Username: Save?
Password:
Home Forum Links Search Login Register*
    News: Welcome to the TechnoWorldInc! Community!
Recent Updates
[November 08, 2024, 04:31:03 PM]

[November 08, 2024, 04:31:03 PM]

[November 08, 2024, 04:31:03 PM]

[November 08, 2024, 04:31:03 PM]

[November 08, 2024, 04:31:03 PM]

[October 17, 2024, 05:05:06 PM]

[October 17, 2024, 04:53:18 PM]

[October 17, 2024, 04:53:18 PM]

[October 17, 2024, 04:53:18 PM]

[October 17, 2024, 04:53:18 PM]

[September 09, 2024, 12:27:25 PM]

[September 09, 2024, 12:27:25 PM]

[September 09, 2024, 12:27:25 PM]
Subscriptions
Get Latest Tech Updates For Free!
Resources
   Travelikers
   Funistan
   PrettyGalz
   Techlap
   FreeThemes
   Videsta
   Glamistan
   BachatMela
   GlamGalz
   Techzug
   Vidsage
   Funzug
   WorldHostInc
   Funfani
   FilmyMama
   Uploaded.Tech
   MegaPixelShop
   Netens
   Funotic
   FreeJobsInc
   FilesPark
Participate in the fastest growing Technical Encyclopedia! This website is 100% Free. Please register or login using the login box above if you have already registered. You will need to be logged in to reply, make new topics and to access all the areas. Registration is free! Click Here To Register.
+ Techno World Inc - The Best Technical Encyclopedia Online! » Forum » THE TECHNO CLUB [ TECHNOWORLDINC.COM ] » Ethical Hacking / Security / Viruses
 Acrobat Reader Plugin Vulnerable to Attacks
Pages: [1]   Go Down
  Print  
Author Topic: Acrobat Reader Plugin Vulnerable to Attacks  (Read 1553 times)
Mark David
Administrator
Super Elite Member
*****



Karma: 185
Offline Offline

Posts: 1624

!!!Techno King!!!

fabulous_designer
View Profile WWW
Acrobat Reader Plugin Vulnerable to Attacks
« Posted: January 06, 2007, 12:31:29 AM »


Security researchers are poring over what one vendor has called a "breathtaking" weakness in the Web browser plugin for Adobe Systems' Acrobat Reader program, used to open the popular ".pdf" file format.

The problem was first highlighted by Stefano Di Paola and Giorgio Fedon, researchers who presented a paper in Berlin last week on security issues related to Web 2.0 technologies such as (Asynchronous JavaScript and extensible markup language).

The Acrobat weakness involves a feature called "open parameters" in the Web browser plugin for Adobe's Reader program.

The plugin allows arbitrary JavaScript code to run on the client side. The code could include a malicious attack on a computer, wrote Hon Lau on Symantec's Security Response Weblog today.

"The ease in which this weakness can be exploited is breathtaking," Lau wrote. "What this means in a nutshell is that anybody hosting a .pdf, including well-trusted brands and names on the Web, could have their trust abused and become unwilling partners in crime."

Any Web site hosting a .pdf file could be manipulated to run an exploit, Lau wrote. Because an exploit is relatively easy to craft, Lau predicted attacks will start until it is fixed.

How It Works
In their research paper, Di Paola and Fedon wrote that the type of attack used to exploit the problem is called universal cross-site scripting, which uses a flaw in the browser rather than a vulnerability within a Web site. A cross-site scripting attack involves the unintended execution of code as part of a query string contained within a URL (uniform resource locator).

Another Symantec blogger, Zulfikar Ramzan, wrote that attackers can exploit a cross-scripting vulnerability by creating a special URL that points to the Web page. In that URL, the attacker would code it to include some of his own content--such as a form soliciting passwords or credit-card information--that would be displayed on the targeted Web page.

When victims click on the URL--which, for example, could be included in a link enclosed in e-mail--they would be directed to the Web page. If they fill out information on a form on the page, it could be passed to the attacker without the victim knowing the site had been tampered with, Ramzan wrote.

"The result is that the user is lulled into a false sense of security since he trusts the site and therefore trusts any transaction he has with it, even though in reality he is transacting with an attacker," Ramzan wrote.

An Adobe spokesman could not immediately comment.

In highlighting the problem with the Reader plugin, the researchers Di Paola and Fedon warned that Web 2.0 applications--such as Google's Gmail and Google Maps, both of which employ AJAX--will need to be more tightly tied to the security of Web browsers.

Otherwise, the plethora of features in those applications "can be turned into weapons if controlled by a malicious hacker," they wrote.

Logged

Pages: [1]   Go Up
  Print  
 
Jump to:  

Copyright © 2006-2023 TechnoWorldInc.com. All Rights Reserved. Privacy Policy | Disclaimer
Page created in 0.07 seconds with 23 queries.