A security researcher and self-described hacker known as "pdp" claims he has found a critical exploit in Adobe's Acrobat software that can compromise many Windows PCs simply by viewing a maliciously-crafted PDF file.
The flaw affects both Windows XP SP2 and Windows 2003; Windows Vista, OS X, and Linuxusers are unaffected.
Security researchers reveal new Adobe Reader vulnerability Adobe releases Acrobat 8 in Universal Binary Adobe, Microsoft accused of infringing on browser-related patents.
The bug affects Acrobat Reader, versions 8.1, 8.0, and 7, either when run in stand-alone mode or embedded inside a web page. Some work-alike PDF readers, such as the svelte Foxit Reader, are also affected but in a lesser manner: they display a confirmation dialog before the exploit is allowed to run.
The exploit uses a flaw in Adobe's scripting language to automatically run an executable program—the discoverer tested this by harmlessly running Calculator and Notepad in a video on his site. Yet, as noted, the exploit could be used to run any program, including a Trojan or virus or a scriptedattack. The malware in question would have to have already been downloaded onto the victim's computer, but this could be accomplished in various ways, including putting the executable inside a .ZIP file that includes the original PDF, or linking to a remote executable (the latter option wouldstill trigger a warning by the operating system, however).
Pdp has contacted Adobe about the problem and says that the PDF team has confirmed" the issue. He also recently uncovered a QuickTime flaw that can affect Firefox users. To prevent a rush of copycat hackers, pdp is not revealing the exact details of either exploit until patches are available.Hacking used to be the primarily the domain of curious teenagers with time on their hands, but in recent years it has become much more serious and definitely about making money, often for criminal organizations. In the future, professional hackers are likely to send more and more attacksagainst third-party software, given that users are becoming more diligent about updating their operating system and web browser, but are less likely to patch other software.
Until a patch is released for the PDF flaw, pdp recommends that users either avoid PDF files entirely (not a realistic prospect in today's world) or stay away from PDF files sent to you by unknown users.)
The flaw affects both Windows XP SP2 and Windows 2003; Windows Vista, OS X, and Linuxusers are unaffected.
Security researchers reveal new Adobe Reader vulnerability Adobe releases Acrobat 8 in Universal Binary Adobe, Microsoft accused of infringing on browser-related patents.
The bug affects Acrobat Reader, versions 8.1, 8.0, and 7, either when run in stand-alone mode or embedded inside a web page. Some work-alike PDF readers, such as the svelte Foxit Reader, are also affected but in a lesser manner: they display a confirmation dialog before the exploit is allowed to run.
The exploit uses a flaw in Adobe's scripting language to automatically run an executable program—the discoverer tested this by harmlessly running Calculator and Notepad in a video on his site. Yet, as noted, the exploit could be used to run any program, including a Trojan or virus or a scriptedattack. The malware in question would have to have already been downloaded onto the victim's computer, but this could be accomplished in various ways, including putting the executable inside a .ZIP file that includes the original PDF, or linking to a remote executable (the latter option wouldstill trigger a warning by the operating system, however).
Pdp has contacted Adobe about the problem and says that the PDF team has confirmed" the issue. He also recently uncovered a QuickTime flaw that can affect Firefox users. To prevent a rush of copycat hackers, pdp is not revealing the exact details of either exploit until patches are available.Hacking used to be the primarily the domain of curious teenagers with time on their hands, but in recent years it has become much more serious and definitely about making money, often for criminal organizations. In the future, professional hackers are likely to send more and more attacksagainst third-party software, given that users are becoming more diligent about updating their operating system and web browser, but are less likely to patch other software.
Until a patch is released for the PDF flaw, pdp recommends that users either avoid PDF files entirely (not a realistic prospect in today's world) or stay away from PDF files sent to you by unknown users.)
