Internet Security Systems - AlertCon(TM)

Serious PDF Cross Site Scripting Vulnerability

Posted by Tom Cross on January 04, 2007 at 5:46 PM EST.

A very serious Cross Site Scripting vulnerability related to Adobe Acrobat has been disclosed. An attacker can post a link to any PDF file hosted on any website, with malicious JavaScript appended after the fragment identifier (the "#" anchor) at the end of the URL. This JavaScript is executed in the security context of the website hosting the PDF file. It can be used to steal website access credentials or cause a host of other problems. Unfortunately, this means that no website that hosts PDF files is currently safe from credential theft!

The victim need not even click a malformed link, since such links can be embedded in iframes and loaded automatically when the victim views an otherwise innocuous web page. Also, by employing a file URL with a known path to a PDF on the victim's hard drive, the attacker can have their script executed in the local security context, which leads to complete security compromise of the victim's computer!

Unfortunately, there is little that website administrators can do to protect themselves from this vulnerability. There is no broken software on the server side that causes the problem; the mere presence of a PDF file causes the issue. Furthermore, the malicious script is carried in the URL fragment, which the browser never sends to the website in the HTTP request, so there is no way to detect or block the attack with a server-facing IDS.

Client machines must be upgraded to version 8 of Adobe Acrobat.

This is the worst Cross Site Scripting vulnerability in recent memory and really a perfect storm for Adobe. Financial institutions and other website operators who have serious security concerns about access credentials may have to move their PDF files to a different domain than their primary website, or forgo the format entirely. The clock is ticking. We're already seeing numerous exploits in open circulation.
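One practical check a site operator can run against the advice above is an audit of which PDFs a page still references on its own origin, since those are the ones that would need to move to a separate domain. The following is an added example, not code from the original post or from ISS; the tag list, the hostnames and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute can pull a PDF into a page (assumed audit scope).
PDF_CARRIERS = {"a": "href", "iframe": "src", "embed": "src", "object": "data"}


class _LinkCollector(HTMLParser):
    """Collects the URL-bearing attribute of every tag listed in PDF_CARRIERS."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attr = PDF_CARRIERS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.targets.append(value)


def same_origin_pdfs(page_url, html):
    """Return absolute URLs of PDFs that the page references on its own host."""
    parser = _LinkCollector()
    parser.feed(html)
    page_host = urlsplit(page_url).netloc.lower()
    found = []
    for target in parser.targets:
        parts = urlsplit(urljoin(page_url, target))
        if parts.netloc.lower() != page_host:
            continue  # served from another domain, which is what the post recommends
        if parts.path.lower().endswith(".pdf"):
            # Drop any fragment: it never reaches the server, so only the hosted
            # path is something the site operator can act on.
            found.append(parts._replace(fragment="").geturl())
    return found


# Constructed sample page: one same-origin PDF, one off-site PDF, one non-PDF link.
SAMPLE_HTML = """
<a href="/docs/statement.pdf">Statement</a>
<a href="http://pdfs.example.net/other.pdf">Other</a>
<iframe src="reports/q4.pdf#x"></iframe>
<a href="/login">Login</a>
"""

if __name__ == "__main__":
    for url in same_origin_pdfs("http://www.example.com/account/", SAMPLE_HTML):
        print("same-origin PDF:", url)
```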

Update: The original advisory for this and some related vulnerabilities is here.

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.