The CERT Co-ordination Centre has issued a vulnerability
notice for a problem affecting Portable Document Format (PDF)
readers for the Unix and Linux platforms, less than a week after
the information was leaked to the internet.The CERT vulnerability note,
VU#200132,
describes a problem with the way some Unix PDF reader programs
handle hyperlinks embedded within PDF documents.
In retrieving the content pointed to by those
links, some PDF readers launch external programs by invoking the
Unix shell command interpreter.
In some cases, an attacker could use malicious
instructions embedded in the hyperlink to compromise the victim's
computer, CERT said.
On 13 June, an individual using the name
"hack4life" posted leaked information on the same vulnerability to
the online discussion list Full-Disclosure.
The information was taken from a communication
sent from CERT to software suppliers affected by the PDF problem,
according to CERT.
In an e-mail, hack4life said that the
intercepted communication indicated that CERT was planning to
release the vulnerability note on Monday 23 June.
With the unauthorised release of information
on the PDF reader flaw, however, CERT brought forward publication
of the vulnerability notice, according to Shawn Hernan, a member of
the CERT technical team.
"We certainly aren't going to pretend that the
information isn't public," Hernan said.
CERT's list of affected software suppliers
includes companies that make PDF readers for Unix as well as
software manufacturers who bundle PDF reader technology with their
own products, he said.
Most of those suppliers have not indicated to
CERT whether their products are vulnerable. However, leading makers
of PDF readers have responded.
Adobe Systems issued a statement to CERT
noting the availability of an updated version of its Acrobat Reader
software for the Linux, Solaris, HP/UX and AIX operating systems
that addresses the security hole.
The Xpdf project, an open source group that
manages the Xpdf reader issued a statement to CERT, as well, with a
link to a patch for that product.
Hernan said that CERT was confident that the
information was being leaked from one of the software suppliers
with which it shares confidential vulnerability data prior to
making an announcement, rather than from within CERT.
The leak could come from an insider on a
development team that is privy to the information, or from a hacker
who has compromised the security of the supplier's network, Hernan
said.
Paul Robertswrites for IDG News Service