McAfee has warned of a vulnerability in Adobe's Reader PDF viewing software that could potentially allow attackers to track the usage of files in unexpected ways.
According to a blog post made by McAfee's Haifei Li late last week, 'unusual PDF samples' have been detected in the wild, courtesy of a shady email tracking company, which are exploiting a previously unknown flaw in Adobe's Reader software. While not capable of allowing remote code execution - the most serious type of vulnerability - Li claims that the flaw can be used to disclose privileged information on how the document spreads.
'When a specific PDF JavaScript API is called with the first parameter having a UNC-located resource, Adobe Reader will access that UNC resource,' Li explains. 'However, this action is normally blocked and creates a warning dialogue asking for permission. The danger is that if the second parameter is provided with a special value, it changes the API’s behaviour. In this situation, if the UNC resource exists, we see the warning dialogue. However, if the UNC resource does not exist, the warning dialogue will not appear even though the TCP traffic has already gone.'
The result: an attacker can see when and where the PDF file was opened, even though the security systems built into Reader should have prevented it from making contact with the remote server.
'Is this a serious problem? No, we don’t want to overvalue the issue,' Li admits. 'However, we do consider this issue a security vulnerability. Considering this, we have reported the issue to Adobe and we are waiting for their confirmation and a future patch. We are also hiding the key details of the vulnerability to protect Reader users.
'Some people might leverage this issue just out of curiosity to know who has opened their PDF documents, but others won’t stop there. An APT [Advanced Persistent Threat] attack usually consists of several sophisticated steps. The first step is often collecting information from the victim; this issue opens the door. Malicious senders could exploit this vulnerability to collect sensitive information such as IP address, Internet service provider, or even the victim’s computing routine. In addition, our analysis suggests that more information could be collected by calling various PDF JavaScript APIs. For example, the document’s location on the system could be obtained by calling the JavaScript “this.path” value.'
The workaround recommended by Li is to disable JavaScript processing in Reader - the same advice that is given every time a new security hole is found in the software. Alternatively, users can try a third-party PDF viewer.
Thus far, Adobe has not issued a statement regarding the flaw, and it is not known whether the company is actively working on a patch for what it will surely view as a relatively low-priority issue.
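For documents that have already arrived, a triage pass can complement the JavaScript workaround. The Python sketch below is an added example, not code from McAfee or Adobe: it flags PDFs that carry a JavaScript action together with a UNC path, looking in both the raw bytes and Flate-compressed streams. The sample document and the `placeholderCall` name are constructed, since the real API was withheld.

```python
import re
import zlib

# /JS and /JavaScript are the PDF name objects that introduce script actions.
JS_MARKER = re.compile(rb"/(?:JS|JavaScript)\b")
# UNC path \\host\share. Inside PDF or JavaScript string literals each
# backslash is normally escaped, so doubled forms are accepted as well.
UNC = re.compile(rb"\\{2,4}([A-Za-z0-9][A-Za-z0-9.\-]{0,252})\\{1,2}[^\\\s\"')]+")
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def _views(data: bytes):
    """Yield the raw file, then every stream body that inflates as zlib."""
    yield data
    for m in STREAM.finditer(data):
        try:
            # decompressobj tolerates the newline left before "endstream".
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # another filter or uncompressed; the raw view covers it


def triage_pdf(data: bytes) -> dict:
    """Report whether a PDF carries JavaScript and which UNC hosts it names."""
    has_js = False
    hosts = set()
    for view in _views(data):
        has_js = has_js or bool(JS_MARKER.search(view))
        hosts.update(m.group(1).decode("ascii").lower()
                     for m in UNC.finditer(view))
    return {"javascript": has_js, "unc_hosts": sorted(hosts),
            "suspicious": has_js and bool(hosts)}


# Constructed sample: a fragment shaped like a PDF whose script sits in a
# Flate-compressed stream. placeholderCall is a made-up name, not a real API.
_js = rb'placeholderCall("\\\\tracker.example\\share\\x.dat", 0);'
SAMPLE = (b"%PDF-1.4\n1 0 obj\n<< /S /JavaScript /JS 2 0 R >>\nendobj\n"
          b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
          + zlib.compress(_js) + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    print(triage_pdf(SAMPLE))
```

This is a first-pass filter only: encrypted documents, object streams, other stream filters and hex-escaped names will not be seen by it, so a clean result is not proof that a file is harmless.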