New Adobe Acrobat Flaw Resembles Old
Last September, the French Security Incident Response Team (FrSIRT) discovered an exploit made feasible by intentionally malformed arguments passed to certain methods in Adobe’s Acrobat Web reader control. Adobe advised its customers of the flaw in November, and issued a patch for Acrobat 7 in early December.
But when a pair of Italian security engineers demonstrated a new way to exploit the same flaw, in a presentation before a hackers’ convention in Berlin just before Christmas that at one time was supposed to have been entitled, “Hijacking AJAX for Fun and Profit,” FrSIRT picked up on the news as though it were a new discovery, issuing a fresh security bulletin.
The second alert, not the first, caught the attention of Symantec, which yesterday posted a blog entry with the gripping headline, “When PDFs Attack!” And it’s Symantec’s response to the second alert, complete with Symantec’s advice for how Firefox users can immediately protect themselves against the danger of URLs sending malformed parameters to Acrobat, that has press sources today sounding their own alarm bells, some of which are actually touting the potential exploit as a “Firefox flaw.”
The Italian team of Stefano Di Paola and Giorgio Fedon discovered that the already-published malformed address problem – the one which FrSIRT found first, but whose existence FrSIRT itself later learned about anew from Di Paola and Fedon – could be exploited by means of an Acrobat feature called OpenParameters, which enables parameters and attributes to be sent to Acrobat’s embedded Web browser control by attaching them to the end of the URL. The original FrSIRT advisory omitted any mention of OpenParameters, although, like a police press conference that intentionally omits certain details of the crime, the original advisory may have deliberately left out any description of what is probably the exploit’s only attack vector anyway.
As the team’s documentation clearly states, a URL can be intentionally malformed within Internet Explorer and Opera as well as Firefox browsers, although Firefox 2.0 appears to have been the browser used in the Berlin demo. Using information from the Symantec advisory, the Associated Press reported this morning that users could protect themselves against the flaw by changing Firefox settings for handling PDF and related filename extensions, although the advice could easily apply to other browsers.
Furthermore, the flaw has nothing whatsoever to do with AJAX, purportedly the original topic of the Berlin demo.
The US Dept. of Homeland Security’s US-CERT team has been following the Acrobat flaw since the Italian team first revealed it to the public last October. Its own advisory acknowledges three of the team’s discoveries, one of which is that a URL is allowed to trigger JavaScript code to run. This is a classic “cross-site scripting vulnerability,” meaning if one site is capable of loading another site’s page in a separate window, the first site can execute JavaScript code from the second site without warning or verification. Indeed, this does open up a world of vulnerabilities.
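The defensive side of the two points above (parameters appended to the end of a PDF URL, and a URL that can trigger JavaScript) can be handled at the place where links are generated or rewritten. The following is an added illustration, not code from the article or from any of the teams it names: it flags PDF links that carry appended parameters or a script scheme and returns the bare document URL. The `javascript:` scheme check, the function names and the sample URLs are assumptions for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, unquote

# Assumption: a URL scheme that would hand script to the viewer. The article
# only says a URL "is allowed to trigger JavaScript", so this is illustrative.
SCRIPT_SCHEMES = ("javascript:",)


def is_pdf_path(path: str) -> bool:
    """True when the URL path names a PDF document (percent-decoded, case-insensitive)."""
    return unquote(path).lower().rstrip("/").endswith(".pdf")


def classify_pdf_url(url: str) -> dict:
    """Inspect a link before it reaches a browser with an embedded PDF reader.

    Returns a dict with:
      pdf      - the path points at a .pdf document
      appended - a PDF link carries a query string or fragment (open parameters
                 are attached to the end of the URL, so this is the surface)
      script   - those appended parts contain a script scheme
      clean    - the same link with query and fragment stripped (unchanged
                 for non-PDF links)
    Note: browsers never send the fragment to the server, so this check has to
    run where the full URL is visible (link rewriting, a proxy on the page
    generator, or client side); server access logs will not show it.
    """
    parts = urlsplit(url)
    pdf = is_pdf_path(parts.path)
    tail = unquote(parts.query + " " + parts.fragment).lower()
    appended = pdf and bool(parts.query or parts.fragment)
    script = pdf and any(scheme in tail for scheme in SCRIPT_SCHEMES)
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path, "", "")) if pdf else url
    return {"pdf": pdf, "appended": appended, "script": script, "clean": clean}


if __name__ == "__main__":
    # Constructed sample links (not from the article)
    for sample in (
        "http://example.com/report.pdf",
        "http://example.com/report.pdf#page=2",
        "http://example.com/report.PDF?x=1#a=javascript%3Avoid(0)",
    ):
        print(sample, classify_pdf_url(sample))
```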
But US-CERT also acknowledges that Adobe has addressed the problem and may have already completely solved it, not with a simple patch but with a complete solution: Adobe Acrobat 8.0, released last September...just before all the brouhaha over Acrobat 7 started. US-CERT also says it has performed limited testing on Acrobat 8, and sees no evidence of the OpenParameters flaw in that version.
So once again, users may find themselves asking which is the more dangerous exploit: the original flaw, or the subsequent headlines?