Adobe Patches PDF Reader, ColdFusion Flaws
Desktop publishing software vendor Adobe released a trio of security patches on Jan. 9, two of which are aimed at fixing a cross-site scripting issue lingering in earlier versions of its Reader and Acrobat products, with the third targeting a new vulnerability identified in its ColdFusion development platform.
The San Jose, Calif.-based company issued two separate bulletins meant to address the XSS flaw present in its Reader and Acrobat applications, including a server-side workaround that promises to prevent exploitation of the problem in versions 7.0.8 and earlier of the two programs.
Adobe has already patched the vulnerability in its latest iteration of the products, specifically Adobe Reader 8.
The second of the XSS patches promises to directly close-off the same problem in Adobe Reader 7.0.8 and earlier versions, as well as Acrobat Standard, Professional and Elements 7.0.8 and earlier versions, and the companys Acrobat 3D software.
Among the security researchers who first identified the XSS issue were workers on the U.S. governments computer emergency response team, or CERT, who said that the vulnerability in Adobes widely-used Acrobat plug-in could allow hackers to exploit any Web site that hosts a PDF file to launch code execution or denial-of-service attacks.
According to the company, the software glitch occurs because the Acrobat plug-in fails to properly validate URI (Uniform Resource Identifier) parameters for scripting code, allowing user-supplied scripts to execute within the context of the Web site hosting a PDF (portable document format) file. According to an advisory issued by the U.S. CERT, an attack that takes advantage of the vulnerability could be launched via Microsofts Internet Explorer or Firefox browsers.
XSS is a form of attack through which a hacker injects malicious code into a URL that appears to be maintained by a legitimate source, most commonly a business. When users click on a link to the infected URL, the malware code is executed on their computer, with most of the programs designed to steal valuable user information. Among the most popular targets used to deliver XSS attacks are major consumer e-commerce companies, such as online auctioneer eBay.
In its third security bulletin, Adobe shipped a patch for a potential vulnerability in ColdFusions URL parsing code that it said could allow an attacker to access directory listings in the softwares installation directory. Using a specially crafted command sent to the ColdFusion server, an attacker could gain access to the directory listings, Adobe reported.
The specific Adobe products affected by the flaw are its ColdFusion MX 7, ColdFusion MX 7.0.1, and ColdFusion MX 7.0.2 programs. The company indicated that the ColdFusion issue is remotely exploitable but said that the problem is specific only to some Windows installations of the software.
Much as vulnerabilities in Microsofts Windows and Office programs are magnified by the sheer volume of computers running the software, researchers said that the Adobe flaws must be considered serious as so many individuals and organizations use the companys various desktop publishing and development products.
Researchers at McAfee said on the anti-virus companys Avert Labs blog that a recent rash of problems with Adobes PDF technology, numbering six in total, should cause concern among people using the software.
"For many, the PDF has become the de-facto standard for exchanging documents," McAfee researcher Karthik Raman wrote in a blog posted on Jan. 9. "In using PDFs, some wish to sidestep the risks of malware-prone Microsoft Office documents, but with the announcement of six new PDF-related vulnerabilities in several security forums last week, we should all now be more careful with PDFs."
eWEEK Senior Editor Ryan Naraine contributed to this report.