Posted by MikeC/NY on 1/4/07 6:53pm Msg #169221
Heads up on PDF files
Just saw this news item today from AP. It's unlikely to be an issue with PDFs you access for loan docs, but if you spend any time surfing the Web you may run into this. The problem is not with Reader, it's with web browsers that allow you to open a PDF within the browser.
Best advice - if you use IE, upgrade to IE 7; if you use Firefox, disable the Adobe plugin and force all PDFs to open in Reader rather than in the web browser. If anyone needs help configuring Firefox properly, give me a shout - the configuration option is not immediately obvious. I know there's a way to disable the plugin in IE 6, but I'm not sure exactly how to do it because I rarely use IE.
************************
Researchers: Adobe's PDF Software Flawed
Jan 3, 11:49 PM (ET)
By JORDAN ROBERTSON
SAN FRANCISCO (AP) - Computer security researchers said Wednesday they have discovered a vulnerability in Adobe Systems Inc. (ADBE)'s ubiquitous Acrobat Reader software that allows cyber-intruders to attack personal computers through trusted Web links.
Virtually any Web site hosting Portable Document Format, or PDF, files is vulnerable to attack, according to researchers from Symantec Corp. (SYMC) and VeriSign Inc.'s iDefense Intelligence.
The attacks could range from stealing cookies that track a user's Web browsing history to the creation of harmful worms, the researchers said.
The flaw, first revealed at a hacker conference in Germany over the holidays, exists in a plug-in that enables Acrobat users to view PDF files within Web browsers.
By manipulating the Web links to those documents, hackers and online thieves are able to commandeer the Acrobat software and run malicious code when users attempt to open the files, according to Ken Dunham, director of the rapid response team at VeriSign's iDefense Intelligence.
Dunham gave this hypothetical scenario: an attacker finds a PDF file on a banking Web site. The attacker creates a hostile Web site that links to the bank's PDF file. Included is malicious JavaScript code that will run on the unsuspecting user's computer once the link is clicked.
"PDF is trusted and tried and true - everyone uses it," Dunham said. "But instead of just viewing the file, you've initiated script that shouldn't be executed. All you have to do is click on the PDF and the ball starts rolling."
Representatives from Adobe did not return a call from The Associated Press on Wednesday night.
The flaw appears to target Microsoft Corp. (MSFT)'s Internet Explorer 6.0 Web browser and earlier versions, and Mozilla's Firefox browser, the researchers said.
They recommended that users protect themselves by upgrading Internet Explorer or changing Firefox's user options so the browser does not use the Acrobat plug-in.
Researchers said it's unclear how pervasive or harmful any future attacks might be.
"Given that it is easy to exploit, I would expect that we will see this method used considerably in the coming days and weeks, until it is resolved," a Symantec researcher said in a posting on a company Web log.
|
Reply by Glenn Strickler on 1/4/07 7:27pm Msg #169225
Thanks for the info ...
Years ago, I was advised by a person who works for Norton to download PDFs to the desktop, then open them with the reader when you are not connected to the internet. I never thought too much about it and frequently let them open in the browser. Your post was a reminder that I need to go back to doing that. Unfortunately there are millions of hacks trying to break into computers worldwide. Problems will never go away ..
|
Reply by Susan Fischer on 1/4/07 8:18pm Msg #169251
Low Tech Q: When I open a PDF file in an email in my
Inbox, I'm not in my browser, correct?
|
Reply by MikeC/NY on 1/4/07 8:38pm Msg #169261
Re: Low Tech Q: When I open a PDF file in an email in my
Correct - according to what I've read the problem only occurs when you're in your web browser; emailed attachments are not at risk. For now, the best advice is to either download the PDF to your desktop or configure your browser to launch Reader to open the file.
|
Reply by Susan Fischer on 1/4/07 10:57pm Msg #169297
Thanks, Mike. n/m
|
Reply by Glenn Strickler on 1/5/07 12:38am Msg #169312
But if you are using a web based email such as Yahoo
Gmail and open the attachment, the browser is open. Adobe needs to be used as a stand alone program, not a plug in, right?
|
Reply by MikeC/NY on 1/5/07 8:11am Msg #169338
Re: But if you are using a web based email such as Yahoo
You're right - I wasn't thinking of web-based email. Thanks for the catch.
|
Reply by MikeC/NY on 1/4/07 8:27pm Msg #169253
Re: Thanks for the info ...
I've always thought that if the folks doing the hacking would turn their time and talents to creating or fixing software instead of exploiting the flaws, we'd have better software at lower prices. Ain't gonna happen anytime soon, unfortunately...
|
Reply by ZeeCA on 1/4/07 9:07pm Msg #169270
Re: Thanks for the info ...
they create the prob and then a lot of em are hired guns to "fix the prob" no win situation... they do this w/ spam to get around spam blockers then design the new and improved.....
|
Reply by Genkichan on 1/4/07 8:29pm Msg #169255
I ran into this a couple days ago...I opened a pdf from a lender's website and tried to print the pdf directly. Caused all sorts of slowdowns and delays in printing. I then saved the pdf to my desktop, and re-opened the doc. Printed just fine at that point...
|
Reply by ZeeCA on 1/4/07 9:13pm Msg #169274
but....
how do you open it and save to desktop when to get it you have to click on the icon? or is it if you just print from the site?
low tech here tia
|
Reply by Ndwa on 1/4/07 9:18pm Msg #169276
Re: but....
You can right click on the link and save as a target instead of opening the file directly.
|
Reply by ZeeCA on 1/4/07 9:29pm Msg #169277
Re: but.... THX! n/m
|
Reply by BrendaTx on 1/4/07 9:39pm Msg #169279
Re: Heads up on PDF files - thanks Mike! n/m
|