Security Flaw In Reader Plug-in Exposes Users To Attacks

Adobe Systems' Reader browser plug-in contains a considerable flaw that attackers can exploit to obtain control of users' computers running the Opera and Firefox browsers, Symantec reported on January 3, 2007.

Stefano Di Paola and Giorgio Fedon first highlighted the problem. In the last week of December 2006, the two researchers presented a paper in Berlin discussing security issues involving Web 2.0 technologies such as AJAX (Asynchronous JavaScript and Extensible Markup Language).

Cyber crooks can take advantage of the error in Adobe's Web browser plug-in by using the address of a Web site that hosts an Adobe PDF file to launch attacks, said Symantec and VeriSign iDefense. The attacker could create apparently trusted links and add malicious JavaScript code that would install itself when a user clicks on the link, they said.

The vulnerability stems from the manner in which the plug-in handles URL parameters known as "Open Parameters". Using Open Parameters in Adobe Reader, a software maker can specify exactly what part of a document to display and how to display it. Di Paola and Fedon further said in their research paper that the attack that exploits the flaw, called universal cross-site scripting, uses a problem in the browser instead of a flaw within a Web site. In a cross-site scripting attack, code carried within the string of queries that a particular URL may have is executed unintentionally.
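One way a mail or web gateway could screen links to PDF files for tampered Open Parameters of the kind described above, as an added example that is not from the article, the researchers or Adobe. It assumes Open Parameters follow `#` in the URL, as in Adobe's documentation, and allowlists only a subset of the documented parameter names; `auditPdfLink`, `safeDecode` and the sample links are constructed for illustration.

```javascript
// Added example (not from the article): allowlist check for Adobe Open Parameters
// on links to PDF files. Names and value shapes are a subset of Adobe's documented
// parameters; anything else in the fragment is reported for review.
const OPEN_PARAMS = new Map([
  ['page', /^\d+$/],
  ['zoom', /^\d+(\.\d+)?(,\d+,\d+)?$/],
  ['nameddest', /^[\w.-]+$/],
  ['view', /^Fit(H|V|B|BH|BV)?(,\d+)?$/],
  ['pagemode', /^(bookmarks|thumbs|none)$/],
  ['toolbar', /^[01]$/],
  ['scrollbar', /^[01]$/],
  ['statusbar', /^[01]$/],
  ['navpanes', /^[01]$/],
]);

// decodeURIComponent throws on malformed escapes; treat that as a finding.
function safeDecode(text) {
  try { return decodeURIComponent(text); } catch { return null; }
}

// Returns { pdf, ok, reasons } for one link (hypothetical helper name).
function auditPdfLink(link) {
  let url;
  try { url = new URL(link); } catch { return { pdf: false, ok: false, reasons: ['unparseable URL'] }; }
  const path = safeDecode(url.pathname);
  if (path === null) return { pdf: false, ok: false, reasons: ['malformed path encoding'] };
  if (!/\.pdf$/i.test(path)) return { pdf: false, ok: true, reasons: [] };
  const reasons = [];
  const fragment = url.hash.slice(1);
  for (const pair of fragment === '' ? [] : fragment.split('&')) {
    const eq = pair.indexOf('=');
    const name = (eq === -1 ? pair : pair.slice(0, eq)).toLowerCase();
    const value = safeDecode(eq === -1 ? '' : pair.slice(eq + 1));
    const shape = OPEN_PARAMS.get(name);
    if (shape === undefined) reasons.push(`unknown parameter "${name}"`);
    else if (value === null || !shape.test(value)) reasons.push(`unexpected value for "${name}"`);
  }
  return { pdf: true, ok: reasons.length === 0, reasons };
}

// Constructed sample links, e.g. as extracted from an e-mail body.
const SAMPLE_LINKS = [
  'https://docs.example.test/report.pdf#page=3&zoom=150',
  'https://docs.example.test/report.pdf#page=3&note=EXAMPLE:unexpected',
  'https://docs.example.test/report.pdf#zoom=EXAMPLE-not-a-number',
  'https://docs.example.test/index.html#section-2',
];
for (const link of SAMPLE_LINKS) console.log(link, auditPdfLink(link));
```

Because the check is an allowlist, a legitimate but unlisted parameter is also reported; extend `OPEN_PARAMS` rather than loosening the value patterns.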

When recipients click on a URL that might be included in an e-mail they receive, they are led to a specially crafted web page of a site. If they submit their personal information through a form on that page, it is transmitted to the remote attacker, and the victims never learn that the attacker tampered with the site.

Considering the nature of the problem in the Reader plug-in, Di Paola and Fedon cautioned that Web 2.0 applications that employ AJAX, for instance Google Inc.'s Gmail and Google Maps, need to tighten their security within Web browsers. If this is not ensured, hackers can turn such applications, which feature a wide spectrum of functions, into weapons, they wrote.


» SPAMfighter News - 08-01-2007
