The CERT Coordination Center issued a vulnerability note Wednesday for a problem affecting Portable Document Format (PDF) readers for the Unix and Linux platforms, less than a week after the information was leaked to the Internet.

The CERT Vulnerability Note describes a problem with the way some Unix PDF reader programs handle hyperlinks embedded within PDF documents. In retrieving the content pointed to by those links, some PDF readers launch external programs by invoking the Unix shell (sh) command interpreter. In some cases, an attacker could use malicious instructions embedded in the hyperlink to compromise the victim’s computer, CERT said.

On June 13, an individual using the name “hack4life” posted leaked information on the same vulnerability to the online discussion list Full-Disclosure. The information was taken from a communication sent from CERT to software vendors affected by the PDF problem, according to CERT. In an e-mail, hack4life said that the intercepted communication indicated that CERT was planning to release the Vulnerability Note on Monday, June 23.

With the unauthorized release of information on the PDF reader flaw, however, CERT saw little reason to hold on to the vulnerability note until Monday, according to Shawn Hernan, a member of the CERT technical team.

“We certainly aren’t going to pretend that the information isn’t public,” Hernan said.

CERT communicated with software vendors affected by the problem to get up-to-date information on the organizations’ exposure to the vulnerability and the availability of software patches, then released its Vulnerability Note on Wednesday, Hernan said.

CERT’s list of affected software vendors includes companies that make PDF readers for Unix as well as software manufacturers who bundle PDF reader technology with their own products, he said. Most of those vendors have not indicated to CERT whether their products are vulnerable. However, leading makers of PDF readers have responded.

Adobe Systems issued a statement to CERT noting the availability of an updated version of its Acrobat Reader software for the Linux, Solaris, HP/UX and AIX operating systems that addresses the security hole. The Xpdf project, an open source group that manages the Xpdf reader, issued a statement to CERT as well, with a link to a patch for that product.

Hernan said CERT is confident that the information is being leaked from one of the software vendors with which it shares confidential vulnerability data prior to making an announcement, rather than from within CERT. The vulnerability data could come from an insider on a development team that is privy to the information, or from a hacker who has compromised the security of the vendor’s network, Hernan said.

“The real story is: ‘What vendor out there has this compromise?’” Hernan said.

CERT takes the information leak very seriously and is working with software vendors to find the source of the leak and to review the internal controls on CERT vulnerability information, he said.