Acrobat flaw threatens both Firefox and IE browsers

Tags: Web browsers, SECURITY, John McCormick, Mozilla Firefox, Acrobat flaw, OpenOffice buffer-overflow vulnerability, Web browser, vulnerability, Microsoft Internet Explorer, OpenOffice, OpenOffice.org, buffer-overflow, Apple QuickTime, Adobe Acrobat, IT Locksmith Newsletter

Takeaway: While initially thought only to expose users to arbitrary code on Web sites, an Adobe Acrobat Reader flaw can also expose the contents of a user's local hard drive to hackers. Get the details in this edition of the IT Locksmith, and get the best of the rest of recent security news.

This week, a PDF browser plug-in exposes hard drive contents, the Opera browser carries a JPEG threat, and OpenOffice.org patches a major threat.

Details

A recent conference of the Chaos Computer Club hacker group in Germany included a discussion of an Adobe Acrobat Reader flaw that affects both the Firefox and Internet Explorer browsers. While initially thought only to expose users to arbitrary code on Web sites, the vulnerability can also expose the contents of a user's local hard drive to hackers. To address the problem, upgrade to Adobe Reader 8 immediately.

In other browser news, Opera users need to update to version 9.10 in order to eliminate two threats. The first threat is a vulnerability in createSVGTransformFromMatrix (JavaScript/SVG), which can allow execution of arbitrary code on the vulnerable system. (Disable JavaScript as a temporary fix.) The second threat involves both a denial-of-service threat and an arbitrary code execution threat caused by a malformed JPEG file header.

Meanwhile, hackers can take advantage of an Apple QuickTime 7.x buffer overflow threat to compromise user systems. According to Secunia, this doesn't just affect Windows—it also affects Mac OS X platforms. US-CERT Vulnerability Note VU#442497 offers more details about this vulnerability, including a detailed workaround for disabling the vulnerable QuickTime ActiveX controls in the Windows registry as well as disabling the QuickTime plug-in in Mozilla-based browsers.
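The registry workaround the advisory describes is the Internet Explorer "kill bit": a Compatibility Flags value under the ActiveX Compatibility key that stops IE from instantiating a control by CLSID. The script below is an added example, not from the column or from the US-CERT note; the CLSID list is a placeholder, and the real QuickTime control CLSIDs must be taken from VU#442497. It assumes an elevated PowerShell session.

```powershell
# Added example: set the IE kill bit for a list of ActiveX control CLSIDs.
# PLACEHOLDER CLSID below; replace with the QuickTime CLSIDs listed in VU#442497.
$clsids = @(
    '{00000000-0000-0000-0000-000000000000}'   # placeholder, not a real control
)

# Standard kill-bit location and flag value (0x400 = control is blocked in IE).
$base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$killBit = 0x400

foreach ($clsid in $clsids) {
    $key = Join-Path $base $clsid

    # Create the per-CLSID key if the control has never had compatibility flags.
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Preserve any existing flags and OR in the kill bit rather than overwriting.
    $existing = 0
    $prop = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($prop) { $existing = [int]$prop.'Compatibility Flags' }
    $newFlags = $existing -bor $killBit

    New-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $newFlags `
        -PropertyType DWord -Force | Out-Null

    # Verify: read the value back and confirm the kill bit is present.
    $check = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
    if (($check -band $killBit) -eq $killBit) {
        Write-Output "Kill bit set for $clsid (flags=0x{0:X})" -f $check
    } else {
        Write-Warning "Kill bit NOT set for $clsid; check permissions and re-run elevated"
    }
}
```

Setting the kill bit only blocks the control inside Internet Explorer; the Mozilla plug-in the advisory mentions is a separate component and must be disabled separately as the note describes.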

An OpenOffice buffer overflow vulnerability has also surfaced, as reported in Vulnerability Note VU#220288 (CVE-2006-5870). Because of a buffer overflow in the way the software handles Windows Metafile (WMF) vector graphics files as well as the Enhanced Metafile (EMF) files used by 32-bit systems, the threat can allow an attacker to run arbitrary code.

This threat affects OpenOffice versions earlier than 2.0.4. OpenOffice.org recommends updating with the patch provided on its OpenOffice.org Issue 70042 Web page. The vulnerability doesn't affect OpenOffice version 2.1.

Final word

I hope everyone survived the holidays. Here at the ranch, I had a minor adventure with Microsoft's latest operating system—get my take in this blog post.


Also watch for…

  • This week marks the first Patch Tuesday of 2007, and Microsoft has announced that it will issue only half of the security bulletins originally planned. Tune in next week to get the details on January's security updates.
  • Look for some important Wi-Fi security news from this week's Consumer Electronics Show in Las Vegas. Rumor has it that the Wi-Fi Alliance is going to announce a new process that will make it easier to configure secure Wi-Fi access.
  • UNIX security threat levels are relatively low this week. Most news relating to patches from SuSE, Ubuntu, Gentoo, Fedora, and Red Hat deals with the Mozilla and OpenOffice threats.

John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.
