox for PDF, XPDF, FDF and any extension associated with the Adobe Acrobat plug-in.

Adobe Reader Flaw Uncovered By Researchers
By Kevin McLaughlin, CRN4:52 PM EST Wed. Jan. 03, 2007

Security researchers have discovered a cross-site scripting (XSS) vulnerability affecting the widely used Adobe Acrobat Reader software that could make it easy for attackers to launch malicious code.

The flaw, revealed by security researchers Stefano Di Paola and Giorgio Fedon last week at the Chaos Communications Congress hacker convention in Berlin, could allow attackers to manipulate the Adobe Reader browser plug-in to execute arbitrary JavaScript on the client side simply by adding code to the URL of an online PDF file and getting users to click on the link.

The XSS vulnerability is made possible by the Open Parameters feature in Adobe Reader, which makes it possible to open a PDF file using a URL and specify which content to show and how to display it.

In a Wednesday advisory sent to its Deepsight threat management customers, Symantec warned that because Open Parameters exists in most Adobe Reader applications and browser plug-ins, the flaw could lead to a wave of XSS attacks against client-side targets.

"We may be seeing one of the first significant developments where cross-site scripting attacks are delivered to the client side with extremely high target-to-compromise ratios," according to the Deepsight advisory.

Attackers also could leverage the XSS vulnerability to steal cookie-based authentication credentials and launch additional attacks, Symantec noted.

The flaw is easy to exploit because attackers don't need write access to a PDF document and can add malicious JavaScript to any PDF file link found online, according to a post on the SANS Internet Storm Center blog.

Adobe Systems couldn't be reached for comment.

The vulnerability affects Adobe Reader version 6.0.1 for Windows using Internet Explorer 6 and version 7.0.8 for Windows using Firefox 2.0.0.1, but Adobe has fixed the problem in version 8 of the Reader software.

Security firm Secunia, which recommended upgrading to Adobe Reader 8.0 to fix the problem, didn't see the threat as serious, giving it a rating of "less critical," or 2 on a 5-point scale. Symantec Deepsight rated the severity of the flaw as 6.1 on a 10-point scale.

News

Acrobat Reader flaw opens many websites to XSS attacks

Headlines

Ericka Chickowski Jan 4 2007 06:08

Security experts warned users Wednesday of a vulnerability in Adobe Acrobat Reader plug-in that makes websites that use PDFs susceptible to cross-site scripting (XSS) attacks and worms, as well as putting users at risk of theft of cookies and session information.

Initially disclosed by two security researchers, Stefano Di Paola and Giorgio Fedon, at the 23rd Chaos Communication Congress in Berlin last week, the vulnerability occurs in the Open Parameters feature in Acrobat Reader.

The function gives web developers the ability to pass parameters when a user opens a PDF file, but it also opens up the ability to execute JavaScript code on the client side, warned Symantec's Hon Lau on the company's blog.

"All the attacker has to do is find out who is hosting a PDF file on their Web server and then piggyback on it to mount an attack," Lau wrote. "What this means in a nutshell is that anybody hosting a PDF, including well-trusted brands and names on the Web, could have their trust abused and become unwilling partners in crime."

Researchers with Secunia only rated the threat as "less critical" and recommended upgrading to Acrobat Reader 8.0 to fix the problem, but other experts feel the threat is more pressing. Researchers at Symantec and VeriSign's iDefense warned customers that the vulnerability poses considerable risk due to the widespread use of and PDF browser plug-ins within most web sites.

"PDF files are trusted and very popular, making any significant PDF vulnerability a cause for concern," wrote Ken Dunham, director of the rapid response team at iDefense in an advisory sent on Wednesday.

The vulnerability affects all versions of FireFox and Internet Explorer (IE)6.0 SP1 and earlier versions.

Adobe Flaw Means Trusted PDFs May Be Treacherous
By Gregg Keizer,
Adobe's Reader browser plug-in has a significant flaw that can be exploited by attackers to snatch control of a PC from users running Firefox and Opera browsers, Symantec reported Wednesday.

According to Symantec, which issued a lengthy alert to customers of its DeepSight threat network early in the day, any Adobe PDF (Portable Document Format) file on the Internet could be used by hackers to run rogue JavaScript on the victimized PC.

"A weakness was discovered in the way that the Adobe Reader browser plug-in can be made to execute JavaScript code on the client side," said Symantec researcher Hon Lau on the company's security blog. The vulnerability stems from Adobe Reader's "Open Parameters" feature that lets developers pass parameters when opening a PDF file.

"Any Web site that hosts a PDF file can be used to conduct this attack," Lau continued. "All the attacker has to do is find out who is hosting a PDF file on their Web server and then piggyback on it to mount an attack. What this means in a nutshell is that anybody hosting a PDF, including well-trusted brands and names on the Web, could have their trust abused and become unwilling partners in crime."

Symantec's DeepSight team expressed worries that the flaw, even if quickly patched by Adobe, would lead to a flood of similar attacks. "The amount of Internet-accessible PDF files is significant [and] the amount of Web browsers with Acrobat plug-in capabilities is also prevalent in the majority of systems," the warning read. "This issue has the potential to redefine the conventional cross-site scripting paradigm we are used to.

"Even if the specific design flaw is quickly patched by Adobe we now know that 'universal' client based XSS vulnerabilities pose a real threat, and that the defensive modifications we must make in order to remediate them will a be significant undertaking."

Cross-site scripting vulnerabilities -- "XSS" for short -- are flaws that trick a user's browser into executing untrusted code, usually with the aim of hijacking the system or stealing passwords. Previously, XSS exploits have been limited to Web servers; in other words, the user has to be duped into visiting a malicious Web site.

In effect, said Symantec, the Adobe flaw proves that so-called "Universal XSS" vulnerabilities are possible. The term 'Universal' notes that a bug allows JavaScript to execute in a user's browser without the usual server-side XSS exploit code. "Since most XSS vectors to this point have been reliant on server side vulnerabilities, thus capping their ability to impact wide swaths of Internet users, this development has the potential to significantly change the landscape of conventional cross-site scripting attacks," the DeepSight analysis said.

Symantec referenced a recent paper presented by a pair of researchers -- Stefano Di Paola of the University of Florence (Italy) and Giorgio Fedon, a security consultant at Milan, Italy-based Emaze Networks. S.p.A. -- who originally disclosed the Reader plug-in problem.

"The ease in which this weakness can be exploited is breathtaking," said Symantec's Lau. The exploit could be delivered as a link within e-mail or instant messages, posted on blogs or forums, or as the DeepSight team warned, piggybacked on PDFs from normally-trusted sites.

After an initial analysis, Symantec said that the Adobe Reader XSS flaw works when Mozilla's Firefox 1.5 and Opera 9.10 browsers are used to view a malicious link, but that Microsoft's Internet Explorer 6 and IE 7 will both generate a JavaScript error when trying to open a PDF. Firefox 2.0, the most current version of the Mozilla open-source browser, also returns an error dialog, which reads "This operation is not allowed."

To deter such attacks, Symantec recommended that enterprises filter JavaScript at the firewall, and that all users consider disabling the Acrobat Reader plug-in within their browser. Inside Firefox 1.5, the latter can be accomplished by selecting ToolsOptionsDownloads and clicking the "View & Edit Actions" button. In the resulting dialog, choose "PDF" and click "Change Action." Pick "Open them with the default application option," click "OK" and "Close" and "OK."

Adobe was not available for comment, and had not posted any information on the plug-in's XSS vulnerability on its support site or to its message forum.

Thursday 04 Jan 2007 - 09:21

Security researchers are poring over what one vendor has called a "breathtaking" weakness in the Web browser plugin for Adobe's Acrobat Reader program, used to open the popular ".pdf" file format.

The problem was first highlighted by Stefano Di Paola and Giorgio Fedon, researchers who presented a paper in Berlin last week on security issues related to Web 2.0 technologies such as AJAX (Asynchronous JavaScript and extensible markup language).

The Acrobat weakness involves a feature called "open parameters" in the Web browser plug-in for Adobe's Reader program.

The plug-in allows arbitrary JavaScript code to run on the client side. The code could include a malicious attack on a computer, wrote Hon Lau on Symantec's Security Response Weblog on Wednesday.

"The ease in which this weakness can be exploited is breathtaking," Lau wrote. "What this means in a nutshell is that anybody hosting a .pdf, including well-trusted brands and names on the Web, could have their trust abused and become unwilling partners in crime."

Any Web site hosting a .pdf file could be manipulated to run an exploit, Lau wrote. Because an exploit is relatively easy to craft, Lau predicted attacks will start until it is fixed.

In their research paper, Di Paola and Fedon wrote that the type of attack used to exploit the problem is called universal cross-site scripting, which uses a flaw in the browser rather than a vulnerability within a Web site. A cross-site scripting attack involves the unintended execution of code as part of a query string contained within a URL (uniform resource locator).

Another Symantec blogger, Zulfikar Ramzan, wrote that attackers can exploit a cross-scripting vulnerability by creating a special URL that points to the Web page. In that URL, the attacker would code it to include some of his own content - such as a form soliciting passwords or credit-card information - that would be displayed on the targeted Web page.

When victims click on the URL - which, for example, could be included in a link enclosed in email - they would be directed to the Web page. If they fill out information on a form on the page, it could be passed to the attacker without the victim knowing the site had been tampered with, Ramzan wrote.

"The result is that the user is lulled into a false sense of security since he trusts the site and therefore trusts any transaction he has with it, even though in reality he is transacting with an attacker," Ramzan wrote.

An Adobe spokesman contacted in London on Wednesday afternoon could not immediately comment.

In highlighting the problem with the Reader plug-in, the researchers Di Paola and Fedon warned that Web 2.0 applications - such as Google's Gmail and Google Maps, both of which employ AJAX - will need to be more tightly tied to the security of Web browsers.

Otherwise, the plethora of features in those applications "can be turned into weapons if controlled by a malicious hacker," they wrote.

Jeremy Kirk
January 3, 2007 Exploit Surfaces in Web Browser PDF Plug-Ins By Andy Patrizio
Several security firms have found a vulnerability in the Adobe Reader that is surprisingly easy to initiate and also very dangerous.

The problem involves passing input from a URL to a hosted PDF file. The data is not properly cleaned by the browser's PDF reader plug-in before being returned to users, so any data can be passed through. This can be exploited to execute arbitrary script code in a user's browser.

iDefense president Ken Dunham provided a simple proof of concept, simply by tacking a little text on to the end of the link with a PDF file.

For example, the link:

"http://[URL]/[FILENAME].pdf#something=javascript:alert(123);"

Would open a PDF file in the browser, and a pop-up box would appear on the user's screen with an alert that reads "123."

Because it initiates a JavaScript script on the client, there is tremendous potential for dangerous activity, such as stealing cookie information or cross-site scripting.

Adobe (Quote) said in a statement sent to internetnews.com that it is aware of the vulnerability "that could potentially affect previous versions of Adobe Reader." Adobe further noted the potential vulnerability does not effect the current, version 8, of Adobe Reader, which it encouraged users to download. "Adobe is also working on updates to previous versions that will resolve this issue," the company said. Further details on this vulnerability will be published by Adobe here.

The exploit effects all versions of Firefox and Internet Explorer up to version 6.0, Service Pack 1, according to Dunham. His firm confirmed the findings, first reported by Security researchers Stefano Di Paolo and Giorgio Fedon last week at a conference in Berlin.

iDefense wasn't the only firm to validate Di Paolo and Fedon's findings, as security firm Secunia also posted an alert, as did SANS Institute

The problem is fixed in Adobe Acrobat 8, the latest version of the reader. internetnews.com was also able to confirm that the exploit does not affect Foxit Reader, a small, lightweight PDF reader and alternative to the Adobe Reader.

Scripts can be fairly powerful and the creativity of the attacker will determine what the payloads will be. Dunham said some proof of concept exploits have already shown up on the Internet.

Since clicking on a link could execute the script, one solution could be to right click on links to PDF files and save them locally, rather than running them inside the browser. Dunham said that is one way to avoid it but it's not a total fix.

"You could be surfing a site with obfuscated links, so when you click on it, it actually initiates a PDF link with the script instead. So there are all kinds of tricks people could do here," he said.

THE TECHWEB BLOG

Traitorous, Treacherous PDFs Part II

More news on the Adobe Reader plug-in bug, the day's biggest security story from my chair.

I wrote the story so far just before noon PST, and since then more security researchers have chimed in with their take. Some of it's contradictory, so bear with me.

(For the background, check out the morning copy posted here. I'll be here when you get back...)

Right.

VeriSign iDefense's Ken Dunham, for example, said this afternoon that his team had done some testing and confirmed that there was "a trivial exploit...in the public illustrating how easy it is to execute JavaScript of choice for cross-site scripting [XSS] attacks.

"By creating a hostile website with a fake command and arbitrary scripts following it, an attacker forces execution of the script. For example, an attacker could find a PDF on a banking site and then create a hostile website linking to the bank PDF file along with arbitrary scripts following the command. When a user clicks on the hostile link the arbitrary code is executed:"

Swiss security consultant and blogger Sven Vetsch posted a sample of just that kind of exploit: a PDF from

Bank of America

Click on the link...if you're using a vulnerable browser with a vulnerable version of the Reader plug-in, you'll see an alert labeled '123'.

Here's where the afternoon's details become muddy. Dunham said that IE 6.0 SP1 and earlier and all versions of Firefox were vulnerable.

Earlier today, however, Symantec's warnings said that Firefox 1.5 and Opera 9.10 were at risk, but not IE 6. And when I tried several sample exploits out from within Firefox 2.0.0.1, I received an error that said "

And Adobe, in a late-day statement, claimed that Reader 8, the newest update, was not affected by the XSS bug. "We encourage all users to update to this latest version of Adobe Reader," a spokesman wrote in an e-mail just before 5:00 p.m. PST. (Reader 8 can be found here.)

To clear the confusion, Symantec posted a follow-up warning to its DeepSight customers that included a Vulnerable/Not Vulnerable matrix. I haven't been able to verify it with people from Symantec's Security Response team, but the researchers claim to have confirmed this through testing.

Vulnerable:
Firefox 1.5 with Reader 7
Firefox 2.x with Reader 7
Firefox 1.5 on XP SP2, Reader 6
Firefox 2.x on Ubuntu Linux, Reader 7.0.8
Firefox 2.0 with Reader 7 on W2K SP4
IE 6.0 on XP SP2, Reader 6
IE 6 on XP SP1 with Acrobat 7
Opera 9.10 with Reader 7
Opera 9.0 on XP SP2 Reader 7

Not Vulnerable:
Firefox 2.0 with Reader 8 (on W2K SP4)
IE6 with Reader 7 (on W2K SP4)
IE 6 with Reader 8 (on W2K SP4)
Safari on PPC Mac with Reader 7
Safari on PPC Mac with Reader 8
Safari on OS X Intel with Reader 8

I'd also add IE 7 with Reader 8 (on XP SP2) to the Not Vulnerable list; I've tried every exploit I could find and IE 7 sailed through like a champ. (It may balk when equipped with Reader 7 or earlier, however; Adobe's not produced a list of what combinations of browser and Reader are threatened, and which are not.)

A stopgap fix for Reader 7 and earlier -- Adobe said it was working on updates to those editions -- is to disable the browser's ability to render a PDF within the application's own frame. In other words, force it to open all PDF in Adobe Reader itself, rather than utilize the plug-in.

Here are the steps for Firefox 1.5

-- Select ToolsOptionsDownloads-- Clicking the "View & Edit Actions" button-- Choose "PDF" and click "Change Action"-- Pick "Open them with the default application option"-- Click "OK" and "Close" and "OK"

In Firefox 2.0, it's almost the same.

-- Select ToolsOptionsContent-- Click "Manage" under the "File types" section-- Choose "PDF" and click "Change Action"-- Pick "Open them with the default application option"-- Click "OK" and "Close" and "OK"

In fact, I recommend this even if you're using a protected edition of Reader since in my experience, PDFs render much faster -- and without crashing Firefox -- in the Reader application instead of inside the browser.

Stay tuned on this...I'm sure there will be more tomorrow.
Posted by Gregg Keizer on January 3, 2007