Hacker exposes Linux/PDF flaw


Confidential vulnerability information managed by the CERT Co-ordination Centre has again been leaked to the public, following a flurry of such leaks in March.

The latest information concerns a flaw in PDF readers for Unix that could allow a remote attacker to trick users into running arbitrary shell commands on their own machines simply by clicking a hyperlink in a document, according to reports.

As with confidential CERT information that was leaked in March, the latest report was posted to a vulnerability discussion list by an individual using the name "hack4life".

The leaked information was taken from communication sent from CERT to software suppliers affected by the PDF problem, according to Jeffrey Carpenter, manager of the CERT Co-ordination Centre.

The information appears to be from a vulnerability report submitted to CERT by security researcher Martyn Gilmore.

In the report, Gilmore described a problem in the way that PDF viewing programs for the Unix platform process hyperlinks within valid PDF documents.

When a user clicks a hyperlink, common PDF readers launch the external program associated with it by building a command line and handing it to the Unix shell. For example, clicking on a hyperlink for a web page would launch the configured web browser with the link's address as its argument, according to the report.

However, Gilmore found that such programs do not properly check the hyperlink text before embedding it in that command line. Because the shell interprets characters such as semicolons and backquotes as command separators, a crafted link in an otherwise valid PDF document can cause arbitrary shell commands to be executed on the vulnerable machine.

While attackers are limited to the privilege level of the user who clicks the malicious link, the vulnerability could enable a remote attacker to use shell commands to delete files from the user's hard drive or perform other actions without the knowledge of the victim, the report said.
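The following is an added illustration of the pattern the report describes, not code from the article, from Gilmore's report or from any of the affected readers. It shows, in C, how a viewer that formats a hyperlink into a shell command line exposes itself to metacharacter injection, alongside a hardened launcher that validates the scheme and executes the browser directly without involving the shell. The URIs, the browser name and the function names are all constructed for the example; the vulnerable command is only built as a string and is never run.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed sample hyperlinks, as they might appear in a PDF /URI action.
 * In the malicious one everything after the ';' is shell syntax, not URL. */
static const char *MALICIOUS_URI = "http://example.com/;touch /tmp/pwned";
static const char *BENIGN_URI    = "http://example.com/doc.html";

/* Vulnerable pattern (assumed, modelled on the behaviour in the report):
 * the viewer interpolates the raw link into a command line destined for
 * /bin/sh via system(). This only returns the string; it never runs it.
 * Returns 1 if the command fitted in the buffer, 0 otherwise. */
int build_shell_command(const char *browser, const char *uri,
                        char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s %s &", browser, uri);
    return n >= 0 && (size_t)n < outlen;
}

/* Hardened step 1: accept only the schemes the viewer intends to support
 * and reject whitespace, control characters and shell metacharacters.
 * This is defence in depth; step 2 is what actually removes the shell. */
int uri_is_safe(const char *uri)
{
    static const char *schemes[] = { "http://", "https://", "ftp://", "mailto:" };
    static const char *meta = ";|&$`'\"\\<>(){}";
    size_t i;
    int scheme_ok = 0;

    for (i = 0; i < sizeof schemes / sizeof *schemes; i++) {
        if (strncmp(uri, schemes[i], strlen(schemes[i])) == 0) {
            scheme_ok = 1;
            break;
        }
    }
    if (!scheme_ok)
        return 0;

    for (; *uri; uri++) {
        unsigned char c = (unsigned char)*uri;
        if (c <= 0x20 || c >= 0x7f)   /* space, control or non-ASCII byte */
            return 0;
        if (strchr(meta, (int)c))     /* anything /bin/sh would interpret */
            return 0;
    }
    return 1;
}

/* Hardened step 2: never go through the shell. The URI is passed as one
 * argv element, so a ';' or backquote inside it is just part of a string.
 * Returns 0 if the child was started, -1 if the link was rejected or
 * fork() failed. */
int launch_browser_noshell(const char *browser, const char *uri)
{
    pid_t pid;

    if (!uri_is_safe(uri))
        return -1;

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)browser, (char *)uri, NULL };
        execvp(browser, argv);
        _exit(127);               /* only reached if exec failed */
    }
    return 0;                     /* parent does not wait; browser runs on */
}

int main(void)
{
    char cmd[256];

    /* What the vulnerable reader would hand to /bin/sh for the crafted link. */
    build_shell_command("netscape", MALICIOUS_URI, cmd, sizeof cmd);
    printf("vulnerable viewer would run: sh -c \"%s\"\n", cmd);

    printf("malicious link accepted by hardened check: %d\n",
           uri_is_safe(MALICIOUS_URI));
    printf("benign link accepted by hardened check:    %d\n",
           uri_is_safe(BENIGN_URI));
    return 0;
}
```

The allowlist alone is brittle (it rejects some legitimate URLs and would need revisiting whenever the shell's quoting rules are considered), which is why the decisive fix is `launch_browser_noshell`: with `execvp` and a separate argv entry there is no shell to interpret the link, whatever it contains.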

Adobe Systems' Acrobat Reader 5.06 and the open-source reader Xpdf 1.01 are both affected by the problem.

The vulnerability information was scheduled to be released by CERT on 23 June.

In March, someone using the same name posted information on four vulnerabilities that CERT was investigating to the vulnerability discussion list Full-Disclosure.

Those posts included sensitive information on a vulnerability in the Kerberos Version 4 protocol and a problem reported by Microsoft regarding spammers' abuse of web redirectors, which forward users of web portals such as MSN to IP addresses close to their geographic location.

At the time, CERT officials cast doubt on hack4life's assertion that the reports were hacked, saying that the information was most likely leaked by a member of one of the development teams CERT works with to evaluate vulnerabilities.

The latest incident reaffirms CERT's belief that the problem lies with its suppliers rather than with its own systems, Carpenter said. While CERT does not yet know which supplier is responsible for the leak, the organisation is confident that an insider threat or compromise at one of the companies it deals with is responsible for the leaks.

CERT is communicating with suppliers about the problem, but Carpenter would not comment on whether CERT is working with law enforcement to catch the person responsible for the leaks.

Paul Roberts writes for IDG News Service
