When Your PDF Reader Turns on You

4:10 PM -- Got Adobe Reader 7.0 or earlier? Then you've got a nasty bug that would make any savvy attacker think it was Christmas all over again.

The latest cross-site scripting flaw find -- yes, XSS is back in the spotlight again -- is in the PDF reader, and the more researchers poke at it, the more they are finding that it could be more deadly than they first thought. As a matter of fact, RSnake, founder of ha.ckers.org, last night demonstrated on the ha.ckers site how this type of XSS attack can infect the browser -- and ultimately read files on the victim's computer. RSnake says it gives an attacker "full access" to your hard drive.

Gulp.

So you're not just susceptible to an attack on Websites with those pretty PDF files, but also to a more severe attack on your own machine. The bug was originally made public at the Chaos Communication Congress, a hacker convention held in Berlin last week.

RSnake explains the problem like this: Because HTML can't access the filesystem, it needs a little helper, such as the QTL file he used in his proof-of-concept that is able to access the "file: directive." The vulnerability can also be used to run JavaScript through a PDF, so the attackers can have a field day with their malware.

This find changed Web app expert Jeremiah Grossman's mind about the bug. Yesterday, Grossman, CTO of White Hat Security, had said the PDF XSS bug didn't really raise the XSS risk level overall. But in light of RSnake's finding, Grossman now considers this "really bad" and worries that it could be used as a payload for attacks much worse than XSS. White Hat customers are already emailing and asking Grossman for help on how to protect themselves from the flaw.

And Grossman says everyone knows the next big malicious XSS attack is coming -- it's just a matter of when and who the target will be.

Meanwhile, Adobe's telling 7.0 users via advisories on its Website to upgrade to Adobe Reader 8.0. But most users don't bother to regularly upgrade Reader, nor do they get automatic updates for it. "The fix won't be fast enough for the devastation that awaits," Grossman says. "The bad guys are likely to be all over this one" soon.

— Kelly Jackson Higgins, Senior Editor, Dark Reading