Adobe Reader security vulnerability

GomJabbar
Moderator
Posts: 9765
Joined: Tue Jun 07, 2005 6:57 am

#1 Post by GomJabbar » Thu Jan 04, 2007 7:04 am

AP wrote: San Francisco, Jan. 4 (AP): Computer security researchers said they have discovered a vulnerability in Adobe Systems Inc.'s ubiquitous Acrobat Reader software that allows cyber-intruders to attack personal computers through trusted Web links.

Virtually any Web site hosting Portable Document Format, or PDF, files are vulnerable to attack, according to researchers from Symantec Corp. and VeriSign Inc.'s iDefense Intelligence.

The attacks could range from stealing cookies that track a user's Web browsing history to the creation of harmful worms, the researchers said Wednesday.
------
The flaw appears to target Microsoft Corp.'s Internet Explorer 6.0 Web browser and earlier versions, and Mozilla's Firefox browser, the researchers said.

They recommended that users protect themselves by upgrading Internet Explorer or changing Firefox's user options so the browser does not use the Acrobat plug-in.
The Hindu News Update - Associated Press

Ars Technica Journals wrote: This morning, Symantec's Hon Lau warned of the attack on the Symantec Security Response Weblog. He cautioned that even trusted websites could fall victim to this problem.

Any Web site that hosts a .pdf file can be used to conduct this attack. All the attacker has to do is find out who is hosting a .pdf file on their Web server and then piggy back on it to mount an attack. What this means, in a nutshell, is that anybody hosting a .pdf file, including well-trusted brands and names on the Web, could have their trust abused and become unwilling partners in crime.

Personally, I was able to validate the proof of concept code with Adobe Reader versions 6 and 7; however, Adobe Reader 8 prevented the code execution and presented me with an "Operation Not Allowed" dialog box. The validation was done in both Opera 9.10 and Firefox 2.0.0.1. Internet Explorer's Adobe Reader ActiveX plugin is not susceptible to this problem.

Obviously, one way to protect your PC from this vulnerability is to upgrade to Adobe Reader 8. If you'd prefer not to upgrade, Hon Lau also has a workaround posted on the Symantec Security Response Weblog.
M-Dollar - Ars Technica Journal
DKB

NS
ThinkPadder
Posts: 1053
Joined: Sun May 21, 2006 11:35 pm
Location: Singapore.. a tropical country..

#2 Post by NS » Thu Jan 04, 2007 11:58 pm

Is this a new way to make everyone update their Adobe Reader to reader 8? :?

I have updated my Adobe Reader a few days ago and it seemed that reader 8 has got some problem when trying to open a file from my HDD. :-(

GomJabbar
Moderator
Posts: 9765
Joined: Tue Jun 07, 2005 6:57 am

#3 Post by GomJabbar » Fri Jan 05, 2007 6:23 pm

I have already run into problems in the past with my browser opening up .pdf files on a slow connection. If I would try to navigate through the document while it was still loading, Adobe Reader would often hang. As a result, I have had this 'feature' disabled in Adobe Reader for some time. I am still using Adobe Reader version 7 myself.
DKB

NS
ThinkPadder
Posts: 1053
Joined: Sun May 21, 2006 11:35 pm
Location: Singapore.. a tropical country..

#4 Post by NS » Sat Jan 06, 2007 12:42 am

I will not click on those online PDF files unless it is from my school. I will always view those files under the HTML version. And for the IBM/Lenovo site where you must use Adobe Reader to read the Hardware Manual, I will always download the PDF files using my school desktop computer to my flash drive and later transfer the files to my computer.

Call me sly or cunning as you wish but this is how I will protect my own computers from viruses. My school firewall is stronger and will always have the tools to contain all the viruses in the anti-virus vault and kill them. But I do not have these advanced tools in my ThinkPads/computers.
