By Lisa Vaas  |  Posted 2007-09-20 Print this article Print

-Day PDF Bug Compromises Windows"> Others are willing to take Petkovs word that the flaw is too critical for a POC. As it is, Petkovs credibility is shored up in no small part by five PDF POCs he put out in January. One of those PDF vulnerability POCs automatically opened a folder displaying the victims c: drive on his desktop; another displayed the file path to the temporary stored PDF and revealed the user name; and Petkov also posted self-contained, local, Universal PDF XSS (cross-site scripting) flaws: one for Internet Explorer, one for Firefox and one for Opera.
In spite of Petkovs having refrained from putting out a POC for the latest PDF flaw, somebodys sure to piece together an exploit or POC out of the other five, Henry said.
"Everybody and his brother has the other five POCs he put together. With a little tweaking Im sure theyll put them together pretty quickly," he said. "I would have to assume [the six PDF vulnerabilities are related]. Hes done a lot of work attaching JavaScript to media files. We have to assume this latest trick involves a change in something with the media files, with JavaScript. Its not rocket science." Henry said Secure Computing, for one, has been sounding the alarm about PDF since Petkovs original postings. "We raised the flag in January when [Petkov] discovered the initial [PDF] vulnerabilities and publicly released the POC code," he said. "Shortly after that we saw a huge upsurge in PDF attachments in spam. We all have to be cognizant that the POC is out there for potential vulnerabilities. This would be a very good vehicle for malicious guys to move code into our networks." Adobe, also based in San Jose, said within the past few weeks that the five vulnerabilities in the January POCs represented a low threat risk. But with Petkovs most recent finding, Henry said, "We see an announcement that at least this current version is absolutely not low risk." "I think this will create problems for us," Henry said. "Im [warning] people … plans need to be put in place to quickly raise awareness in the organization that there might be a risk in PDF files. Were informing users to not open files that a) come from someone they dont know and b) they arent expecting." Petkov wrapped up his most recent, most terse PDF posting by telling Adobes representatives that they can contact him "from the usual place." Adobe issued a statement on the evening of Sept. 20 saying that its aware of Petkovs post, has been in communication with him and is researching the potential issue. Adobe will update users on its Adobe Security Bulletins and Advisories page. Also, the statement said, all documented security vulnerabilities and their solutions are distributed through the Adobe security notification service. Petkovs advice is to keep away from PDF files, local or remote. He said other viewers besides Adobes Acrobat Reader might be vulnerable as well. He has verified the PDF issue on Windows XP Service Pack 2 with the latest Adobe Reader 8.1, although previous versions are also affected, he said. Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel