Alert over Adobe Acrobat flaw

A security weakness in the ubiquitous Acrobat Reader software could be a boon for cyber crooks, security experts have warned.

An error in the web browser plug-in of Adobe Systems' tool lets cyber crooks co-opt the address of any website that hosts an Adobe PDF file for use in attacks, Symantec and VeriSign iDefense said. An attacker could construct seemingly trusted links and add malicious JavaScript code that will run once the link is clicked, they said.

For example, an attacker could find a PDF file on a bank website and then create a hostile link to that file along with malicious JavaScript, Ken Dunham, director of the Rapid Response Team at VeriSign iDefense, said in a statement.

He said: "This vulnerability makes it possible for cross-site-scripting (XSS) attacks to occur, to steal cookies, session information, or possibly create an XSS worm." XSS attacks put online accounts at risk of hijack and feed information-thieving phishing scams by allowing miscreants to use seemingly trusted links to point to fraudulent websites.

The Adobe vulnerability could spark a rise in XSS attacks, Symantec said. Such attacks in the past relied on flaws in websites but with the Adobe Reader bug there is now a widely used client-side application that allows cross-site-scripting attacks, it said in an alert sent to users of its DeepSight security intelligence service.

Symantec warned: "This development has the potential to significantly change the landscape of conventional cross-site-scripting attacks." The security problem was disclosed at the Chaos Computer Club conference in Germany over the holidays in a paper by Stafano Di Paola and Giorgio Fedon.

To mitigate the new threat, users can upgrade to Adobe Reader 8, the latest version of the Adobe software released last month, the company said in an emailed statement. "Adobe is also working on updates to previous versions that will resolve this issue," it added.

Additionally, users can force PDF files to open in the Acrobat client, not the browser plug-in, Symantec said. VeriSign iDefense suggests removing file type actions within Firefox for PDF, XPDF, FDF and any extension associated with the Adobe Acrobat plug-in.

Joris Evers writes for CNET News.com