Adobe Reader Vulnerable to XSS Exploit
In a post to the Full Disclosure mailing list, Di Paola lavished praise on Adobe for their response, noting, "Adobe did a great job and patched in less than 1 month". Too bad it's not that simple and the praise really isn't deserved.
What Adobe actually did was release an entirely new version (v8), but they don't offer this version through the update feature. If you do try to update version 7, the Adobe updates will only take you as far as version 7.08 - which happens to be susceptible to the vulnerabilities. And Adobe doesn't mention the XSS vulnerabilities on their website, even in the support section, nor give any indication that upgrading to version 8 might be necessary.
To get the fixed version, you have to first know you need to do that (and now you do). Then you need to go to the Adobe website and manually download and install version 8.
Pass the word.

