PDF added to list of invisible attacks
The hacker responsible for highlighting a number of recent security vulnerabilities has added PDF files to his list of ways to hack Windows PCs.
"Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!!," wrote Petko Petkov, in a breathless blog posting. "All it takes is to open a PDF document or stumble across a page which embeds one."
Petkov discovered a recently patched QuickTime flaw that affected the Firefox browser, and earlier this week posted code for exploiting Internet Explorer bugs using Windows Media Player.
UK-based Petkov said he had confirmed the issue on Adobe Reader 8.1 on Windows XP and that other versions may be affected.
The security researcher said he would not release exploit code until PDF maker Adobe develops a patch, but he has already sent other software developers scrambling for bug fixes over the past week.
On 12 September, Petkov reported that attackers could run unauthorised software on a Firefox user's PC by exploiting a flaw in Apple's QuickTime media player. Mozilla offered a partial fix for this problem but said Apple would ultimately have to address the issue in QuickTime itself.
And on Tuesday this week Petkov posted code showing how Windows Media Player files could be used to make web surfers susceptible to Internet Explorer bugs, even if they were running another browser such as Firefox or Opera. Microsoft has said it is investigating this issue.
If Petkov's PDF claims are true, it could be bad news for business users, who are used to opening PDF attachments without thinking twice, said Andrew Storms, director of security operations with nCircle Network Security.
Though some attackers have crafted PDF attacks in recent years, Petkov's code could also be more effective than typical exploits, Storms added.
"Historically, those other exploits have been targeted for specific versions of Adobe Reader," he said via instant message. "According to the information, this affects all versions. It's an inherent architectural problem in the way files are read."
Return to internet news headlines
View Internet News Archive