In association with heise online

23 October 2007, 13:30

Adobe and Netscape patch URI vulnerability


As previously announced, Adobe has released version 8.1.1 of Adobe Reader and Acrobat, in which the handling of URIs and URLs in PDF documents has been revised. Before this release, applications installed on a system could be launched with arbitrary parameters when manipulated documents were opened. Attackers may thereby gain control of a computer when a victim opens a PDF file hosted on a Web server or sent by e-mail. For the attack to succeed, users do not even need to click on a link in the document: the PDF can launch the URL itself when loaded, because it uses ActionScript.

Updates for Adobe Reader 7.0.9 and Acrobat 7.0.9 are expected to be released later. Adobe recommends that users who cannot switch to version 8.1.1 disable the handling of the mailto URI in the Windows registry. Users can find instructions for this process in Adobe's security advisory. The problem is not, however, limited to mailto URIs; indeed, a URL of the form http:%xx../../../../../../../../../windows/system32/calc.exe".cmd can launch the Windows calculator.
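As an added example (not code from the article, from Adobe or from AOL), the following Python pulls the URI action strings out of a PDF and flags the traits of the URL shape quoted above: a percent-encoded byte directly after the scheme, directory traversal, an executable extension and an embedded quote. The PDF fragments are constructed for this example, and the regex assumes the simplified dictionary order /S /URI /URI (...) with literal (not hex) strings.

```python
import re

# Constructed PDF fragments (not real malware): one ordinary link, one URI
# in the shape the article describes, and one mailto link.
SAMPLE_PDF = b"""
1 0 obj << /Type /Action /S /URI /URI (http://www.h-online.com/) >> endobj
2 0 obj << /Type /Action /S /URI /URI (http:%xx../../../../../../../../../windows/system32/calc.exe".cmd) >> endobj
3 0 obj << /Type /Action /S /URI /URI (mailto:someone@example.com) >> endobj
"""

# Simplified: assumes /S /URI precedes /URI and that the string is a literal (...).
URI_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\((.*?)\)", re.DOTALL)
TRAVERSAL_RE = re.compile(rb"\.\./")
# Extension must not be followed by a word character or '/', so host names
# such as h-online.com/ are not mistaken for an executable.
EXEC_EXT_RE = re.compile(rb"\.(exe|cmd|bat|scr|pif)(?![\w/])", re.IGNORECASE)


def extract_uris(pdf_bytes):
    """Return every URI string found in a /URI action dictionary."""
    return [m.group(1) for m in URI_RE.finditer(pdf_bytes)]


def classify_uri(uri):
    """Return a list of reasons the URI looks like the shape described in the article."""
    reasons = []
    scheme, sep, rest = uri.partition(b":")
    if not sep:
        reasons.append("no scheme")
    if rest.startswith(b"%"):
        reasons.append("percent-encoded byte directly after scheme")
    if TRAVERSAL_RE.search(uri):
        reasons.append("directory traversal")
    if EXEC_EXT_RE.search(uri):
        reasons.append("executable extension")
    if b'"' in uri:
        reasons.append("embedded quote")
    if scheme.lower() == b"mailto":
        # Not malicious by itself; the advisory's workaround for 7.x disables this handler.
        reasons.append("mailto handler")
    return reasons


def scan(pdf_bytes):
    """Pair each extracted URI with its list of reasons (empty list = nothing flagged)."""
    return [(uri, classify_uri(uri)) for uri in extract_uris(pdf_bytes)]


if __name__ == "__main__":
    for uri, reasons in scan(SAMPLE_PDF):
        print(uri.decode("latin-1"), "->", reasons or "clean")
```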

AOL has also reacted, and released version 9.0.0.1 of the Netscape Web browser to patch the URI vulnerability in addition to a number of other flaws. The Netscape browser thus now provides the same security as the current version of Firefox 2.0.0.8.

Of the applications known to be vulnerable, only the Miranda Instant Messenger is still affected. However, the update planned for November's Patch Tuesday for Windows is expected to at least reduce the severity of the problem for Miranda and other applications.

(mba)

Permalink: http://h-online.com/-733830