Adobe is planning to patch a fairly low severity security vulnerability in all of the current versions of Reader and Acrobat that could enable an attacker to track which users have opened a certain PDF document. The vulnerability can’t be used for code execution, but researchers say it could be used as part of a larger attack.
The vulnerability was discovered and disclosed in late April by researchers at McAfee, who had been watching the behavior of some odd PDF samples in recent weeks. They noticed that all of the samples had a similar, weird characteristic, leading them to investigate and discover the vulnerability.
“Recently, we detected some unusual PDF samples. After some investigation, we successfully identified that the samples are exploiting an unpatched security issue in every version of Adobe Reader including the latest ‘sandboxed’ Reader XI (11.0.2). Although the issue is not a serious problem (such as allowing code execution), it does let people track the usage of a PDF. Specifically, it allows the sender to see when and where the PDF is opened,” Haifei Li of McAfee wrote.
“When a specific PDF JavaScript API is called with the first parameter having a UNC-located resource, Adobe Reader will access that UNC resource. However, this action is normally blocked and creates a warning dialog asking for permission…The danger is that if the second parameter is provided with a special value, it changes the API’s behavior. In this situation, if the UNC resource exists, we see the warning dialog. However, if the UNC resource does not exist, the warning dialog will not appear even though the TCP traffic has already gone.”
Adobe on Thursday acknowledged the issue and said that it will patch the vulnerability in its next scheduled Reader update on May 14. Although neither McAfee nor Adobe consider the vulnerability to be serious, Li said that it could be used as one piece of a larger attack, as a method of gathering some intelligence on a target.
“Malicious senders could exploit this vulnerability to collect sensitive information such as IP address, Internet service provider, or even the victim’s computing routine. In addition, our analysis suggests that more information could be collected by calling various PDF JavaScript APIs. For example, the document’s location on the system could be obtained by calling the JavaScript “this.path” value,” Li wrote.