Warning: XSS attack in PDF URLs

Just heard this through the OWASP mailing list, and it’s a dandy:

I wanted to give everyone all a heads-up on a very serious new application security vulnerability that probably affects you. Basically, any application that serves PDF files is likely to be vulnerable to XSS attacks.

Attackers simply have to add an anchor containing a script, e.g. add #blah=javascript:alert(document.cookie); to ANY URL that ends in .pdf (or streams a PDF). The browser hands off the anchor to the Adobe reader plugin, and the script then runs in the victim’s browser.

You can find more information here: http://www.gnucitizen.org/blog/universal-pdf-xss-after-party/

You can protect yourself by upgrading your browser and Adobe Reader. There are many vulnerable browser/plugin combinations in use, including Firefox. However, IE7 and IE6 SP2 do not appear vulnerable.

Protecting the users of your application from attack is more difficult. This problem is entirely in the browser and the Adobe reader. The anchor is not even passed from the browser to the web application, so there’s really not much you can do in your code to detect an attack. You could stop serving PDF documents or move them to a different server, but that’s not realistic for many organizations.

Jeff Williams, Chair, The OWASP Foundation

Now, a couple of thoughts come to mind:
  1. First and foremost, if your application serves PDFs, make sure your clients know to upgrade to the latest Acrobat version, since that seems (based on how I read the above) to be protected against the XSS attak; if it’s not, though, Adobe will fix it soon (I would hope, anyway), and thus you’ll be back to making sure your clients know to upgrade to the latest Acrobat version.
  2. Secondly, this is technology-agnostic, so regardless of your platform (Java, .NET or Rails), you’re vulnerable. (Such is always the case with XSS attacks.)
  3. How many developers will actually take steps to try and prevent it (such as, for example, ensuring that PDF URLS received aren’t trailing any fragments before sending the URL request on for Adobe to process)?
  4. How long before somebody figures out a way to make this all Microsoft’s fault? Will this gather any press coverage, and if it does, will they note that IE 6 SP2 and IE 7 don’t seem to be affected by the attack? Will Slashdot even bother with a footnote? (My best guess would be, 1 week, yes, no, and no, respectively.)