At the beginning of the new year, I am surprised by the disclosure of multiple vulnerabilities in the Adobe Acrobat Reader Plugin.
These vulnerabilities can cause the following:
- Universal CSRF / session riding (tested on Mozilla Firefox, Internet Explorer, Opera + Acrobat Reader plugin)
- UXSS in #FDF, #XML and #XFDF (tested on Mozilla Firefox + Acrobat Reader plugin)
- Possible Remote Code Execution (tested on Mozilla Firefox + Acrobat Reader plugin)
- Denial of Service (tested on Internet Explorer + Acrobat Reader plugin)
Here are several resources if you want to know more about this:
- Stefano Di Paola's posting, which started it all
- PDF= Potential Death File?
- Acrobat Reader suffers major XSS flaw
- DANGER, DANGER, DANGER
- UXSS Day One Wrapup
- Universal PDF XSS After Party
- PDF XSS Can Compromise Your Machine
- Hacking with Browser Plugins