Opinion: Recent reports of PDF vulnerabilities to hackers are very real, but patching the problem is simple.

News of online PDFs' vulnerability to so-called Universal Cross-Site Scripting (UXSS) attacks via Explorer, Firefox, and Opera should be taken seriously, and IT folks would do well to heed Adobe's advice on protecting their desktop PCs and servers.
Left unaddressed, this vulnerability gives hackers the ability to piggyback on any legitimate PDF to access a person's hard drive, or steal cookies in order to obtain sensitive information from otherwise secure sites (like, say, your bank).
Adobe ranks this vulnerability as "Important," one degree shy of "Critical," reserved for problems that expose a user to malicious activity "potentially without a user being aware."
That's the bad news.
The good news? Upgrading to Reader 8 will solve the problem. Those who can't upgrade can instead download a Reader 7 incremental patch.
Another way to avoid hacker action is to do what I do anyway, which is view downloaded PDFs in something other than your browser. On the PC, I typically choose Acrobat Reader, and on Mac OS I use the built-in Preview utility or Reader for heavy-duty research.
I do this because I find it much easier to move through PDFs, especially lengthy ones, in these utilities. There's also the old-habits-die-hard factor: Back in the days when PDF and the Web were relatively new technologies and download (and processing) speeds were turtle-slow, opening and paging through a document in one's browser could be an all-afternoon affair, especially when a thoughtless PDF author loaded it with fat, print-sized graphics.
So, while the solution is pretty easy for people with half a brain (or IT watchdogs keeping tabs on security issues on behalf of those who don't), this problem's a doozy for Adobe's PR department.
Unlike Microsoft and other vendors whose software took root in the enterprise environment back when Adobe was a lil-ol' graphics software company, Adobe's come through the hacker wars mostly unscathed, if you don't count the e-book thing.
Sure, there have been other less-severe vulnerabilities exposed and patched over the last few years, but none garnered sky-is-falling statements such as "the ease in which this weakness can be exploited is breathtaking" on the Symantec Security Response Weblog. That doesn't help Adobe among enterprise software buyers.
While the drama might be a little overstated there, it does go to show that the more trust Acrobat and PDF earn for their typically strong security, the more enticing a target they become to bad actors out there in the hacker-sphere.
Deep in the bowels of Microsoft's security enclave, someone's probably already said what we're all thinking: Welcome to our world, Adobe.