A new vulnerability in PDF readers is being exploited by ne'er-do-wells - but this one doesn't require JavaScript to be enabled in order to take control of your PC.
According to an article published over on CNET, the new vulnerability was first spotted by Didier Stevens and further developed by NitroSecurity's Jeremy Conway, who created proof-of-concept code able to attack a system simply by fooling a user into accepting a single dialog box following the opening of a malicious PDF.
The attack makes use of the 'incremental update' feature of the PDF standard and, unlike previous attacks, can operate even if the JavaScript engine is disabled in the PDF viewer's options.
The news isn't just bad for Adobe, however - and those who recommend switching to alternatives to Adobe's Reader PDF viewer should take note - as the popular Foxit Reader PDF viewer is also vulnerable to this particular attack. In fact, Stevens explains that "in this case, Foxit Reader is probably worse than Adobe Reader, because no warning [dialog] gets displayed to prevent the launch action."
So far, neither company has provided a patch to mitigate this particular attack, although both are investigating the issue.
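Until a patch arrives, incoming PDFs can be triaged for the two features named above. The following is an added example, not code from the article or from the researchers it cites: it assumes each incremental update ends with its own `%%EOF` marker and that the launch action appears as a `/Launch` name, and the sample bytes are constructed for illustration.

```python
import re

# Constructed sample, not a working PDF: an original revision followed by one
# appended update that adds a launch action with a hex-escaped name.
SAMPLE = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\nstartxref\n0\n%%EOF\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /L#61unch /F (placeholder) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Prev 0 >>\nstartxref\n0\n%%EOF\n"
)

NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
RISKY = {b"Launch", b"OpenAction", b"AA", b"JavaScript", b"JS"}

def decode_name(raw: bytes) -> bytes:
    """Undo #xx hex escapes, which PDF allows inside names (/L#61unch)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)

def triage_pdf(data: bytes) -> dict:
    """Split a file at each %%EOF and list risky names per revision."""
    revisions, start = [], 0
    for m in re.finditer(rb"%%EOF", data):
        names = {decode_name(n) for n in NAME_RE.findall(data[start:m.end()])}
        revisions.append(sorted(n.decode("latin-1") for n in names & RISKY))
        start = m.end()
    launch_revs = [i for i, r in enumerate(revisions) if "Launch" in r]
    has_js = any(n in r for r in revisions for n in ("JavaScript", "JS"))
    return {
        "revisions": len(revisions),
        "risky_by_revision": revisions,
        # Assumption: a launch action introduced after revision 0 is the
        # pattern worth escalating for this attack.
        "launch_in_update": any(i > 0 for i in launch_revs),
        # True when disabling JavaScript in the viewer would not help.
        "launch_without_js": bool(launch_revs) and not has_js,
    }

if __name__ == "__main__":
    print(triage_pdf(SAMPLE))
```

A raw byte scan like this does not see names stored inside compressed streams, so a clean result is not proof that a file is safe; a hit is a reason to inspect the file more closely before it reaches a user.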
Are you disappointed to see yet another attack against the PDF format, or are you just shocked to see that this time it's not JavaScript related - or limited to Adobe's software? Share your thoughts over in the forums.