Acrobat flaw could spawn Web attacks


ZDNet is reporting today on an error in Adobe’s Acrobat Reader that could allow cybercrooks to take advantage of websites that link to PDF documents.

An error in the Web browser plug-in of Adobe Systems’ tool lets cybercrooks co-opt the address of any Web site that hosts an Adobe PDF file for use in attacks, Symantec and VeriSign iDefense said. An attacker could construct seemingly trusted links and add malicious JavaScript code that will run once the link is clicked, they said.

For example, an attacker could find a PDF file on a bank Web site and then create a hostile link to that file along with malicious JavaScript, Ken Dunham, director of the Rapid Response Team at VeriSign iDefense, said in a statement.

“This vulnerability makes it possible for cross-site-scripting (XSS) attacks to occur, to steal cookies, session information, or possibly create a XSS worm,” he said. XSS attacks put online accounts at risk of hijack and feed information-thieving phishing scams by allowing miscreants to use seemingly trusted links to point to fraudulent Web sites.

To mitigate the new threat, users can upgrade to Adobe Reader 8.

As I look at my web statistics for various sites that I operate, I’m still amazed at how many people are running Internet Explorer 5.5, sometimes 3.x. It’s always a good idea to upgrade. Given a choice — and you do have a choice — I would recommend Firefox for Windows users. But if you do use Internet Explorer, you should upgrade to the latest Internet Explorer 7 if your system can handle it.

Yes, there are still some people using Windows 98.

But certainly upgrade your Adobe Reader.