Adobe Issues Fix for Reader, Acrobat Flaw


Adobe quietly releases versions 7.0.1 of its freely distributed programs to patch a local file detection vulnerability

Users of the ubiquitous Adobe Reader and Adobe Acrobat programs are at risk of a local file detection flaw, according to an alert from a private security research outfit.

Adobe Systems Inc. earlier this month sneaked out a fix for the vulnerability and recommended that users upgrade to versions 7.0.1 of the freely available programs.

Hyperdose Security, the company credited with finding and reporting the bug, said an attacker could target the "Safe for Scripting" method in the Adobe programs to direct unsuspecting users to a malicious Web site.

Once the user lands on the malicious site, the attacker can use the "LoadFile" method to send the name of a local file on the victim's computer. Using this method, the attacker is able to determine whether that file exists on the victim's machine, said Robert Fry, a researcher at Hyperdose Security.

Although the risk is considered low, Fry said the attack would be useful as a stepping stone to further attacks. "Knowing the existence of a local file an attacker can gain knowledge as to the software and likely versions of software the individual is using," he said.

In an advisory confirming Fry's findings, Adobe said the bug affects users running Microsoft Corp.'s Internet Explorer on Windows. "One of the methods exposed by ActiveX in Internet Explorer can be used to trigger a flaw in the Adobe browser control. An attacker would be able to determine what specifically queried files exist on the user's system, although the contents of the file are not accessible," the company said.

However, Adobe said the impact is minimized because the existence of local files can be discovered only if the attacker knows the complete file names and paths in advance and the recipient is running Internet Explorer.

Source: www.eweek.com/article2/0,1759,1789591,00.asp