EDITORIAL: Adobe Reader rollercoaster slows to a halt

After such headlines as ‘Adobe flaw may be ‘worst’ bug of 2007’ scarcely a week into the new year, one could perhaps be forgiven for feeling a little nervous. As it turns out, however, this latest flaw now seems more like a falling acorn than a piece of sky.

Basically, Adobe’s Reader browser plug-in leaves user systems vulnerable to attack from JavaScript-based malware via cross-site scripting (XSS). According to a January 8 Computerworld article, ‘…the flaw affects Adobe Reader and Acrobat Versions 7.0.8 and older running in the open-source Firefox browser, and Adobe 6.x and older versions running in Microsoft Corp.’s Internet Explorer.’ An attack exploiting the weakness could be crafted by appending the JavaScript to a Web link to any existing PDF file. Since the danger is in the link rather than the PDF document itself, even PDFs from trusted sources can be used in such an attack.

Sounds pretty scary, huh? Well, there are a few reasons that the problem now appears so much less imposing. For a start, the bug only occurs in quite unusual Web browser/PDF viewer combinations. The other point to note is that, because the vulnerable configurations are so rare, writing the appropriate malware in the first place is hardly worth the cost of the instant coffee malicious programmers would drink while coding it.

In any case, the simplest fix for the issue is to upgrade to the latest version of the free Adobe Reader (version 8.x), which does not possess the flaw. Basically, that equates to peace of mind at the cost of a little bandwidth. For the users who are particularly attached to their older versions (e.g. those using a full version of Acrobat 7.0.8 or older), Adobe has pledged to release patches to nix the bug. In the interim, such users can adjust their browser preferences to prevent the Reader plug-in from opening within the browser.

Although the vulnerability is a dangerous one, it is only a potential problem and even then, it can only affect a very small percentage of users. I tend to agree with Duff Johnson that the flaw’s dangers have been much exaggerated, although I wonder if it isn’t more a case of ‘Chicken-Little-itis’ than a deliberate media beat-up.

About the Author: Dan Shea