Ah yes, another year begins and yet again we are faced with a potentially far reaching vulnerability to deal with as we shake off the excesses of the holiday season, remember the .WMF vulnerability from last year?

There is a lot of activity on various lists regarding a cross-site scripting vulnerability that has been discovered in the popular Adobe Reader browser plug-in.  Not only does this vulnerability have the potential to compromise client/end-user systems, it can also be used to abuse the trust and reputation of any organisation that hosts .PDF files on their website.  The vulnerability is triggered when a user follows a JavaScript embedded hyperlink pointing to a .PDF file.  As the vulnerability is in the client software there is no need for the attackers to compromise a server, they can simply point to .PDF file on any trusted site and allow the plug-in to subsequently run the attack code. 

Adding to the potential impact of this vulnerability, is the recent zero-day vulnerabilities for Microsoft Word documents which still remain unpatched.  With the addition of this Adobe Reader vulnerability many organisations will need to rethink what type of files they will allow to be transmitted into and out of their organisation via email and indeed how to disseminate information in a secure fashion.  Maybe the plain old text file will make a comeback.

Symantec have a good write up on this problem on their site as do McAfee.  The SANS Internet Storm Center also has continuous updates on their site and according to the diary entry relating to this issue the problem is addressed in Adobe Acrobat Reader 8.0.  The problem also appears not to affect Internet Explorer 7.0 but does impact Firefox and earlier versions of Internet Explorer.

If you are not in the position to update all your clients to Adobe Acrobat Reader 8.0 or to Internet Explorer 7.0 then the following steps could help mitigate the problem until a patch is available or you can upgrade;

1. Disable the Adobe Reader plug-in within web browsers.
2. Turn off JavaScript support within browsers.
3. Educate users of the dangers and advise them not to click on any links to .PDF files hosted on the Internet, especially in emails from untrusted or unverified sources.
4. When browsing the web, alert users to be wary of links leading to .PDF files and no to click on any links that contain any unusual text after the .PDF extension.
5. The above could be reinforced by using your email and Internet content filtering systems to block any emails or web traffic with suspicious links.

For those of you worried about having your reputation damaged by attackers using .PDF files hosted on your website, you may want to consider whether or not you leave those files available while this vulnerability is widespread.  This could however have a serious impact on your web presence and how you distribute information via your website.

I would suggest a discussion is held with senior management within your organisation to highlight the problem so that a valid risk assessment can be made and based on that discussion the steps to mitigate the problem should be decided and implemented.

Oh and Happy New Year.

UPDATE 05/01/07  Apparently this flaw can be used to access files on users’ local drives PDF Threat Worse Than First Thought.