A recently discovered vulnerability in Adobe's Acrobat Reader is more dangerous than first thought, security experts have warned.
Detected earlier this week, the flaw in the Adobe web browser plug-in allows malicious users to construct the address of any site that hosts an Adobe PDF file and use it in hacking attacks. An attacker could construct seemingly trusted links and add malicious JavaScript code that will run once the link is clicked, experts said.
However, researchers now say that cybercriminals could exploit the vulnerability to steal information directly from the user's hard drive.
"This means any JavaScript can access the user's local machine," Billy Hoffman, lead engineer at SPI Dynamics, said in a statement. "Depending on the browser, this means the JavaScript can read the user's files, delete them, execute programs, send the contents to the attacker, etc. This is much worse than an attack in the remote zone."
According to Adobe, this vulnerability does not affect Acrobat 8 or Adobe Reader 8. The PDF giant vowed to release patches next week for previous versions.
"Adobe is aware of a recent cross-site scripting vulnerability in versions 7.0.8 and earlier of Adobe Reader and Adobe Acrobat that could allow remote attackers to inject arbitrary JavaScript into a browser session," an Adobe spokesperson said in a statement. "This is not a vulnerability in PDF. Specifically, this issue could occur when a user clicks on a malicious link to a PDF on the web."
Jeremiah Grossman, CTO of WhiteHat Security, said this week that if the flaw had been discovered earlier, it would have made his 2006 top 10 list. The vulnerability has a good chance at becoming 2007's most dangerous flaw, he said.
Asked how long it would take for an attacker to create an exploit for the flaw, Grossman replied, "Five minutes or less - It's not only really bad, it's really easy."
"XSS is normally a server-side issue. In this case, it's not; it's a website issue. So the fix has to be the on the client right now, since the servers are not able to fix this."
Ken Dunham, director of the Rapid Response Team at VeriSign iDefense, said today that his firm has determined Internet Explorer with Adobe Acrobat versions 7 and 8 are not vulnerable, as is the case with Firefox with Acrobat 8.
Dunham pointed out that while the possibility of cross-site scripting does exist, "it remains unproven, undeveloped and relatively unlikely at this time."
"While concern is high, due to the widespread use of Adobe products, the impact of this threat is somewhat limited at this time," he said. "Exploitation of this vulnerability is trivial. Instead of clicking on a link to get a PDF file, you get more than you bargained for, execution of hidden JavaScript statements."
Click here to email Online Editor Frank Washkuch Jr.