Security Flaw In Reader Plug-in Exposes Users To Attacks
The Reader browser plug-in from Adobe Systems contains a considerable flaw that attackers can exploit to obtain control of users' computers running the Opera and Firefox browsers, Symantec reported on January 3, 2007.
The vulnerability stems from the way the plug-in handles URL parameters known as "Open Parameters". Open Parameters in Adobe Reader let a software maker specify exactly what part of a document to display and how to display it. In their research paper, Di Paola and Fedon further said that the attack exploiting the flaw, called universal cross-site scripting, uses a problem in the browser rather than a flaw within a Web site. In a cross-site scripting attack, code contained in the query string of a URL is executed unintentionally.
When recipients click on a URL included in an e-mail they receive, they are led to a specially crafted web page of a site. If they submit their personal information in a form on that page, it is transmitted to the remote attacker, and the victims never learn that the attacker tampered with the site.
Given the nature of the problem in the Reader plug-in, the two researchers, Di Paola and Fedon, cautioned that Web 2.0 applications that employ AJAX, for instance Google Inc.'s Gmail and Google Maps, need to tighten their security within Web browsers. If this is not ensured, hackers can turn such applications, which feature a wide spectrum of functions, into weapons, they wrote.
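
The Open Parameters described above travel in the fragment of a PDF link, so a mail or web gateway that rewrites links can reduce them to known-benign values before a user clicks. The following is an added example, not code from the article or the researchers' paper; the function name `sanitizePdfLink`, the allowlisted subset of parameters and their value formats are assumptions chosen for illustration.

```javascript
// Added example: allowlist filter for PDF open parameters in links.
// ALLOWED is an illustrative subset; names and value formats are assumptions.
const ALLOWED = {
  page: /^[1-9]\d{0,5}$/,
  zoom: /^\d{1,4}(\.\d+)?(,\d{1,5},\d{1,5})?$/,
  pagemode: /^(bookmarks|thumbs|none)$/,
  toolbar: /^[01]$/,
  scrollbar: /^[01]$/,
  nameddest: /^[A-Za-z0-9._-]{1,64}$/,
};

function sanitizePdfLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return { url: null, dropped: [], reason: "unparseable" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { url: null, dropped: [], reason: "scheme" };
  }
  // Limitation: PDFs served from paths that do not end in .pdf are not recognised here.
  if (!/\.pdf$/i.test(url.pathname) || url.hash.length <= 1) {
    return { url: url.href, dropped: [], reason: null };
  }
  const kept = [];
  const dropped = [];
  // Open parameters may be separated by '&' or '#'.
  for (const part of url.hash.slice(1).split(/[&#]/)) {
    if (part === "") continue;
    const eq = part.indexOf("=");
    const name = (eq < 0 ? part : part.slice(0, eq)).toLowerCase();
    let value = eq < 0 ? "" : part.slice(eq + 1);
    try {
      value = decodeURIComponent(value);
    } catch {
      value = "\u0000"; // malformed escape: guaranteed to fail every rule
    }
    const known = Object.prototype.hasOwnProperty.call(ALLOWED, name);
    if (known && ALLOWED[name].test(value)) kept.push(`${name}=${value}`);
    else dropped.push(name);
  }
  url.hash = kept.join("&"); // empty string removes the fragment entirely
  return { url: url.href, dropped, reason: null };
}
```

The returned `dropped` list names every parameter that was removed, which a gateway can log for review.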
» SPAMfighter News - 08-01-2007