What makes the two vulnerabilities so dangerous is that neither requires deliberate action by the user. Kierznowski posted his findings to his blog, michaeldaw.org: "The first attack is simple and affects both Adobe Reader and Adobe Professional. It involves adding a malicious link into the PDF document. Once the document is opened, the user's browser is automatically launched and the link is accessed. At this point, it is obvious that any malicious code be launched (sic). It is interesting to note that both Adobe 6 and 7 did not warn me before launching these URLs," he writes.
He explained the second attack in a recent e-mail interview with Brainstorm: "Acrobat Professional supports ADBC (Adobe Database Connectivity). This means it can access databases connected to the user's computer, given they are set up in the Windows ODBC. This [second] attack vector allows an attacker not only to enumerate valid databases, but to execute SQL queries on the backend databases. In other words, internal users opening a backdoor PDF document could potentially be sending and/or modifying databases accessible within the user's circle of trust. This affects Acrobat Professional only," noted Kierznowski.
He also points out that whether or not older versions are affected is a moot point because Adobe supports live update, meaning that most users will be running the latest versions.
Troy Ferraris, CTO of local Adobe partner Egis Software, says the threat is overstated - provided that users already have adequate antivirus and firewall protection in place. He claims that once a user has been redirected, should something happen on that website, the vulnerability is in the browser rather than inside the PDF. He maintains that CIOs and consumers should rather focus on protecting themselves against malicious websites than worrying about links inside documents, whether overt or covert.
And while he is technically correct, Ferraris overlooks the fact that the exploit works without any user confirmation or authorisation being required, as Kierznowski notes in his blog. The British researcher explains further: "Acrobat supports multiple security contexts. A PDF launched from the desktop or e-mail will warn the user that the document is trying to access an external resource. However, when a PDF is opened from the browser, the user is not warned because Acrobat adopts the security context of the browser."
As far as the second flaw is concerned, Kierznowski argues that it is limited to Adobe Professional users running on the Windows platform. For users running this combination of products, he offers a temporary fix, available at www.bipin.tk.
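As an added illustration, not taken from the article or from Kierznowski's own material, the following Python scanner applies a defender's heuristic to both flaws described above: it flags a PDF whose document-level /OpenAction resolves to a /URI, /Launch or /JavaScript action (assumed here to be the mechanism behind a link that fires as soon as the file is opened) and any embedded JavaScript that calls the ADBC object. The sample object fragments are constructed, and the /OpenAction check and ADBC method-call pattern are assumptions of this example, not details the article specifies.

```python
import re

# Heuristics assumed for this scanner (not taken from the article): a document
# level /OpenAction that resolves to a /URI, /Launch or /JavaScript action runs
# as soon as the file is opened, with no click; "ADBC" is the name of Acrobat's
# database-connectivity JavaScript object behind the article's second flaw.
OPEN_ACTION_RE = re.compile(rb"/OpenAction\s*(?:(\d+)\s+\d+\s+R|<<(.*?)>>)", re.S)
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", re.S)
ADBC_RE = re.compile(rb"\bADBC\s*\.")
AUTO_ACTIONS = (b"/URI", b"/Launch", b"/JavaScript")


def find_auto_actions(pdf: bytes) -> list:
    """Return (where, what) findings for actions that fire without user action.

    Caveat: this reads raw, uncompressed object syntax only. Streams encoded
    with /FlateDecode (the usual case for JavaScript) must be inflated first,
    so a production scanner should decode streams before applying these checks.
    """
    objects = {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(pdf)}
    findings = []
    for m in OPEN_ACTION_RE.finditer(pdf):
        # Either an indirect reference ("3 0 R") or an inline dictionary
        body = objects.get(int(m.group(1)), b"") if m.group(1) else m.group(2)
        for kind in AUTO_ACTIONS:
            if kind in body:
                findings.append(("OpenAction", kind.decode()))
    if ADBC_RE.search(pdf):
        findings.append(("JavaScript", "ADBC"))
    return findings


# Constructed sample fragments (object syntax only, not complete PDF files).
SAMPLE_AUTOLINK = (
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /URI /URI (http://example.invalid/) >> endobj\n"
)
SAMPLE_ADBC = (
    b"1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript /JS 4 0 R >> >>"
    b" endobj\n4 0 obj << /Length 33 >> stream\n"
    b"var c = ADBC.newConnection('hr');\nendstream\nendobj\n"
)
SAMPLE_CLEAN = b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"

if __name__ == "__main__":
    for name, data in (("autolink", SAMPLE_AUTOLINK), ("adbc", SAMPLE_ADBC),
                       ("clean", SAMPLE_CLEAN)):
        print(name, find_auto_actions(data))
```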
Working on it
It also appears Adobe is working on the problem. "I have been in close contact [with Adobe] over the past week discussing the issues, possible attack scenarios and solutions. They hope to address the second issue in the upcoming release of Acrobat, version 8. The first issue is a little more complex from a usability perspective. We had a long discussion on this. It is currently still on the dissecting table," Kierznowski reports.
But Ferraris doesn't hold out much hope that a permanent solution will be found for the first backdoor - save forcing the Acrobat browser plug-in to ask for confirmation before executing code. "The more dynamic you make documents, the more susceptible they will be to [external] malicious code," he says.
However, he does suggest the use of digital certificates to verify the authenticity of PDF files. The only problem is that this creates additional complexity - the very thing that the PDF format was designed to eliminate.