Friday, September 15, 2006

Are you Using PDF? Then close these Backdoors!

One reason I am still stuck on Acrobat 5.0 is that as versions went up, Adobe products became too snoopy and started to snoop into users' affairs. There are enough open source PDF utilities that I rarely use Adobe Acrobat.
But this post is not about how I use Acrobat; it is to inform you that there are multiple vulnerabilities in Adobe PDF: not bugs, but legitimate features that could be used as backdoors into a system.
I learned of this via /. and ended up on the eWEEK site. According to the article, a British security researcher has figured out a way to manipulate legitimate features in Adobe PDF files to open back doors for computer attacks. Then I ended up at a blog entry that provides proof-of-concept ideas and demos. I did try them, and they do what they say, at least for one demo. My security stopped the other!
The first back door (PDF), which eWEEK confirmed on a fully patched version of Adobe Reader, involves adding a malicious link to a PDF file. Once the document is opened, the target's browser is automatically launched and loads the embedded link.
A second back door demo (harmless) (PDF) presents an attack scenario that uses Adobe Systems' ADBC (Adobe Database Connectivity) and Web Services support. Kierznowski said the back door can be used to exploit a fully patched version of Adobe Professional.
"The second attack accesses the Windows ODBC (on localhost), enumerates available databases and then sends this information to 'localhost' via the Web service. This attack could be expanded to perform actual database queries. Imagine attackers accessing your internal databases via a user's Web browser," David Kierznowski said.
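For triaging PDFs against the two behaviours described above (a link that fires on open, and script that touches ADBC or Web Services), here is an added example that is not part of the original post or of Kierznowski's demos. The key names come from the PDF specification and `ADBC`/`SOAP` from the Acrobat JavaScript API, not from this page; the sample inputs are constructed fragments.

```python
import re
import zlib

# Name keys from the PDF specification that trigger or carry actions.
ACTION_KEYS = (b"/OpenAction", b"/AA", b"/URI", b"/Launch", b"/JavaScript", b"/JS")
# Acrobat JavaScript objects for database connectivity and web services.
SCRIPT_OBJECTS = (b"ADBC.", b"SOAP.")

def _decode_names(data):
    """Undo #xx hex escapes so /Open#41ction is seen as /OpenAction."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def _inflated_streams(data):
    """Yield Flate-compressed stream bodies that decompress cleanly."""
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.DOTALL):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # other filter or not compressed; raw bytes are scanned anyway

def scan_pdf(data):
    """Return sorted findings for one PDF's raw bytes."""
    findings = set()
    for layer in [data, *_inflated_streams(data)]:
        layer = _decode_names(layer)
        for key in ACTION_KEYS:
            # Lookahead stops /AA from matching a longer name such as /AAPL.
            if re.search(re.escape(key) + rb"(?![A-Za-z])", layer):
                findings.add(key.decode())
        for obj in SCRIPT_OBJECTS:
            if obj in layer:
                findings.add("script uses " + obj.decode().rstrip("."))
    return sorted(findings)

def verdict(findings):
    """'review' when something runs on open AND reaches out; else 'note' or 'clean'."""
    auto = {"/OpenAction", "/AA"} & set(findings)
    reach = [f for f in findings if f in ("/URI", "/Launch") or f.startswith("script uses")]
    return "review" if auto and reach else ("note" if findings else "clean")

# Constructed samples (object fragments, not complete PDFs).
SAMPLE_LINK = b"1 0 obj\n<< /Type /Catalog /Open#41ction << /S /URI /URI (http://example.invalid/) >> >>\nendobj\n"
# Placeholder script body; the method names are not real API calls.
SAMPLE_SCRIPT = (b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
                 b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n"
                 b"3 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
                 + zlib.compress(b"ADBC.placeholder(); SOAP.placeholder();")
                 + b"\nendstream\nendobj\n")
SAMPLE_PLAIN = b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
```

Call `scan_pdf(open(path, "rb").read())` on a real file. Content inside object streams, encrypted documents, or filters other than Flate is not inspected, so a "clean" result is a triage signal, not proof.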

In response, a spokesperson from Adobe's product security incident response team said the company is aware of Kierznowski's discovery and is "actively investigating" the issue.
Then why did you not fix the issues? Or did you just let it be?
"If Adobe confirms that a vulnerability might affect one of our products, details of the security vulnerability and an appropriate solution [will be] documented and published," the company, headquartered in San Jose, Calif., said in a statement sent to eWEEK.
