Critical Zero-Day PDF Bug Compromises Windows PCs

By Lisa Vaas  |  Posted 2007-09-20

A zero-day PDF vulnerability in Adobe's Acrobat Reader can allow hackers to take control of Windows boxes.

A zero-day PDF vulnerability in Adobe's Acrobat Reader has come to light that can lead to Windows boxes getting taken over completely and invisibly, according to a security researcher. "All it takes is to open a [maliciously rigged] PDF document or stumble across a page which embeds one," said researcher Petko D. Petkov, aka pdp, in a blog posting on Sept. 20. Petkov said he's closing the season with this highly critical flaw—a season that's included, at least in the past two weeks, his discovery of a slew of serious vulnerabilities in meta media files: a QuickTime flaw that can be used to hijack Firefox and Internet Explorer; a simple method of loading HTML files into Windows Media Player files; and an easy, six-step method by which to penetrate Second Life accounts with an IE bug.
This PDF vulnerability is even worse than the QuickTime flaw, Petkov said. Mozilla provided a Firefox workaround for the QuickTime flaw earlier the week of Sept. 17, but it can still be used to compromise Internet Explorer, as security researcher Thor Larholm demonstrated in a posting on Sept. 19. Apple hasn't yet released any details on the status of a QuickTime fix.
Paul Henry, vice president of technology and evangelism at Secure Computing, based in San Jose, Calif., said in an interview with eWEEK that PDF vulnerabilities have a strong advantage when it comes to users being tempted into opening them, giving this vulnerability the potential to become a "huge" attack vector. "From a social engineering standpoint, it's easier to attach a PDF to e-mail and assume [the target will] open it. If you've got a request to launch a video conversation from someone you never heard of, chances are you won't do it. Or you won't click on a video online if you don't know where it's from. But from a social engineering point of view, this is deeper."
For its part, Symantec, based in Cupertino, Calif., on Sept. 20 warned customers using its DeepSight Alert Services that Adobe Acrobat is subject to "an unspecified vulnerability when handling malicious PDF files," allowing remote users to take over targeted machines.
The scenario is that an attacker rigs a PDF file designed to exploit the flaw. He or she distributes it via e-mail or through other means, or hosts it on a Web page. When a user opens the rigged PDF file with a vulnerable application, the user's machine can be loaded with malware that makes it open to a takeover. Symantec said it's not aware of any working exploits out yet.
Still, Henry warned, the PDF threat is real. "The ability to use PDFs to install malware and steal personal information from remote PCs is here," he said in a statement. "Readers should be cautioned to only open PDF files from senders they explicitly trust."
Given that this latest meta media file flaw with PDF documents is so critical, given also that PDFs are used throughout the business world, and given the fact that he expects Adobe will take a while to fix its closed-source product, Petkov said he's refraining from publishing any POC (proof-of-concept) code. "You have to take my word for it. The POCs will be released when an update is available," he said.
This has miffed some. "If you have nothing else to publish than 'Please don't open PDF Docs, but I can't tell you why,' it would be a better choice [to] shut up instead [of] bringing no information," wrote somebody with the handle of Jan Heisterkamp.

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
