Critical Security Vulnerability Found in Adobe Acrobat and Reader

Thursday, 04 January 2007

Adobe announced today that they have identified several "critical vulnerabilities" in Adobe Reader 7.0 through 7.08 and Adobe Acrobat 7.0 through 7.08. This affects many internet users, since the Reader plugin is commonly used to view PDFs in the browser. Note that this vulnerability only affects Windows users using Internet Explorer. It takes advantage of IE's horribly insecure ActiveX scripting facility. Please read the security bulletin for more info on how to secure yourself when using Acrobat or Reader. Note that this exploit does not affect Mac users or PC users who are not using Internet Explorer (e.g. Firefox users). Adobe recommends upgrading to Acrobat or Reader 8, or waiting for the security patch to be released next week.
This vulnerability is classified as Cross Site Scripting (XSS), and how it works is simple. To expose yourself to this vulnerability, you must first download a malicious PDF file and have it open inside of Internet Explorer via the browser plugin (a common setup). If you click on a URL link inside of the exploited PDF file, Internet Explorer will open a JavaScript file from another website that will allow the hacker to seize control of your computer, meaning they will usually upload malicious software to your computer (e.g. a trojan or worm), thus compromising it. Hackers will usually go right after your IE password file that holds all your logins and passwords, your history file so they know where you go to log in, and any Quicken, QuickBooks or MS Money files. All without you even knowing. They can then insert keystroke logging software on your PC in hopes of intercepting your online banking logins.
The super jaded part of me thinks it's amazing that this exploit comes to light as Adobe is starting to sell Acrobat 8 (a paid upgrade); but it could just be a coincidence.
Internet Security Tips:
1. Don't use Internet Explorer. I don't care if it's IE7. IE (all versions) is waaay too vulnerable to hacking, and when you add the fact that it is hardwired into the core of the Windows operating system, you are opening yourself up to continuous vulnerabilities.
2. Keep Windows, IE and any and all programs using plugins within IE UPDATED! Use the Windows auto update feature for convenience's sake.
3. Use and keep your Anti-Virus, Anti-Spyware and Anti-Malware updated. Yes, pay the annual fee.
4. NEVER store login passwords using the browser's "do you want to remember" dialog box on a PC. These password files are not encrypted and so are easy to steal if you get hacked.
5. Buy a Mac. Seriously, the amount of time I spend administering and worrying about security procedures is 1/10th the time on a Mac than on a PC. I'm an old school PC guy that is now "cross-platform" and Macs have PCs beat hands down in all areas. 'nuff said.