Adobe late Tuesday released the first set of security patches to address the cross-site scripting vulnerability disclosed by European researchers late last year. The flaw allows Acrobat Reader v.7.0.8 and earlier versions to be exploited by hackers.
The latest version of Acrobat, v.8., released in December, isn’t vulnerable to the cross-site scripting attack. But because researchers Stefano Di Paola and Giorgio Fedon drew attention to the flaw when they presented a paper at a Berlin conference in late December, Adobe has been working to address the problem.
“Adobe strongly urges Adobe Reader users update to the latest version, Reader 8. Adobe Reader 7 users who wish to stay with their current version can follow the instructions outlined in the bulletin,” Adobe advised last night. Adobe also issued recommendations for a server-side workaround for Web site operators.
Adobe labels the cross-site scripting flaw critical, and many security experts say it’s one of the worst security problems they've ever seen given that Adobe Reader is so widely used for viewing PDF files.
“It’s the prevalence of it,” notes Amol Sarwate, manager of vulnerability research at security services firm Qualys. “There’s an Adobe Reader installed on almost every desktop.”
“This is the biggest issue in security I’ve ever seen,” says Danny Allan, director of strategic research at Web application security firm Watchfire. “It’s extremely easy for someone to do this. There’s nothing difficult here.”
An Adobe spokesman says Adobe expects to soon post additional security patches for the cross-site scripting vulnerability for Adobe Reader 6 users.
Learn more about this topicAdobe’s recommendations for Web server operatorsAdobe Reader vulnerable to attacks01/03/07Adobe to issue patches for cross-site scripting vulnerability