Adobe plans to fix Reader flaw, just not now
When you produce two wildly popular platforms like Flash and Reader then you can expect to be targeted by those who wish to exploit them for gain. Such is the case for Adobe, the developer behind both applications. The company is a constant target for security exploits and malware, with the vast majority of "update Flash" pop-ups on the web being fakes that lead unsuspecting customers to a bad end.
The most recent is a flaw in Reader, discovered by McAfee researcher Haifei Li. To be fair to Adobe, this one is much less of a problem than some previously discovered. Li writes that "we successfully identified that the [PDF] samples are exploiting an unpatched security issue in every version of Adobe Reader including the latest 'sandboxed' Reader XI (11.0.2)".
In concept, when a specific PDF JavaScript API is called with the first parameter set as a UNC-located resource, Adobe Reader can access that UNC resource. However, this action is normally blocked and creates a warning dialogue which is asks for permission. No problem. However, as Li explains, "the danger is that if the second parameter is provided with a special value, it changes the API’s behavior. In this situation, if the UNC resource exists, we see the warning dialog. However, if the UNC resource does not exist, the warning dialog will not appear even though the TCP traffic has already gone".
McAfee, while saying that it does not consider this to be a major issue, does consider it a security vulnerability. The company has detected some PDF samples in the wild that are exploiting this issue. "Our investigation shows that the samples were made and delivered by an 'email tracking service' provider", Li writes.
And what about the Adobe response? The company briefly acknowledges this latest flaw, telling us "Adobe is aware of reports of a low severity information leakage issue described in a recent advisory. A user’s IP address and timestamp could be exposed when opening a specially crafted PDF. This issue will be resolved in the next scheduled releases (May 14) of Adobe Reader and Acrobat".
The problem is, indeed, not a major threat, but the word is now out there, which can potentially compound the problem. Common sense should tell customers to not click on email attachments from unknown sources, or even from friends, if the file in unexpected. A better solution is to use a different PDF app -- both Foxit and Nitro are free, and much less targeted.
Photo Credit: Cartoonresource/Shutterstock