January 11, 2007
Adobe's Flaw Exposed
A number of security experts have recently reported on a major flaw in the Web browser plug-in for Adobe's Acrobat Reader program. The problem was first discovered by researchers Stefano Di Paola and Giorgio Fedon, who presented a paper on security issues related to Web 2.0 technologies such as AJAX (Asynchronous JavaScript and XML).
The issue centers on how the Adobe Reader browser plugin can be made to execute JavaScript code on the client side. This code can then be the trigger for any number of malicious activities. A well-written, detailed explanation plus code is available here at GnuCitizen.
The use of JavaScript in cross-site scripting is causing numerous headaches for security managers, especially with phishing attempts. By taking advantage of cross-site scripting vulnerabilities, an attacker may launch malicious code referencing a URL that points to a carefully constructed phishing Web page. So for instance, when you're downloading a PDF report at your online broker's webpage, the attacker could launch a script to throw up what looks like an official, legitimate request to validate your account number and password. That, my friends, is what makes this so scary. The self-righteous among us may have sneered in disdain at friends and family who fall for unsophisticated phishing attempts. But this ability to perform highly contextualized phishing will fool any of us.
While you ponder the possibility of that exposure, make sure you do this - download Acrobat 8.0, which fixes the vulnerability in the first place.
Posted by andreyee in Alerts/Warnings

Andre Yee's Security Insider
