Adobe Reader flaw lets others spy on your reading habits

A flaw in Adobe's Reader software may present a potential privacy issue as it can reveal where and when it was used to open a PDF file, a security vendor has warned.

 

In a blog post, McAfee said the flaw may allow an attack that can potentially collect sensitive information from a targeted user.

 

"Malicious senders could exploit this vulnerability to collect sensitive information such as IP address, Internet service provider, or even the victim’s computing routine. In addition, our analysis suggests that more information could be collected by calling various PDF JavaScript APIs," it said.

 

McAfee also said it has detected some PDF samples in the wild that are already exploiting this issue.

 

It said its investigation shows the samples were made and delivered by an “email tracking service” provider.

 

"We don’t know whether the issue has been abused for illegal or APT attacks," it said.

 

McAfee said the problem was traced to an unpatched security issue in Adobe Reader, including the latest “sandboxed” Reader XI (11.0.2).

 

"Although the issue is not a serious problem (such as allowing code execution), it does let people track the usage of a PDF. Specifically, it allows the sender to see when and where the PDF is opened," it said.

 

McAfee also said that while the problem does not seem serious at first glance, it may be considered a security vulnerability.

 

It said it has reported the issue to Adobe and is waiting for confirmation and a future patch.

 

For now, it is hiding key details of the vulnerability to protect Reader users. — TJD, GMA News