Pluralsight blog Where devs, IT admins & creative pros go for news, tips, videos and more.
January 9, 2007

PDF Security Issue


Here is a little warning for all you Adobe Reader users.

According to one report, “an error in the Web browser plug-in of Adobe Systems’ tool lets cybercrooks co-opt the address of any Web site that hosts an Adobe PDF file for use in attacks, Symantec and VeriSign iDefense said. An attacker could construct seemingly trusted links and add malicious JavaScript code that will run once the link is clicked,” they added.

This security problem was first discovered in late December at the Chaos Computer Club conference in Germany.

At first the problem seemed to concern Web-related data only, but it has now been announced that the risk is greater. When the link carrying the JavaScript points to a PDF on a website, the attacker gets only limited access to the victim’s computer.

However, it was recently discovered that a link pointing to a PDF on the local computer is much worse than an attack from a remote zone, such as a website. The malicious link has to point to a PDF file that already exists, either on the Web or on the PC.

And this is fairly easy to do as the Acrobat Reader comes with a demo file that is installed to a default location. The script code may be used to read or delete files, execute programs, or even send contents to the attacker.
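A defensive triage sketch for the links described above, added here as an example and not taken from the original post or from Adobe: it pulls the links out of an HTML message body, flags those that point to a PDF and also carry script, and separates the local-file case. The marker patterns, function names and sample links are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Script markers looked for in the decoded link (an assumed heuristic).
SCRIPT_MARKERS = re.compile(r"javascript\s*:|<\s*script", re.IGNORECASE)


def classify_pdf_link(url):
    """Return None for non-PDF links, else 'ok', 'script' or 'local-script'."""
    parts = urlsplit(url.strip())
    if not unquote(parts.path).lower().endswith(".pdf"):
        return None
    # Decode twice so that double-encoded markers are still seen.
    extra = unquote(unquote(parts.query + " " + parts.fragment))
    if not SCRIPT_MARKERS.search(extra):
        return "ok"
    # A PDF on the local machine is the worse case the article describes.
    return "local-script" if parts.scheme.lower() == "file" else "script"


class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]


def triage_html(html):
    """Return (url, verdict) for each PDF link in an HTML body that carries script."""
    collector = _LinkCollector()
    collector.feed(html)
    verdicts = ((u, classify_pdf_link(u)) for u in collector.links)
    return [(u, v) for u, v in verdicts if v in ("script", "local-script")]


# Constructed sample message body; hosts, paths and parameters are placeholders.
SAMPLE_HTML = """
<a href="https://bank.example/statements/2006.pdf">statement</a>
<a href="https://bank.example/help.pdf?x=javascript:void(0)">help</a>
<a href="file:///C:/placeholder/demo.pdf#x=JavaScript%3Avoid(0)">demo</a>
<a href="https://bank.example/login?next=javascript:void(0)">login</a>
"""

if __name__ == "__main__":
    for url, verdict in triage_html(SAMPLE_HTML):
        print(verdict, url)
```

A mail gateway or proxy could run a check of this kind on message bodies and referrers while unpatched Reader versions are still deployed.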

Adobe is aware of this problem but has not yet verified the issue, and it is still evaluating all possible scenarios.

To protect yourself from this threat, you have to upgrade Adobe Reader to its latest version, which was released last month. Adobe is also working on updates to previous versions of Adobe Reader, and they should be released soon.

About the Author

(MCTS Active Directory, MCTS Vista, Network+, Linux+, Project+, PMP) is an experienced Network Support Specialist and an expert in Windows Server support. She graduated from DePaul University, Chicago with a Bachelor's degree in Network Technologies with highest honors. Gosia has over 8 years of technical and support experience and has worked as Systems Administrator for a high-profile law firm, where she managed the Backup and Disaster Recovery plan. Gosia has been a part of the Train Signal team since 2006 as the Product Manager and has written many articles on a variety of topics, including Exchange Server 2007, Windows Vista, Small Business Server, and more.