Adobe confirms 'leaky PDF' flaw, fix due on 14 May

Disable JavaScript in Adobe Reader if you're concerned with leaking your ISP, IP address and computing routine.
Written by Liam Tung, Contributing Writer

Adobe says it will fix a minor "leakage issue" affecting Adobe Reader and Acrobat which is being exploited by email marketers, but could also be used by an attacker to scope out a target before launching a more serious assault.

Researchers at Intel's security firm McAfee last week reported the discovery of a security and privacy issue affecting all versions of Reader after detecting a few suspicious PDF samples.

They found a problem in the way Reader handles certain calls to the JavaScript API which could allow an attacker to send an attack PDF and track who has opened the file.

McAfee said, although the security flaw was not deemed to be serious, it could be used as a reconnaissance tool in a targeted attack. For example, PDFs emailed to victims by an attacker could provide them with the target's IP address, ISP, or computing routine, according to the firm.

The target would need to open a specially-crafted PDF and click on a link within the document to be exposed, Adobe said.

"A user's IP address and timestamp could be exposed when opening a specially crafted PDF and then clicking a URL within that document," Adobe's product security incident response team said on Friday.

Since it's a "low severity" information leaked issue, it will be resolved during Adobe's scheduled update for Acrobat and Reader due on 14 May.

The PDF samples found by McAfee's researchers were being used by an email tracking service provider. McAfee advised users to disable JavaScript in Reader until Adobe made a patch available. 

Although the flaw is technically being used in the wild, it's less severe than the Reader flaws that attackers were exploiting ahead of an emergency patch in February, which could allow them to take over a target's Mac or Windows machine.

Editorial standards