eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.
Adobe Acrobat software lets parameters be passed to the software when a PDF file is opened. Generally speaking, this is helpful. But because this capability includes opening a PDF from a Web site using a browser, and Web pages can execute scripts, Acrobat can be used to launch malware. For example, parameters may be passed in this form:
www.example.com/any.pdf#name=value
This tells Acrobat to jump immediately to a designated spot in the document. (See partners.adobe.com/public/developer/en/acrobat/PDFOpenParameters.pdf for specifics and more parameters.)
The problem is that the software supports passing JavaScript in the parameters:www.example.com/any.pdf#attacker_parameter=javascript:alert(pdf-attack)
This tells Acrobat to execute a malicious JavaScript. Previously, this sort of “Cross-Site Scripting” (XSS) has required server-side vulnerabilities and was often difficult to invoke. Now it can be implemented easily and through proper use of features. It can be delivered through e-mail, instant messaging, and many other vehicles.
XSS can be blocked in a managed network through filtering at a firewall or IDS/IPS. Individual users can disable PDF opening in their browsers. In Internet Explorer (since Microsoft Windows XP SP2), go to Tools | Internet Options | Programs, press the Manage Add-Ons button, select the Adobe PDF Reader from the list, click the Disable radio button, and then click OK.
In Firefox, open Tools | Options | Content, click Manage in the File Types section, and then, for each type opened by Acrobat, select Change Action and tell it to open the external application rather than the Acrobat plug-in.
According to Symantec, this problem affects Adobe Acrobat Reader versions 6 and 7. Version 8 is not vulnerable. All versions of Firefox and Internet Explorer 6 SP1 and earlier are vulnerable, but Internet Explorer 6 SP2 and Internet Explorer 7 appear not to be.
Security Tip
Dont Get Sucked In
The following is based on a true story. A friend was trying to sell a sofa online. One interested party made some unusual requests which, it seems to me, were part of some weird money-laundering scheme.
Scrubbed of some of the personal information (but not of typos), here is the key message: I will be able to Use a private shipping company for the pickup of the item Okay? The Cahsiers Check / Payment will be issued today and will be mailed out asap but I would like to include an extra money on the cashiers check.The extra money is for my son to pay for his school fees at the [removed by editor] University in Netherland but I am not holding cash right now but cashiers check.I would appreciate your effort and concern if you could cash the check and send him money via Western Union after you have deducted the funds for the sales of your item + an extra $40 for your time and effort in sending him money Okay?…Kindly send your name and address for mailing the payment Okay? Upon recieving your response,I shall have the payment sent out.
Who buys a used sofa in New Jersey and ships it to the Netherlands? In all likelihood the cashiers check is a fake. My friend went with another offer, as should you if you get an odd request like this.
Top Phish
Top Phish
Subject Line: Bank of America Online Security Update
Description: Perhaps feeling that the best way to deal with Bank of Americas SiteKey security feature is to hit it head-on, phishers have been mentioning it prominently. This phishing e-mail gives good advice—”Always look for your SiteKey before you enter your passcode”—hoping that you ignore it: Of course, if you click through, there is no SiteKey. You are just asked for your log-in info, Social Security number, e-mail, and, to really rub it in, your SiteKey questions.