The PDF Flaws are coming!! The PDF Flaws are coming!!
Tuesday January 9, 2007 at 6:17 am CST
Posted by Karthik Raman
For many, the Portable Document Format (PDF) has become the de facto standard for exchanging documents. Some use PDFs to sidestep the risks of malware-prone Microsoft Office documents. But with the announcement of six new PDF-related vulnerabilities in several security forums last week, we should all now be more careful with PDFs.
The first five of these new vulnerabilities have to do with the Adobe Reader plugin. Attacks that exploit these flaws may result in one or more of the following: HTTP response splitting, cross-site scripting, session forgery, session riding, denial of service, memory corruption, or code execution. This scary list of attack results notwithstanding, a user would have to open a malicious web URL for an attack to occur. Adobe has issued Adobe Reader 8, which remedies these flaws.
The sixth new PDF vulnerability is also the sixth installment of the Month of Apple Bugs (MoAB). If a user opened a malicious PDF document crafted to exploit this flaw, it would corrupt memory and could lead to code execution. Landon Fuller has posted or referred to temporary fixes for all eight MoAB flaws so far. The fix for the MoAB PDF flaw can be found here. Thank you, Landon!
Please stay secure against the PDF vulnerabilities, as we continue to protect our customers against such threats.

January 9th, 2007 at 10:47 am
[…] Computer Security Research - McAfee Avert Labs Blog. […]
January 11th, 2007 at 11:01 am
[…] Trackback This just hasn’t been a great year for the security of applications or responsible disclosure, has it? First we have the Month of Apple Bugs (which is finding a number of application-specific vulnerabilities), then we have a raft of Adobe product vulnerabilities. Now we have VeriSign offering a substantial bounty for people to poke holes in IE7 and Vista. […]
February 14th, 2007 at 4:25 pm
[…] Trackback In a previous blog post I warned that we should be increasingly cautious with PDFs because more and more PDF-related flaws are being released. Security experts at RSA 2007 echoed last week that corporate threats seem to be “moving to Adobe”. […]