Adobe confirms 'leaky PDF' flaw, fix due on 14 May

Summary:Disable JavaScript in Adobe Reader if you're concerned with leaking your ISP, IP address and computing routine.

Adobe says it will fix a minor "leakage issue" affecting Adobe Reader and Acrobat which is being exploited by email marketers, but could also be used by an attacker to scope out a target before launching a more serious assault.

Researchers at Intel's security firm McAfee last week reported the discovery of a security and privacy issue affecting all versions of Reader after detecting a few suspicious PDF samples.

They found a problem in the way Reader handles certain calls to the JavaScript API which could allow an attacker to send an attack PDF and track who has opened the file.

McAfee said, although the security flaw was not deemed to be serious, it could be used as a reconnaissance tool in a targeted attack. For example, PDFs emailed to victims by an attacker could provide them with the target's IP address, ISP, or computing routine, according to the firm.

The target would need to open a specially-crafted PDF and click on a link within the document to be exposed, Adobe said.

"A user's IP address and timestamp could be exposed when opening a specially crafted PDF and then clicking a URL within that document," Adobe's product security incident response team said on Friday.

Since it's a "low severity" information leaked issue, it will be resolved during Adobe's scheduled update for Acrobat and Reader due on 14 May.

The PDF samples found by McAfee's researchers were being used by an email tracking service provider. McAfee advised users to disable JavaScript in Reader until Adobe made a patch available. 

Although the flaw is technically being used in the wild, it's less severe than the Reader flaws that attackers were exploiting ahead of an emergency patch in February, which could allow them to take over a target's Mac or Windows machine.

Topics: Security


Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, s... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.