Covering J2EE Security and WebLogic Topics

Serious Adobe Reader (PDF) Vulnerability

Permanent Article Link

There is a very serious Cross-Site Scripting (XSS) vulnerability in Windows versions of Adobe Reader less than 8.x.

If you have a website that hosts PDF files, your website is vulnerable to session hijacking since a user can have his JSESSIONID cookie stolen. There’s little you can do about it server-side since it’s a browser/plugin problem. Server-side, you can either not host PDF files or (possibly) change your MIME type to something unknown.

Users themselves can have a host of bad things happen to them with this exploit. See MSNBC for more details in general terms. For technical details, start with Jeremiah Grossman’s write-up.

The solution is to upgrade to Adobe Reader 8. Adobe says that they will have patches for older versions if people can’t upgrade for some reason. You could also turn off JavaScript or tell your browser to open Acrobat outside of the browser, but getting the new plugin is more fool-proof.

Seriously, don’t go another day without upgrading. This exploit is going to be huge… :-(

Posted in Miscellaneous January 5th, 2007 by Mike Fleming |

Bookmark this post on del.icio.us

2 Comments

  1. Hi,

    might be a bit off topic, but I also very much dislike that Adobe Reader has JavaScript capabilities. I recommend anyone to disable JavaScript in Adobe Reader.

    Comment by Torsten Raab — January 16, 2007 @ 7:17 pm

  2. Thanks for the tip, Torsten!

    Comment by Mike Fleming — January 16, 2007 @ 7:52 pm

Sorry, the comment form is closed at this time.

 

Bookmark this page on del.icio.us