PDF files can be as rich in interactivity as web pages. For example, a well-designed PDF ebook allows you to click from the table of contents to the page you want, or it can be used to open a website. Unfortunately, interactivity has a price: it can also be used to attack your system.
"Mailto:" Can Receive Too: How About Some Malware?
A "Mailto:" link in a PDF page is supposed to launch your system's default email client, but UK-based Web vulnerability expert Petko Petkov, who blogs at gnucitizen.org as 'PDP', recently discovered a big flaw in the combination of Abobe Acrobat or Adobe Reader (8.1 and all earlier versions) and Internet Explorer 7 on Windows XP. With this combination, a "Mailto: link can actually be used to download and install malware. According to Petkov, you don't even need to click on a Mailto: link in an affected document to be infected.
PDF Vulnerability Hits a Popular Combination
How big a deal is this? Think about how often you open a PDF file from the web or in email: for some of us, it's probably several times a day. Combine that with the widespread use of IE7 on Windows XP (this time, Windows Vista users ducked the bullet), and it's a very big, very bad deal for PC users in home and at the office.
Most of us don't think about PDF being anything other than a convenient way to send images or documents, but this vulnerability reminds us that any file format with interactive features is a two-edged sword.
Adobe has rolled out a two-stage response to this vulnerability. Right now, the company is recommending a change to the Registry to disable Mailto:. The Adobe advisory specifically details changes only only for Windows XP systems running Acrobat and Reader versions 8.1, although all previous versions are also affected. Adobe expects to have patches available by the end of October.
The Blame Game, Again - But Microsoft Fesses Up
Whose fault is this particular vulnerability? Abobe's? Microsoft's? After some initial fingerpointing, Microsoft has now admitted that IE7 in both Windows XP and Windows Server 2003 has a problem handling threats concealed in URLs and URIs such as "mailto:" A security update is coming, but isn't available yet. Keep your eye on Knowledge Base article 943521 for updates.
It's interesting that the problem is not IE7 per se, but the combination of IE7 with Windows XP or Windows Server 2003. It's clear that something went wrong when IE7 was ported from Windows Vista to Windows XP/Server 2003 (if you're still using IE 6, you're safe from this threat).
If you're accustomed to mindlessly opening PDF files whatever their source, stop and think. If you get an unsolicited PDF in your email, or you're asked to click a link in a PDF or open an attachment by an unfamiliar source - don't do it. If you use IE7 with Windows XP and either Adobe product, make the registry change - today. Grab the Abobe and Microsoft IE 7 patches as soon as they're posted. And, as always, think before you click.