CNET Security Center: Your complete source of antivirus and Internet security information.
Adobe Reader Open Parameters XSS
A feature called Open Parameters within older versions of the Adobe Reader browser plug-in can be corrupted with malicious content.
By Robert Vamosi (January 3, 2007)
QUICK FACTS
Name: Adobe Reader Open Parameters XSS
Date first reported: 1/3/07
Vulnerable software: Adobe Reader plug-in versions 6 and 7 for Mozilla Firefox, Opera, and Microsoft Internet Explorer.
What it does: Could allow denial of service (crash), remote access, and execution of malicious code.
Recommendations: Upgrade to Adobe Reader 8
Exploit code available: Yes
Vendor patch available: Yes

In a conference paper titled "Subverting Ajax," security researchers Stefano Di Paola and Giorgio Fedon identified multiple cross-site scripting (XSS) vulnerabilities. One flaw in particular, the open parameters vulnerability, is quite easy to execute on vulnerable versions of Adobe Reader. A malicious attack can be carried out by referencing any Web-based PDF file and supplying potentially malicious JavaScript code as an open parameter in the link. For example:

http://www.(domain name).com/file.pdf#whatever_name_you_want=javascript:your_code_here
The researchers contacted Adobe in October with their findings and only recently made their work public. Adobe has since released version 8 of Adobe Reader, which no longer allows appended JavaScript within site URLs. However, many users continue to use older versions of the Adobe Reader plug-in and should update as soon as possible.
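A link check for the URL pattern described above, as an added example that is not from the original article or the researchers' paper. The function name and sample URLs are constructed for illustration. Because the part of a URL after # is not sent to the Web server, a check like this has to run where the full link is visible (for example, a mail or Web content scanner), not against server access logs.

```javascript
// Added example: flag links to PDF files whose fragment carries an
// open parameter with a javascript: value.
// findScriptedPdfParams is a hypothetical helper, not part of any product.

function findScriptedPdfParams(link) {
  let url;
  try {
    url = new URL(link);
  } catch (e) {
    return []; // not an absolute URL, nothing to inspect
  }
  // Only links whose path ends in .pdf are relevant here.
  if (!/\.pdf$/i.test(url.pathname)) return [];

  const hits = [];
  // url.hash starts with '#'; open parameters are '&'-separated name=value pairs.
  for (const pair of url.hash.slice(1).split('&')) {
    const eq = pair.indexOf('=');
    if (eq < 0) continue;
    const name = pair.slice(0, eq);
    let value = pair.slice(eq + 1);
    try {
      value = decodeURIComponent(value); // catch percent-encoded variants
    } catch (e) {
      // malformed escape sequence: fall back to the raw value
    }
    // Normalise case and drop whitespace/control characters before comparing.
    const normalized = value.replace(/[\s\u0000-\u001f]+/g, '').toLowerCase();
    if (normalized.startsWith('javascript:')) hits.push(name);
  }
  return hits; // names of the parameters that carry script
}

// Constructed sample links (placeholder host and payload).
const samples = [
  'http://www.example.com/file.pdf#whatever=javascript:your_code_here',
  'http://www.example.com/file.pdf#page=3&zoom=150',
  'http://www.example.com/file.pdf#page=2&x=JavaScript%3Ayour_code_here',
];
for (const s of samples) {
  console.log(s, '->', findScriptedPdfParams(s));
}
```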
Vendor Patch Information: Adobe Reader 8
Wise Security: Adobe Acrobat Reader Plugin - Multiple Vulnerabilities
Gnucitizen: Danger, Danger, Danger



