A security researcher claims it is possible to install malicious code on a user's computer through standard Adobe Reader features.
David Kierznowski has published proof of concept documents for exploiting the ubiquitous software that are not traditional software code flaws, but instead demonstrate a new trend affecting desktop applications - the use of legitimate features for dangerous ends.
Last week, a US government research body found that attacks using cross-site scripting or Web-oriented scripting languages had become more prevalent than the more traditional buffer overflows, which affect desktop application code.
The first attack, found here, adds a malicious link into a PDF document. "Once the document is opened, the user’s browser is automatically launched and the link is accessed," wrote Kierznowski. "At this point it is obvious that any malicious code be launched."
The document works equally well with fully-patched versions of Adobe Reader on Windows or Mac OS X. It doesn't affect other PDF readers, such as Foxit or Mac OS X's Preview. Testers also noted that if the test document is launched from the desktop, it warns the user before opening the link, while if launched from the Web there's no warning. "Both Adobe 6 and 7 did not warn me before launching these URLs," Kierznowski wrote.
The second attack uses Adobe's Adobe Database Connectivity (ADBC) and Web Services support, accessing the Windows ODBC, enumerating available databases and then sending the information to "localhost" via the Web service. The test is found here.
Kierznowski said that because of the nature of the attack, using legitimate features, it was likely that similar exploits were likely to be possible using Adobe Reader's support for HTML forms, file system access and other features. "I am sure with a bit more creativity even simpler and/or more advanced attacks could be put together," he wrote.
Just today, Adobe released Acrobat 8 and integrated it with its upgraded Creative Suite 2.3 Premium. The company said Acrobat 8 Professional will be available for Windows and Macintosh, with Acrobat 8 Standard for Windows, from November, in English, French, German, and Japanese.