We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Security hole appears in Adobe Reader

Exploits only proof-of-concept for now

A security researcher claims it is possible to install malicious code on a user's computer through standard Adobe Reader features.

David Kierznowski has published proof-of-concept documents for exploiting the ubiquitous software that are not traditional software code flaws, but instead demonstrate a new trend affecting desktop applications - the use of legitimate features for dangerous ends.

Last week, a US government research body found that attacks using cross-site scripting or web-oriented scripting languages had become more prevalent than the more traditional buffer overflows, which affect desktop application code.

"Recently, there has been alot of hype involving backdooring various web technologies," said Kierznowski in his study. He said PDF documents seem like an obvious target because they support JavaScript, but found that exploitation wasn't straightforward, partly because Adobe supports its own JavaScript model.

"There are quite a few twists and turns," he wrote. He said Adobe Reader and Adobe Professional also have very different restrictions on which JavaScript objects are allowed.

The first attack, found here, adds a malicious link into a PDF document. "Once the document is opened, the user’s browser is automatically launched and the link is accessed," wrote Kierznowski. "At this point it is obvious that any malicious code be launched."

The document works equally well with fully-patched versions of Adobe Reader on Windows or Mac OS X. It doesn't affect other PDF readers, such as Foxit or Mac OS X's Preview. Testers also noted that if the test document is launched from the desktop, it warns the user before opening the link, while if launched from the web there's no warning. "Both Adobe 6.0 and 7.0 did not warn me before launching these URLs," Kierznowski wrote.

The second attack uses Adobe's ADBC (Adobe Database Connectivity) and web Services support, accessing the Windows ODBC, enumerating available databases and then sending the information to 'localhost' via the web service. The test is found here.

Kierznowski said that because of the nature of the attack, using legitimate features, it was likely that similar exploits were likely to be possible using Adobe Reader's support for HTML forms, file system access and other features. "I am sure with a bit more creativity even simpler and/or more advanced attacks could be put together," he wrote.

He noted it was possible to backdoor all Acrobat files by loading a JavaScript file into Acrobat's JavaScripts directory. Adobe said it has no immediate plans to alter its products' JavaScript handling, but said it is aware of the research and is 'actively investigating' the issue.

Yesterday Adobe released Acrobat 8.0 and integrated it with its upgraded Creative Suite 2.3 Premium. The company said Acrobat 8.0 Professional will be available for Windows and Macintosh, with Acrobat 8.0 Standard for Windows, from November, in English, French, German, and Japanese.

IDG UK Sites

6 best gaming PCs 2015: What's the best gaming PC you can buy in the UK?

IDG UK Sites

Three of the most expensive Limited Edition games ever made: Who's buying a $1,000,000 game?

IDG UK Sites

The future of Microsoft Surface: What to expect from the Surface Pro 4

IDG UK Sites

Best Mac: Apple Mac buyers guide for 2015: iMac, MacBook, MacBook Air, MacBook Pro, Mac mini and...