Site icon Panda Security Mediacenter

Adobe plugins Vulnerabilities

Stefano Di Paola y Giorgio Fedon have discovered various vulnerabilities in Adobe Acrobar Reader's plugin. They presented them at CCC's Congress with a presentation on Vulnerabilities in Web applications that use AJAX.

The original advisory can be found here.

Among the vulnerabilities found, one has been called "UXSS"(Universal Cross Site Scripting), and it uses a lack of control of the plugin when the "OpenParameters" function is used. This function can be used to set certain characteristics when viewing a PDF document in the URL. The problem arises because it is possible to add javascript code to the URL, and that code will be executed when visiting the url. All this opens a door for phishing attacks.

You can find more information on this vulnerability here.

Affected sistems(known at the moment):
Version 6.0.1 for Windows via Internet Explorer 6
Version 7.0.8 for Windows via Firefox 2.0.0.1.
Other versions may also be affected.

Thanks to Mario Ballano and Pedro Montoya.

Exit mobile version