Researchers Discover Vulnerability in Adobe's Acrobat PDF Software
January 3, 2007 19:22
SAN FRANCISCO -- Computer security researchers said Wednesday they
have discovered a vulnerability in Adobe Systems Inc.'s ubiquitous
Acrobat Reader software that allows cyber-intruders to attack personal
computers through trusted Web links.
Virtually any Web site hosting Portable Document Format, or PDF, files
is vulnerable to attack, according to researchers from Symantec Corp.
and VeriSign Inc.'s iDefense Intelligence.
The attacks could range from stealing cookies that track a user's Web
browsing history to the creation of harmful worms, the researchers
said.
The flaw, first revealed at a hacker conference in Germany over the
holidays, exists in a plug-in that enables Acrobat users to view PDF
files within Web browsers.
By manipulating the Web links to those documents, hackers and online
thieves are able to commandeer the Acrobat software and run malicious
code when users attempt to open the files, according to Ken Dunham,
director of the rapid response team at VeriSign's iDefense
Intelligence.
Dunham gave this hypothetical scenario: an attacker finds a PDF file on
a banking Web site. The attacker creates a hostile Web site that links
to the bank's PDF file. Included is malicious JavaScript code that will
run on the unsuspecting user's computer once the link is clicked.
"PDF is trusted and tried and true -- everyone uses it," Dunham said.
"But instead of just viewing the file, you've initiated script that
shouldn't be executed. All you have to do is click on the PDF and the
ball starts rolling."
Representatives from Adobe did not return a call from The Associated
Press on Wednesday night.
The flaw appears to target Microsoft Corp.'s Internet Explorer 6.0 Web
browser and earlier versions, and Mozilla's Firefox browser, the
researchers said.
They recommended that users protect themselves by upgrading Internet
Explorer or changing Firefox's user options so the browser does not use
the Acrobat plug-in.
Researchers said it's unclear how pervasive or harmful any future
attacks might be.
"Given that it is easy to exploit, I would expect that we will see this
method used considerably in the coming days and weeks, until it is
resolved," a Symantec researcher said in a posting on a company Web log.
Joan Carter - 04 Jan 2007 16:07 GMT
>The flaw, first revealed at a hacker conference in Germany over the
>holidays, exists in a plug-in that enables Acrobat users to view PDF
>files within Web browsers.
This really tickled my sense of the giggles, Chief. "Bye, honey, I'm off to a
hacker conference." :-)
---
Joan
d'huit - 04 Jan 2007 16:49 GMT
On 3 Jan 2007 23:32:29 -0800, "Fire Chief" <CALIFORNIA_CHIEF@PEOPLEPC.COM>
wrote in alt.support.arthritis:
>The flaw, first revealed at a hacker conference in Germany over the
>holidays, exists in a plug-in that enables Acrobat users to view PDF
>files within Web browsers.
This really tickled my sense of the giggles, Chief. "Bye, honey, I'm off to a
hacker conference." :-)
---
Joan
LOL! now, i have to wipe the chai off my monitor.
kate
Fire Chief - 04 Jan 2007 17:50 GMT
Kate wrote:
> This really tickled my sense of the giggles, Chief. "Bye, honey, I'm off to
> a hacker conference." :-)
There is an annual one in Las Vegas. This was the 1st
conference in Germany I've heard about.
... <CLINK> <CLINK> ... Two cents inserted.