Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Adobe Patches PDF Reader, ColdFusion Flaws



 By: Matt Hines
2007-01-10
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
The desktop publishing software maker issues a pair of fixes for previously reported cross-site scripting flaws in older versions of its PDF reader, and also patches a newly discovered problem in its ColdFusion applications development program.

Desktop publishing software vendor Adobe released a trio of security patches on Jan. 9, two of which are aimed at fixing a cross-site scripting issue lingering in earlier versions of its Reader and Acrobat products, with the third targeting a new vulnerability identified in its ColdFusion development platform.

The San Jose, Calif.-based company issued two separate bulletins meant to address the XSS flaw present in its Reader and Acrobat applications, including a server-side workaround that promises to prevent exploitation of the problem in versions 7.0.8 and earlier of the two programs.

Adobe has already patched the vulnerability in its latest iteration of the products, specifically Adobe Reader 8.

The second of the XSS patches promises to directly close-off the same problem in Adobe Reader 7.0.8 and earlier versions, as well as Acrobat Standard, Professional and Elements 7.0.8 and earlier versions, and the companys Acrobat 3D software.

Resource Library:

Among the security researchers who first identified the XSS issue were workers on the U.S. governments computer emergency response team, or CERT, who said that the vulnerability in Adobes widely-used Acrobat plug-in could allow hackers to exploit any Web site that hosts a PDF file to launch code execution or denial-of-service attacks.

According to the company, the software glitch occurs because the Acrobat plug-in fails to properly validate URI (Uniform Resource Identifier) parameters for scripting code, allowing user-supplied scripts to execute within the context of the Web site hosting a PDF (portable document format) file. According to an advisory issued by the U.S. CERT, an attack that takes advantage of the vulnerability could be launched via Microsofts Internet Explorer or Firefox browsers.

XSS is a form of attack through which a hacker injects malicious code into a URL that appears to be maintained by a legitimate source, most commonly a business. When users click on a link to the infected URL, the malware code is executed on their computer, with most of the programs designed to steal valuable user information. Among the most popular targets used to deliver XSS attacks are major consumer e-commerce companies, such as online auctioneer eBay.

Click here to read more about the XSS bug in the Acrobat plug-in.

In its third security bulletin, Adobe shipped a patch for a potential vulnerability in ColdFusions URL parsing code that it said could allow an attacker to access directory listings in the softwares installation directory. Using a specially crafted command sent to the ColdFusion server, an attacker could gain access to the directory listings, Adobe reported.

The specific Adobe products affected by the flaw are its ColdFusion MX 7, ColdFusion MX 7.0.1, and ColdFusion MX 7.0.2 programs. The company indicated that the ColdFusion issue is remotely exploitable but said that the problem is specific only to some Windows installations of the software.

Much as vulnerabilities in Microsofts Windows and Office programs are magnified by the sheer volume of computers running the software, researchers said that the Adobe flaws must be considered serious as so many individuals and organizations use the companys various desktop publishing and development products.

Researchers at McAfee said on the anti-virus companys Avert Labs blog that a recent rash of problems with Adobes PDF technology, numbering six in total, should cause concern among people using the software.

"For many, the PDF has become the de-facto standard for exchanging documents," McAfee researcher Karthik Raman wrote in a blog posted on Jan. 9. "In using PDFs, some wish to sidestep the risks of malware-prone Microsoft Office documents, but with the announcement of six new PDF-related vulnerabilities in several security forums last week, we should all now be more careful with PDFs."

eWEEK Senior Editor Ryan Naraine contributed to this report.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK Security Watch blog.



  Reader Comments: Adobe Patches PDF Reader, ColdFusion Flaws
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Matt Hines
 


x}ks۸qf89zۑR%:-KOR[(H"yHʎfvrkd;8["~$IG=!hnQ?sF3齿O$o}(s-G7^=A-wu E]}4 99r z=>%?w *s=NN5KԜLxc&l es`p,="8Oud?XX$1qHˑh] ( /w,stDǎH*C'x8ӽi/DeO؀IQIM"x<&j>wn=ݣ723X]~jkC2pj9:TN`UFfnڭaㅰH A=c9p<^- Go#*YNrDƞ4HCKh;FýбF)u 5`r*jXtGL: nK>1`:xtDzf@h ɠâq!_Cp`eFWKjF=2}hG' :a;6]fu~ƷP7n'3GdYAvQKvT'`>6#ݟR~ 5OLEsؗCYG3fXqi 푦J5(GJ\S#x>o#޷L{DUyÙ5{JY4E].;gW9([pnKVj0n{'ݏ7q@α{A> Vb;}" @D%\.fI"0i56ttXOB^ $9@FI?j;jkMюR=2,f3}3+i*5$NߒL-~k~>EN,[SAT4 行ĠK`W:k4^tܜn.9n:MvIs!)|r!pgs Z_Zv<-_=ro,rG=jiTj{S{t&޺p|9!9Io 'ȿ۾Bd}#$7$̏Q5 x#J 9"3E@- uj 0k:j56kiJ )B:%yWϝ5>Hr Ca)#8?S%Wi8@r-XSl \M4x N2X U >hI,E[!fT}N}%I FBzBp4NQ}Y}vi|Q}Ѧޣ83ݘI70i\+Gݺ~NnXŞ*Fԇ9[i50CA 6v|scм`y&nAܙ@[3衟#]ӽ:?A2/?>fxsܧP}MrA}1g`sDowiChnPBԆ!~9.b&;A/tKt=JIAF"D%  h4AǰEEN@@w;.VKŤ\*1=Ri !sg RKvn KŔ=*%nqR%a 3ʬ$&vφa[LboD6], S m-muk{XT4V§#&c0a z {[W5ܴF K0Pl;i`0Ԑ(ʲEg9@Ϲp4ğN'=ǺdmA 9g߃)兏u5dMjE3ӆ4$rW"Ch#2!jԹǦZ&;TN`cܒn86h{Ͱ&QoTM?>yBOM\naDP$7:O̯'ܑ-Ӿ/߄V )9vC\D ry͚X 4ؐ|ƓBw7Cn^ښIJ:#w4)dzz#J}tG)'SgFFJ V zh'Nѫ>Ug plTo-V,~%fsP*WuR@_F&ۊx A-ژ WZڄ"JMP>L2Cɣ($mU2LkInPx{8`O1k=0\Pe_M }d2waՒhXj|-[Y`B^eܠQI ~c &ʥ ë;q\czu@nztq˱3 m0TN#}0 ;u- SO5,vFVfJ-  o _%tp:P[%n//+ i{u]ؕ.R\lh>n GC= 0ɉV*a0؋TMk <ݝvmļZB_@iXԗKJAUc/`kLĽf2,rƎe9وAF CQ>-D.L{ jpj Zqqf~~~0,Ly.Jo>:VN0\}OДa˘34|q6L,*IH砉bAQ OkMf٧gL副3 h0ցq_HEy[pp\U.(L,:j1-[ Hg [Qzo3C zoA$zcK& GpӞrVyC濚?O~4T+BZ= QQT*߬Ps1)'@S$f|0Ɓ3STb/Nݷ7zs4gRJo0t*tȕ`s|eLFjAB;?kJC4By^FBDVAE #ӣFptoգ)u7qfv9Aخ crFm1qW;'PR(zg}ѲIPё1[D {@nUESU[K[3]V< OQ: lzCx `QtEa&JiE[ `{IMz,O1)"_pkx豸2] QB|5z0f&QafY[ ⺪TjՂʾ_YN+^> )#@ `! Kx{ZCAk1۩Dw\܁c2P>H(Tg7gME]ac6U{zn&)Z-MӓU;4 OcIۛGoj-r<9E7"=_`%SQl7xv@̬}#u6霎0Fy-0>i[FL4Ω$2 خCg^a+w9e>c'WwO}VApA JǸ}sWn~U=_)Xb9JiRx` fΌ|li {o$2Z9p驔rgPWtqM×o[?nHCo`sߪ 车OQzQ|Z%&j|$}PQ]|U&CUX)TԒ?IXncEZ{"ZAX_xLl AKl!/`.R(c/Z4["X.)DД7ϰ3Rb kQh2Fyq'̕%$X\%=QXu@Z:h/ UH6neUT tVB 'I= g?amy`:JU4qy27(kML7 xG ʟ?9?qw@ 02Nr|(VVJr=ȅ9qC` H\Q"Y @rrjT Gr2RDBZNBq<8N+& oRٟ:sɖBz/$DDOCVjgX& 21ǟM1HWW_(1A A D@";n߱?% ?S-Ѝ)8gMX1BNrE])7V4}ڽK͋C<4zGNӽ<䭃b>"gλ~&`}/{4.ЇR!)XԼwpْ:wm~t1} }LAIP 4 5>"!}ׇ̿{9gEU\;li? `yBr+~{!\4u.ŗtOk~Rw.R1~JdG yywyru8+Dyy|ly0amG 'Lkd܃a+H0 RX׭5'^ t%V}Xxr!q(a4lS5/Q Bb/߅!|JgG<AP#{ r P)'$N):cϻ;H4BL0BD_XJI!)W$f'eMr gaBxYa1~8rfi?%>iפybAc$H~"`@wGL|9~ſ§G' ;s]#'伉a-^QW{20t[dϟؗ_{vOKr4]9ngUcf{I2$BUUk ʾZEVeΜtٓ^t2<>:kx7Yu (f~X:pGʤsmmf<ݸ+gkf1rje}|} ~ ]=PI=w)~=Ғ(r_&ZD Np5Q{qI9.p}?,s`\TzH^8Xڃ}coD:*p&^<{c Z~‡i4&Km<^tFr:? G OfxիR\P`-ݺܭ1J3"q#ĠHߙSsEs _534:as*|"ZyVa~5ߊ:"Y1!Qfm!ZP|;ߎ93{K8j TWeϦ߂C !C94y˭0L  ܛ'VDe86[b[05| ttfڰJ;~ːudqPBn!Qh_, @ExCΕ&QrqvoC^}a%;-n*as9:-6zɄEY8nIb,OZf!::Qu4'U1!aBȂn2 *Aj 9Մ@[vK8NymXi첎|D>ގbeF)HnjqXP1xf~͗dBwb8KRKgI!CBrǕ'_tꐬdg"ǔ'YN&iIRYқH,3 69x| 1aԗuz"λ$NxX(S4ɁVhRbrb/?:]'Ge#z s_Ő O F@/xkZy]/WU-؆IQy%P?bPP1T=$LyWvP4T8r|m`/}[Eq (R$E:zΌJWtxR-Uj0JE,+f칤`XG jOE @,sLSMS2+ԓx*+"7^![K*i䱼 r՞\BEhOXKoT) i**5;u/UjV [Zs@B؄&W@'Z^! ٯ]OCQIM-<#).MgpJNC]86~.+J)>98d@$˒IǠAkmi!xޗ9u*u]jw10ɼ6W0`a@^M0~D2 $RܖdJN2g-_ļXS(YEr Тˢyq6TQ(mIQs{/9cQcJYPt .7 .#d*ZZ $|F$I$` E~EJGLڜz}sGS4I-lKzg'͎|{1,eN033t)|,"JX( "$,^펊 ycwvU ^p7~ř0_\U EV*? ˫w +Ɨ.RgDu st5ś #I_}r ͺciF[n34?r~S )~ՙp,K'" `Vei3%ZV 7VI'p8Ob$BH 0m? gؒBLu{9f;W(R["D kl 9U+HxO#8xΖs\js|9[D9 -tʤ}.a[SmW3,1,cJ@0 [.k$j$ J7ϊϊsBےjKfsLdzs3R0/s"MKצzmUyZi LdrA3!k"04gg%>ܴ_$X? ;5k/aa]" 5``fg gFةdRdR.Ay X,P{$HlGJI S. xzG8<`=% Q(4&I(}.RPS_ tH+IRlIc,XaBC-6kD?|u\84V}k7hJ$d$]9#Ch:WI#ykLKciy]=RG8ofB B %"h{4mض7z ?euF& @H)u*nг:$Lu{!h4:-\/C؇LCx,4$"Yx(q!bq<߈;̤3|c'<ٳ娓t(>M9+SǛ 2"0z[k FD/FRRgI~CQtl1(i<歗_{a-=@ȹ7/\aC 2߆A5? g35,ӓby7Hb`9gP)}JxJܱ `y]5U_nʸj븺e)V$ޢ&w '5Osb$jycrmo߃ QQ=6۬WǼEHvj}cb$嵙tm{}Ʒi``W۲:ư>/p=uaYmZ8Gg]I:c5HLneiw>h<[y{©وj|ubCF$tF87?ҷD+⌱fnmO %s_fJI4PW"J+ɻtF`{ӳp s瘣W 5وy_ڳK۪_xZأIe^le-#IO:,Zh{8S[~xz1̜C1gP10&+3#߯·xq{Q=cܧ{7~ٷ@(Ro\kE_A-Ĵhgϡ6 ?.n'Cz-11^\?D>z/* O2?FWeA:^oۑߗ DŢW\Ѻ= !kjb`!wN4#|niIAehX4Ay~r,zb?EW-}8TDpvCUrBYm2yܕĤAI҂B46ĨW\ϔn"9H@ßGñ:-FXy-D9D NE7wyaWY`<҈ǸPFPxAiLn:keabư1fSYhe[!ncb9Wj\(.IQ:-~e=_@FS3 n /TJ9tk`ɣ.j"+, JD<xo-F5֠˷lo?)fF<&L8`;by=VڹqwzRKo^;G'inVu&CKo#On@)Op'찔k?1c6;,%PAƮ}8M/k瓔KPI ף:̹O$pMDF0ۆU 2i#7Cy^F3}qݗ'V5U*5YQ%OR;Urs0'\=}3P="QGlTҊj95Y Rr ,6aN]y(F<<~Q,턂R!Fғ>AĘ}ob>>-œ>V-V]M5@^(]LiB])n.WݹHu+nl@,l6ÝjҢ3+vl"6\%pKp|{ 1Xz"f63ZI B\,=_!Ƙ`QLj TTbЭB1˪M;InP}wY?e=` '^jn_(5 /U@8AnKi${ v tL'`߄>FS@.M Arj$Ǘp =<|6ڄy빟iDž$YcGN`_ !ԓGĽ)׀!gxRWH7}H['鍀I"䏖+62sjly /uhߴsrپ靷u=<@Ѕ3Gym"'Z103 3E[҇a9~L'L$EuE)fc<a]mк|UH_ |9@G)׼9Ĕ#S[޾y}SjJ՝ cpT`sjd5B&t857>|?_ziJ0%‚ 5" 7n#BFxL1fH'i֜iĄA|BY_j :u@>v;WZj !1gGi>'߀1BJ P"08y (bWE@O-,(ωB5D*%n67PF-<~4 u|``EP00a|Lo?gQP/nΆt'@ff9p͒w\j:rtT(ʁ2|{C@uss<RS¤vxX-><' .yHcI ^iN4X+lN7Lzwj@p),f,TՊR &uUu]j)q^]x YV^"_ӄ\I \A] / PIZ WuG17u0 }a3B};X`n'rڽ&Mrznއu^y0a[kN|SwO'ݫOu粟kxS6M&ƋBy22 ͋6Sr=\H^Eƒ<^;OKvYGcqy v^< NL*a^e=DM@*}u7G#PlW?fgz uӲr :Ogg:.?.c3ԢF p7x`:X)` /\js@1@C|kO{5Bx_m9g埡sF5_o.?i63ʻP(GJo.oZ(?\~ 9;6urN+2ʡsQd}/x(6 xd\/2/~/2{"c@yyAȣ3Ϡ,P ((̘K ̘..ȟn|fȗ+ 2޿Π11>_?m.!>BǬrnj}} dd  M%u$e!(ofY NOoT8\8^JeYWa uyQ^ yVV<^`fkWx.rf e{)[?[;W'Vr]!,.5PUZk3/Y3ݴ6q cm{}eh}1Ɨ^Z%/ޤls-D4{HO8ѭ<\zI[F4YQV=.v8)n7 pK|` nsOkr>uxvY^][X;Yo%P.CIsge@ܐ4([ԙqeOޢD)+Fy5b37>RqFPg^u= :!Y>Y"x}s&pJ!J8?0HM׳pNť8 a箩%7=xzK=sq&`ꣁa@R'9w>EM++J9wwrHi3""CQ5YUdJ.'jeV*V&K=3 .=m^d fGZCO3CX)ḇ}̺l%@ P1=:1e{TU|y3KB`XT;7I5@18Lo9Xj-/#RQW!+\@ř_pot1R  {{[1g7ډe:鄓q8SsӄwYADsW8v[h xqfڔSF Lwzxԅ&`" >oٔ^^C~ N*˗ X627\<'|sӸ [2FdX jXJr 9;9߭Z$ǖD}I\#u{̪ E}Q!je:p/ipx\C3l[px fL~Ʈ.'%x^ȗc?Hwi dd3b=^(u 61-dt{z$Ok ̄Qxy|?I*_yl xdDأCDOv& @Cǹ~rh`=)gE\}T.q " 2HH 2s{D|%{j=S%n29v&Y r:'쭰F |m'\1SSFӹ"=ǚ X?(IÄ)mød |A«E/=ׇ"cX =`?EbС2WSXnA}FV$5௛B|z^Dl, - O*_H^mMqKBljmIm{X|@ăx!$[0Wp\eC[gI2D~{F=&*P=Fm- e'.r}7{ /ݤd/+2b%vl#i*iVХۈ oX)un'|oȯ)0XPi.yᲁe":} S sgTt|!,ڍNM[ U|ٱsh0Ŭ‘Ѷz SO~l^(Co 66x}҄ut^pgUvy*s*>`H6A1^<;z[&Tc :ۓ|? Oe Mt8/o9kn>7Q$L{ izQڃˤ`+L- `⎈me@eV9H\*,Ef  ΋?FV) 3/: Ǣ8BU(];6s/>^|˼kAўYnw0w>L/#]ZFC`p ۂ{wXiWeJpC)tO˞č˰ANxA_X (K#LwEN8u vKѺ v7" a^n1n-/ـ9&@r=֏*.ufil6r!* XGڢFMQaW:~ib=x{&*kW؁nl`Tq9AngNb 2{~w!Ǹ 0tczo~Z[8K cd.XI@ qk,Ma4,Lb5"[]QI(`vX33},@a)5\BO SoO80Ux|-h\};X\9i,8LgѼ8"Hxxw9+[Ѐ7H>Y;PE"1s1GN= `5>gvC%݄6:L]Ll&j1Bi>c1bfrW`2M.<jgWP Y-f1!Dv88)ҡCCĚR!*aڇl*~H&,{+нD~xFs-^8Q> χ"@Ă+"e}q$YˌhT*.㉋oڝwg5'u nw-)h!/-(ZNN`)Xfչ|S%ȕ/2f#-<#@隣J"4&o(FҢ̰Ge=)jaKmN~늘P%On6PUN9KIk^iLNƇZڱ wm<lx61T&.h*