Avoiding the Adobe PDF reader plug-in vulnerability
The bugtraq mailing list has been abuzz the past few days with the latest vulnerability in the Adobe PDF viewer. A malicious web site can make the Adobe PDF viewer execute JavaScript by simply adding the JavaScript commands to a URL (Adobe Viewer has its own internal JavaScript engine, separate from the one in the web browser). The original advisory is published here: Adobe Acrobat Reader Plugin – Multiple Vulnerabilities.
The vulnerability can be used for many evil purposes such as downloading executables, phishing, and stealing login credentials. The nasty part is that anyone can attach JavaScript to a link to any PDF, even PDF files on other servers, and the Adobe Viewer will happily execute the JavaScript as the user. The vulnerability even exists in Adobe Viewer for Linux (not sure about Macintosh). The black hats are going to steal a lot of money using this vulnerability.
One fix is to upgrade the PDF Viewer to version 8. However, given the history of Adobe’s PDF viewer I think it’s better to replace it with a viewer not so “feature rich”. The Foxit PDF viewer is not vulnerable to this exploit (though it also has an optional internal JavaScript engine) and makes a very good alternative PDF viewer for Windows. A side benefit is that the Foxit reader is also much faster.
On my Windows systems I keep both Foxit and Adobe Viewer installed, with the default action for PDF files set to Foxit. That way I can still use Acrobat viewer to open the few PDFs that use special features unique to the Adobe product.