A program used to view .pdf files on many Linux-based networks contains a vulnerability attackers could exploit to launch malicious code, two security firms said Wednesday. A patch is available to fix the problem.
The open-source file viewer, known as xpdf, suffers from a buffer overflow vulnerability an attacker could exploit remotely to launch code, Reston, Va.-based iDefense said in anadvisory.
"[The viewer] is frequently deployed on Linux desktops, such as the Debian Project's GNU/Linux environment," Adam Greene, senior security engineer for iDefense Labs, said by e-mail. "Thus, if a particular enterprise environment leans heavily towards Linux, this very likely could be the .pdf reader of choice, although Adobe Systems Inc.'s freely available Acrobat Reader is also available for Linux."
Because it is generally considered a safe format, many users open .pdf files from any source, said Thomas Kristensen, chief technology officer of Danish security firm Secunia. "This makes it more important for system administrators to update xpdf," he said by e-mail. Secunia labeled the security hole "highly critical" in its advisory.
What's the problem and who is affected?
According to iDefense, "the vulnerability specifically exists due to insufficient bounds checking while processing a .pdf file that provides malicious values in the /Encrypt /Length tag. The offending code can be found in the Decrypt::makeFileKey2 function in the source file xpdf/Decrypt.cc."
iDefense confirmed the vulnerability in version 3.00 of xpdf, and said previous versions may also be at risk. Linux vendors who may be affected by the vulnerability include:
- Novell Inc. (SUSE);
- Red Hat Inc.;
- The Fedora Project;
- The Debian Project;
- Gentoo Foundation Inc.;
- The FreeBSD Project; and
"Deploying a patched xpdf version on all affected desktops would be the best manner in which to thwart exploitation," Greene said. "Other measures can be taken as well. IT administrators should regularly educate its users about these kinds of threats, which do require user interaction. Urge them to not view .pdf files attached to unsolicited e-mails or found in untrusted Web sites."
As serious as it sounds, Greene said there is a bright side. "Considering that social engineering is necessary for exploitation to occur, it is unlikely that this vulnerability will be widely exploited," he said.