CERT and Adobe plug PDF reader vulnerability

The CERT Co-ordination Centre has issued a vulnerability notice for a problem affecting Portable Document Format (PDF) readers for the Unix and Linux platforms, less than a week after the information was leaked to the internet.

The CERT vulnerability note, VU#200132, describes a problem with the way some Unix PDF reader programs handle hyperlinks embedded within PDF documents.

In retrieving the content pointed to by those links, some PDF readers launch external programs by invoking the Unix shell command interpreter.

In some cases, an attacker could use malicious instructions embedded in the hyperlink to compromise the victim's computer, CERT said.
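The difference between passing a link through the shell and handing it straight to a helper program can be seen in a short sketch. This is an added example, not code from CERT, Adobe or Xpdf; the function names, the sample link and the use of `echo` as a stand-in for the external helper are assumptions.

```python
import subprocess
from urllib.parse import urlsplit

# Constructed sample link: the text after ';' is a harmless marker command.
SAMPLE_LINK = "http://example.invalid/a.pdf; echo INJECTED"

ALLOWED_SCHEMES = {"http", "https"}  # assumed policy for links in a document


def is_acceptable_link(url):
    """Allow-list check applied before any helper program is started."""
    # Whitespace and control characters never appear raw in a well-formed URL.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    parts = urlsplit(url)
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def open_via_shell(url, helper="echo"):
    """Flawed pattern: the link is pasted into a command line that the
    shell parses, so ';' in the link ends one command and starts another."""
    done = subprocess.run(helper + " " + url, shell=True,
                          capture_output=True, text=True)
    return done.stdout.splitlines()


def open_via_argv(url, helper="echo"):
    """Shell-free pattern: the helper is executed directly and receives
    the whole link as a single argument, whatever characters it holds."""
    done = subprocess.run([helper, url], capture_output=True, text=True)
    return done.stdout.splitlines()


def open_link(url, helper="echo"):
    """Hardened entry point: validate first, then launch without a shell."""
    if not is_acceptable_link(url):
        raise ValueError("link rejected: %r" % url)
    return open_via_argv(url, helper)


if __name__ == "__main__":
    print("via shell:", open_via_shell(SAMPLE_LINK))  # two commands ran
    print("via argv :", open_via_argv(SAMPLE_LINK))   # one argument, one command
    print("accepted :", is_acceptable_link(SAMPLE_LINK))
```

Launching the helper without a shell removes the parsing step that makes the flaw possible; the allow-list check is a second layer that also rejects schemes the reader has no reason to follow.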

On 13 June, an individual using the name "hack4life" posted leaked information on the same vulnerability to the online discussion list Full-Disclosure.

The information was taken from a communication sent from CERT to software suppliers affected by the PDF problem, according to CERT.

In an e-mail, hack4life said that the intercepted communication indicated that CERT was planning to release the vulnerability note on Monday 23 June.

With the unauthorised release of information on the PDF reader flaw, however, CERT brought forward publication of the vulnerability notice, according to Shawn Hernan, a member of the CERT technical team.

"We certainly aren't going to pretend that the information isn't public," Hernan said.

CERT's list of affected software suppliers includes companies that make PDF readers for Unix as well as software manufacturers who bundle PDF reader technology with their own products, he said.

Most of those suppliers have not indicated to CERT whether their products are vulnerable. However, leading makers of PDF readers have responded.

Adobe Systems issued a statement to CERT noting the availability of an updated version of its Acrobat Reader software for the Linux, Solaris, HP/UX and AIX operating systems that addresses the security hole.

The Xpdf project, an open source group that manages the Xpdf reader, also issued a statement to CERT, with a link to a patch for that product.

Hernan said that CERT was confident that the information was being leaked from one of the software suppliers with which it shares confidential vulnerability data prior to making an announcement, rather than from within CERT.

The leak could come from an insider on a development team that is privy to the information, or from a hacker who has compromised the security of the supplier's network, Hernan said.

Paul Roberts writes for IDG News Service
