Covering J2EE Security and WebLogic Topics

Serious Adobe Reader (PDF) Vulnerability

There is a very serious Cross-Site Scripting (XSS) vulnerability in the Windows versions of Adobe Reader prior to 8.x.

If you have a website that hosts PDF files, your website is vulnerable to session hijacking, since a user can have his JSESSIONID cookie stolen. There’s little you can do about it server-side, since it’s a browser/plugin problem. Server-side, you can either stop hosting PDF files or (possibly) serve them with a MIME type the browser does not recognize.
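As an added example (not code from the original post), here is one way to apply the second server-side workaround in a J2EE container: a hypothetical servlet filter that rewrites the Content-Type of any PDF response to a type the browser has no plugin for, so the file is offered for download instead of being opened by the in-page Reader plugin. The filter name, the chosen replacement type and the web.xml mapping are assumptions; whether this fully prevents the plugin from handling the file depends on the browser.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical filter (added example, not from the original post).
 * Map it to the url-pattern *.pdf in web.xml. Any attempt by the
 * container or a servlet to label the response as application/pdf
 * is rewritten to a type the browser will not hand to a plugin.
 */
public class PdfMimeTypeFilter implements Filter {

    // Assumed replacement type: browsers have no plugin for it and offer a download.
    private static final String SAFE_TYPE = "application/octet-stream";

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        // Wrap the response so the content type is intercepted however it is set.
        chain.doFilter(req, new HttpServletResponseWrapper(resp) {
            public void setContentType(String type) {
                super.setContentType(rewrite(type));
            }
            public void setHeader(String name, String value) {
                super.setHeader(name, "Content-Type".equalsIgnoreCase(name) ? rewrite(value) : value);
            }
            public void addHeader(String name, String value) {
                super.addHeader(name, "Content-Type".equalsIgnoreCase(name) ? rewrite(value) : value);
            }
        });
    }

    /** Returns SAFE_TYPE for a PDF content type; every other type passes through unchanged. */
    static String rewrite(String type) {
        if (type != null && type.trim().toLowerCase().startsWith("application/pdf")) {
            return SAFE_TYPE;
        }
        return type;
    }
}
```

Since the filter only changes the label on the response, the PDF bytes themselves are untouched; users who save the file can still open it in a stand-alone Reader.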

Users themselves are exposed to a host of attacks through this exploit. See MSNBC for more details in general terms. For technical details, start with Jeremiah Grossman’s write-up.

The solution is to upgrade to Adobe Reader 8. Adobe says that it will release patches for older versions for those who can’t upgrade for some reason. You could also turn off JavaScript or tell your browser to open Acrobat outside of the browser, but getting the new plugin is more foolproof.

Seriously, don’t go another day without upgrading. This exploit is going to be huge… :-(