Adobe PDF flaw more dangerous than predicted

A recently discovered vulnerability in Adobe's Acrobat Reader is more dangerous than first thought, security experts warn.

Detected earlier this week, the flaw in the web browser plug-in of the Adobe software lets an attacker take the web address of any site that hosts a PDF file and use it in attacks. An attacker could construct seemingly trusted links and add malicious JavaScript code that runs once the link is clicked, security professionals said.

However, experts now believe that cyber criminals could exploit the vulnerability to steal information directly from the user's hard drive. "This means any JavaScript can access the user's local machine," said Billy Hoffman, lead engineer at SPI Dynamics, in a statement. "Depending on the browser, this means the JavaScript can read the user's files, delete them, execute programs, send the contents to the attacker, etc. This is much worse than an attack in the remote zone."

According to Adobe, this vulnerability does not affect Acrobat 8 or Adobe Reader 8. The software company vowed to release patches next week for the flaw in the previous versions.

An Adobe spokesperson said in a statement: "Adobe is aware of a recent cross-site scripting vulnerability in versions 7.0.8 and earlier of Adobe Reader and Adobe Acrobat that could allow remote attackers to inject arbitrary JavaScript into a browser session.

"This is not a vulnerability in PDF. Specifically, this issue could occur when a user clicks on a malicious link to a PDF on the web."
