Acrobat Reader flaw opens web sites to XSS attacks

A security weakness in the Acrobat Reader software could spark a rise in Web-based attacks, silicon.com reports.

An error in the Web browser plug-in of Adobe Systems’ tool lets cyber crooks co-opt the address of any Web site that hosts an Adobe PDF file for use in attacks, security experts have warned. An attacker could construct seemingly trusted links and add malicious JavaScript code that will run once the link is clicked.
For example, an attacker could find a PDF file on a bank Web site and then create a hostile link to that file along with malicious JavaScript.

“This vulnerability makes it possible for cross-site-scripting (XSS) attacks to occur, to steal cookies, session information, or possibly create an XSS worm,” one expert said.

XSS attacks put online accounts at risk of hijacking and feed information-thieving phishing scams by allowing miscreants to use seemingly trusted links to point to fraudulent Web sites.

To mitigate the new threat, users can upgrade to Adobe Reader 8, the latest version of the Adobe software released last month. Additionally, users can force PDF files to open in the Acrobat client, not the browser plug-in.