Author Topic: Acrobat Bug Makes Downloading Dangerous  (Read 1517 times)
don
Editor-In-Chief, Administrator
« on: January 09, 2007, 09:56:19 AM »

Quote
A significant attack method using links to Web-based PDF files was revealed at a security conference recently. In a paper entitled "Subverting Ajax", Stefano Di Paola and Giorgio Fedon noted the implications of a documented Adobe Acrobat Reader feature.

Acrobat software allows parameters to be passed to the software when opening a PDF file, and this includes opening one from a Web site using a browser. Click here for the documentation for the feature. Parameters may be passed in this form:

http://www.example.com/any.pdf#name=value

The problem is that the software supports passing Javascript in the parameters:

http://www.example.com/any.pdf#attacker_parameter=javascript:alert(Javascript code)

Previously, this sort of "Cross-Site Scripting" (often abbreviated as XSS) has required server-side vulnerabilities and was often difficult to invoke. This exploit can be implemented easily and through proper use of features. It can be delivered through e-mail, instant messaging, and many other vehicles.

It can be blocked in a managed network through filtering at a firewall or IDS/IPS. We have already received notices from gateway security vendors, such as Barracuda Networks, that their products look for and block the attack.

Acrobat and Adobe Reader versions 7 and earlier are affected. Version 8 is not, and Adobe recommends in their advisory on the problem that users upgrade to it. They also state that they are working on a version 7.0.9 to address the issue for users who cannot upgrade to version 8.

Users who wish to work around this problem until Adobe issues fixes can disable PDF opening in the browser. In Internet Explorer (since Windows XP SP2) go to Tools-Internet Options-Programs tab, press the Manage Add-Ons button, select the Adobe PDF Reader from the list, click the Disable radio button and then OK. In Firefox, open the Tools-Options window, the Content tab, click Manage in the File Types section, then for each type opened by Acrobat select Change Action and tell it to open the external application rather than the Acrobat plug-in.

It also appears that some Web browsers are not affected by this problem. All reports indicate that all versions of Mozilla browsers, including the current versions of Firefox, are vulnerable. Internet Explorer 6 SP1 and earlier are definitely vulnerable, but reports on later versions have been inconsistent. Symantec has reported that IE 6 SP2 is affected when run with Acrobat 6, but this combination is not mentioned in their most recent reports. We have seen no reports that Internet Explorer 7 is vulnerable.

For original story:
http://www.pcmag.com/article2/0,1895,2079793,00.asp

Don

CISSP, MCSE, CEH, Security+ SME
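Added example (not from the post or the PCMag article): a Python check of the kind a mail or web gateway filter could run over links found in message bodies, flagging PDF links whose open-parameter fragment carries a javascript: value. Sample links are constructed; the function and module names are my own.

```python
import re
from urllib.parse import urlsplit, unquote

# Matches a value whose scheme is "javascript:" once decoded, tolerating
# case variation and whitespace slipped in between the letters.
_JS_SCHEME = re.compile(r"^\s*j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t\s*:", re.IGNORECASE)


def pdf_open_parameters(url):
    """Return (name, value) pairs from the open-parameter fragment of a PDF link.

    Acrobat reads the parameters from the URL fragment, which browsers never
    send to the web server, so this must run over links seen in mail, IM or
    HTML bodies rather than over server logs.
    """
    parts = urlsplit(url)
    # Limitation: PDFs served from extensionless URLs are not inspected.
    if not parts.path.lower().endswith(".pdf"):
        return []
    pairs = []
    # Acrobat accepts both '&' and '#' as separators between parameters.
    for chunk in re.split(r"[&#]", parts.fragment):
        if "=" not in chunk:
            continue
        name, value = chunk.split("=", 1)
        # Decode repeatedly so that %-encoded (and double-encoded) schemes are seen.
        for _ in range(3):
            decoded = unquote(value)
            if decoded == value:
                break
            value = decoded
        pairs.append((name.strip(), value))
    return pairs


def flag_pdf_link(url):
    """Return the names of open parameters whose value is a javascript: URL."""
    return [name for name, value in pdf_open_parameters(url) if _JS_SCHEME.match(value)]


def scan_links(links):
    """Map each link that carries a javascript: open parameter to the offending names."""
    return {url: names for url in links if (names := flag_pdf_link(url))}


SAMPLE_LINKS = [  # constructed examples, not taken from any real site
    "http://www.example.com/any.pdf#page=3&zoom=100",
    "http://www.example.com/any.pdf#attacker_parameter=javascript:alert(1)",
    "http://www.example.com/any.pdf#x=JaVaScRiPt%253Aalert(1)",
    "http://www.example.com/index.html#a=javascript:alert(1)",
]
```

The fourth sample is left alone because the check only applies to PDF links; a filter that wants to catch extensionless PDF downloads would need to key on the response content type instead.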