Last week, loud noises began emanating from a variety of online security experts regarding a vulnerability in Adobe’s Reader browser plugin that can allow malicious code to execute on a user’s system via cross-site scripting (XSS).
The headlines were choice: “Adobe bug may be worst flaw of 2007”, and “Adobe Flaw Means Trusted PDFs May Be Treacherous” are just two examples.
I’m not a security expert, but I know a thing or two about Adobe Acrobat and Reader, and thanks to an earlier career in politics, I know something about the media as well.
My general recommendation for anyone who consumes newspapers, websites or blogs for subjects of any complexity is this: check in on stories weekly. That way, you’ll get a far more sensible read on the so-called “news” than you will garner from the rankings-adrenaline junkies who dominate the 24-hour news cycle. For me, The Economist is the world’s single finest source of news, in no small part because it is published weekly.
This newest PDF scare is a case in point – the result of parallel mentalities in the computer security and news-gathering worlds: jumping the gun.
Today, we learn that some people were actually bothering themselves to test the original claims over the weekend. The latest headline? “iDefence backtracks on PDF scare”.
Here’s Adobe’s statement on the subject. They are planning a fix for older versions of Reader. Since the “dangerous” combination of Reader and browser is so inherently unusual anyhow (how many installations of Firefox aren’t automatically updating themselves?), in my view, this “flaw” is close to a nothing-burger, the result of a headline-hungry and woefully incautious computer-security hype machine.
One other point worth noting. In describing this security problem, Symantec’s Hon Lau makes the following claim:
“What this means, in a nutshell, is that anybody hosting a .pdf file, including well-trusted brands and names on the Web, could have their trust abused and become unwilling partners in crime.”
This is, frankly, nothing more than a cheap grab for headlines, and of course, it worked. Yes, Reader’s XSS flaw requires a link to a real PDF file that exists on the web. It could be any file – which one doesn’t matter. Just because a bad guy may use any PDF on any website as his link-target does not in ANY way implicate the owner of that PDF as an “unwilling partner in crime”! We are discussing fraud, no more, no less – certainly no different than any other fraud committed online. Suggestions to the contrary are unwarranted, inflammatory and unworthy of a respected computer security organization.