IT Blogwatch

A Daily Digest of IT Blogs from Richi Jennings

Pesky PDF problem panics punters (and OpenTom)

Don't click that PDF! IT Blogwatch explains: researchers found a nasty bug in Adobe Acrobat. Not to mention how to install your own software onto a TomTom GO satnav...

Jeremy Kirk clues us in:

Security researchers are poring over what one vendor has called a "breathtaking" weakness in the Web browser plug-in for Adobe Systems Inc.'s Acrobat Reader program used to open files in the popular Portable Document Format. The problem was first highlighted by researchers Stefano Di Paola and Giorgio Fedon, who presented a paper in Berlin last week on security issues related to Web 2.0 technologies such as AJAX (Asynchronous JavaScript and XML).

The Acrobat weakness involves a feature called "open parameters" in the Web browser plug-in for the Reader program. The plug-in allows arbitrary JavaScript code to run on the client side. The code could include a malicious attack on a computer, wrote Hon Lau on Symantec Corp.'s Security Response weblog.

Symantec's Hon Lau analyzes and explains:

Like most things in life, [the Open Parameters feature was] designed for benign usage, but unfortunately somebody has discovered that it can also be used for malicious purposes ... a significant problem relating to Adobe Acrobat files and Cross Site Scripting (XSS).
...
The ease in which this weakness can be exploited is breathtaking ... requires no exploitation of vulnerabilities on the server side ... anybody hosting a .pdf file, including well-trusted brands and names on the Web, could have their trust abused and become unwilling partners in crime ... Due to the power and flexibility of JavaScript, the attacker has a wide scope for inflicting damage.
...
If you are using Norton Confidential Online, you are automatically protected against the current exploitation methods utilized in this attack. For others, you can mitigate against attacks by implementing JavaScript filtering capabilities on corporate firewalls and intrusion detection systems, and by disabling Adobe Reader plugin capabilities in Web browsers. In addition, beware of people sending you links to .pdf files on the Web. Check the URL for any unusual text or parameters after the .pdf extension. This would apply to all the usual distribution channels such as email, instant messaging, Web browsing, and so on.
...
You can avoid this problem by implementing a work around in your browser so that it does not use the Acrobat Reader plugin.

RSnake has more:

It’s true ... PDF is vulnerable to XSS injection regardless if you have control over the PDF itself. Which means any website that has a PDF on it is now vulnerable to XSS injection.

The trick is simple:
    http://path/to/pdf/file.pdf#blah=javascript:alert("XSS");
...
This is a really nasty issue, as any automatic redirection or getting anyone to click on a link can now compromise that website if they have Adobe’s PDF reader installed (which practically everyone does). This is one of the worst issues I’ve seen in a while, as almost every major website has PDFs on it (investor relations, white papers, sales sheets, etc…). You might want to remove your PDFs for the time being, protect them or at minimum host them on a domain you don’t care about.

And later he adds:

I spent exactly 5 minutes looking at my machine before I found a default file that is included with Adobe Acrobat Reader 7.0 ... Great. So let’s see if it’s vulnerable to the XSS DOM injection:

    file:///C:/Program%20Files/Adobe/Acrobat%207.0/Resource/ENUtxt.pdf#blah=javascript:alert("XSS");

Hmmm… It would appear that Adobe Acrobat has now created a local JavaScript issue for Firefox and Opera users. I’m sure there are other default locations for other versions of Adobe Acrobat. Very scary stuff.
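Symantec's advice to check what follows the .pdf extension can be automated; the sketch below is an added example, not code from any of the quoted authors, and it classifies PDF links by their fragment. The fragment is never sent to the web server, so a check like this has to run where the whole link is visible (a mail or IM gateway, or a page scanner), not over server access logs. The function names, the verdict labels, the parameter allowlist and the sample message are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, unquote

# Schemes treated as script-bearing (this example's choice).
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")
# Open parameters recalled from Adobe's published list; adjust per Reader version.
KNOWN_PARAMS = {"nameddest", "page", "comment", "zoom", "view", "viewrect",
                "pagemode", "scrollbar", "search", "toolbar", "statusbar",
                "messages", "navpanes", "highlight", "fdf"}
URL_RE = re.compile(r"(?:https?|file)://[^\s<>]+", re.I)

def _normalise(fragment):
    """Undo nested percent-encoding, strip control chars/spaces, lowercase."""
    for _ in range(3):
        decoded = unquote(fragment)
        if decoded == fragment:
            break
        fragment = decoded
    return re.sub(r"[\x00-\x20]+", "", fragment).lower()

def check_pdf_link(url):
    """Return 'script', 'unusual' or 'ok' for one URL."""
    parts = urlsplit(url.strip())
    if not unquote(parts.path).lower().endswith(".pdf") or not parts.fragment:
        return "ok"
    verdict = "ok"
    for param in _normalise(parts.fragment).split("&"):
        name, _, value = param.partition("=")
        if value.startswith(SCRIPT_SCHEMES) or name.startswith(SCRIPT_SCHEMES):
            return "script"        # the #blah=javascript:... shape shown above
        if name not in KNOWN_PARAMS:
            verdict = "unusual"    # unknown parameter or bare token: review it
    return verdict

def scan_text(text):
    """Return (url, verdict) for every PDF link in text that is not 'ok'."""
    return [(u, v) for u in URL_RE.findall(text)
            if (v := check_pdf_link(u)) != "ok"]

# Constructed sample message body, not real traffic.
SAMPLE = '''Q3 report: http://intranet.example/docs/q3.pdf#page=4
Please review http://www.example.com/ir/annual.pdf#blah=javascript:alert("XSS");
Encoded: http://www.example.com/a.pdf#x=JavaScript%3Aalert(1)
Local: file:///C:/Program%20Files/Adobe/Acrobat%207.0/Resource/ENUtxt.pdf#blah=javascript:alert("XSS");
Odd: http://www.example.com/b.pdf#foo=bar
'''

if __name__ == "__main__":
    for url, verdict in scan_text(SAMPLE):
        print(f"{verdict:8} {url}")
```

A bare fragment such as `#chapter2` is reported as "unusual" because it is not a known parameter name; treat that verdict as a prompt for review, not a block.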

But Adobe's John Dowdell notices that the sky hasn't fallen:

This exploit was already addressed in the current Adobe Reader, and more current versions of the browsers ... Bottom line, if you're using current Reader or Firefox then you can auto-click links at dicey sites with less fear. It would have been good if we had some more time to handle all the back-versions and installers for locked intranets, though....

Ars' Matt Mondok confirms:

I was able to validate the proof of concept code with Adobe Reader versions 6 and 7; however, Adobe Reader 8 prevented the code execution and presented me with an "Operation Not Allowed" dialog box. The validation was done in both Opera 9.10 and Firefox 2.0.0.1. Internet Explorer's Adobe Reader ActiveX plugin is not susceptible to this problem.

Obviously, one way to protect your PC from this vulnerability is to upgrade to Adobe Reader 8.

pdp is depressed:

The only solution is to have Adobe release a patch as soon as possible ... but let’s be honest with each other, things won’t get better. It is not that Adobe don’t have good guys there or they are irresponsible, it is just the fact that not that many people update their PDF reader mainly because it usually requires a large chunk of data being downloaded and installed. The process is very slow and bulky and puts off every security enthusiast. I am not sure if Adobe has silent update for putting off fires like this one. Anyway, we will see this attack vector for a while in the wild.
...
Unwillingly we have become solicitors of a very dangerous craft.

And finally... OpenTom: Run your own software on a TomTom GO [hat tip: Hack A Day]

Richi Jennings is an independent technology and marketing consultant, specializing in email, blogging, Linux, and computer security. A 20 year, cross-functional IT veteran, he is also an analyst at Ferris Research. Contact Richi at blogwatch@richi.co.uk. Ketosis stinks.
