Hi folks.
There is a serious security issue with older versions of Adobe Reader
software.
This is the program you use to view .pdf files. You probably have it even
if you weren't aware of it.
I recommend you download the latest version of adobe reader (version 8) to
avoid any problems
Download from here >> http://www.adobe.com/products/acrobat/readstep2.html
It's a fairly large download - about 21 MB
See below for more details on the security issue
Adobe Patches Reader Vulnerability
This is a first step toward fixing what security experts are calling one of
the worst security problems they've ever seen.
Ellen Messmer, Network World
Wednesday, January 10, 2007 11:00 AM PST
Adobe late Tuesday released the first set of security patches to address
the cross-site scripting vulnerability disclosed by European researchers
late last year. The flaw allows Acrobat Reader 7.0.8 and earlier versions
to be exploited by hackers.
Left unpatched, the vulnerable versions of Adobe's Reader, Acrobat
Standard, Acrobat Professional, and Acrobat 3D let an attacker easily
include JavaScript code in a browser session so that when a user clicks on
a malicious link to a PDF on the Web, the attack code is activated. There
is no vulnerability associated with PDF itself.
Update Now!
The latest version of Acrobat, version 8, released in December, isn't
vulnerable to the cross-site scripting attack. But because researchers
Stefano Di Paola and Giorgio Fedon drew attention to the flaw when they
presented a paper at a Berlin conference in late December, Adobe has been
working to address the problem.
"Adobe strongly urges Adobe Reader users to update to the latest version,
Reader 8. Adobe Reader 7 users who wish to stay with their current version
can follow the instructions outlined in the bulletin," Adobe advised in a
post last night. Adobe also issued recommendations for a server-side
workaround for Web site operators.
Worst Security Problem Ever
Adobe labels the cross-site scripting flaw critical, and many security
experts say it's one of the worst security problems they've ever seen given
that Adobe Reader is so widely used for viewing PDF files.
"It's the prevalence of it," notes Amol Sarwate, manager of vulnerability
research at security services firm Qualys. "There's an Adobe Reader
installed on almost every desktop."
"This is so very dangerous because it exploits a random PDF on the Web,"
says Billy Hoffman, a leading researcher at vulnerability-assessment firm
SPI Dynamics. "I send someone, the victim, a link to a legitimate Web site.
The vulnerability allows you to put JavaScript in it, executing in the
client's browser. Then, I can simulate the victim at that time. You're
piggybacking perfectly legitimate commands on top of a PDF."
"This is the biggest issue in security I've ever seen," says Danny Allan,
director of strategic research at Web application security firm Watchfire.
"It's extremely easy for someone to do this. There's nothing difficult
here."
More Patches Coming Soon
Spam-filtering appliance vendor Barracuda says it has updated its equipment
to filter out spam with a URL link containing JavaScript for a PDF.
"There's no reason a URL to a PDF file should contain a JavaScript for a
PDF," says Steve Pao, vice president of product development at Barracuda.
An Adobe spokesperson says Adobe expects to soon post additional security
patches for the cross-site scripting vulnerability for Adobe Reader 6
users.
http://www.pcworld.com/article/id,128488-c,browsersecurity/article.html
No comments:
Post a Comment