|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[ISN] Adobe releases first set of patches for cross-site scripting vulnerability
From: InfoSec News (alerts
infosecnews.org)
Date: Thu Jan 11 2007 - 00:36:30 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
http://www.networkworld.com/news/2007/011007-adobe-patches.html
By Ellen Messmer
Network World
01/10/07
Adobe late Tuesday released the first set of security patches to address
the cross-site scripting vulnerability disclosed by European researchers
late last year. The flaw allows Acrobat Reader v.7.0.8 and earlier
versions to be exploited by hackers.
Left unpatched, the vulnerable versions of Adobes Reader, Acrobat
Standard, Acrobat Professional and Acrobat 3D let an attacker easily
include JavaScript code in a browser session so that when a user clicks
on a malicious link to a PDF on the Web, the attack code is activated.
There is no vulnerability associated with PDF itself.
The latest version of Acrobat, v.8., released in December, isnt
vulnerable to the cross-site scripting attack. But because researchers
Stefano Di Paola and Giorgio Fedon drew attention to the flaw when they
presented a paper at a Berlin conference in late December, Adobe has
been working to address the problem.
Adobe strongly urges Adobe Reader users update to the latest version,
Reader 8. Adobe Reader 7 users who wish to stay with their current
version can follow the instructions outlined in the bulletin, Adobe
advised last night. Adobe also issued recommendations for a server-side
workaround for Web site operators.
Adobe labels the cross-site scripting flaw critical, and many security
experts say its one of the worst security problems they've ever seen
given that Adobe Reader is so widely used for viewing PDF files.
Its the prevalence of it, notes Amol Sarwate, manager of vulnerability
research at security services firm Qualys. Theres an Adobe Reader
installed on almost every desktop.
"This is so very dangerous because it exploits a random PDF on the Web,
says Billy Hoffman, leading researcher at vulnerability-assessment firm
SPI Dynamics. I send someone, the victim, a link to a legitimate Web
site. The vulnerability allows you to put JavaScript in it, executing in
the clients browser. Then, I can simulate the victim at that time.
You're piggybacking perfectly legitimate commands on top of PDF."
This is the biggest issue in security Ive ever seen, says Danny Allan,
director of strategic research at Web application security firm
Watchfire. Its extremely easy for someone to do this. Theres nothing
difficult here.
Spam-filtering appliance vendor Barracuda says it has updated its
equipment to filter out spam with a URL link containing JavaScript for a
PDF. Theres no reason a URL to a PDF file should contain a JavaScript
for a PDF, says Steve Pao, vice president of product development at
Barracuda.
An Adobe spokesman says Adobe expects to soon post additional security
patches for the cross-site scripting vulnerability for Adobe Reader 6
users.
_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]