Showing posts with label IT Security. Show all posts

Thursday, January 04, 2007

IT Security Alert: Now PDFs Pose a Threat!

Update: According to IT security types, certain versions of Internet Explorer are also vulnerable. They include:

  • IE6, Adobe Reader 7 on XP SP1
  • IE6, Adobe Reader 4 on XP SP2

I just received a very alarming alert from my daughter who works in IT security. According to a couple of posts that she forwarded to me, the long-trusted PDF document format can now be exploited for cross-site scripting purposes, meaning that any web site hosting PDF files can be used for perpetrating cyber attacks.

According to this CBC News article, which cites research from Symantec and VeriSign, virtually any website hosting PDF files is vulnerable to attack. The outcomes could range from covert spying on surfers to the creation and spread of dangerous worms.

The intrusion is accomplished through Javascripted links to PDF documents, which could also be sent by email. They take advantage of a vulnerability in the Acrobat Reader to run malicious code when users attempt to open the linked file. The technique appears, for once, to target Firefox rather than IE.

This article from Symantec describes the exploit in more detail and outlines ways to protect yourself, including upgrading to Acrobat Reader 8.0 or disabling the plug-in entirely. Don't miss it!

Thursday, November 02, 2006

Taking Your Password to the Grave

My daughter works in IT security, and every now and then she forwards me an interesting link on some security-related topic. Most go right over my head — they abound in techspeak or are outside my realm of interest or expertise. A recent article she sent me, though, certainly got my attention. In Taking Passwords to the Grave, News.com's staff writer Elinor Mills probes the implications of failing to ensure that your loved ones have access to online passwords and other important digital identifying information.

When people fail to leave such information behind, family members are increasingly unable to access important data and, in some cases, to attend to estate business. Even notifying a loved one's email contacts can become problematic, since e-mail providers and other companies may be reluctant to give out such information, for privacy reasons. Mills recommends avoiding this problem by ensuring that passwords to e-mail, photo sharing, music sites and other online accounts are recorded safely somewhere, preferably in an estate planning document.

She cites the case of William Talcott, a prominent Irish/American poet, whose estate was paralyzed after he died because his daughter could not access his email account or online address book.

I had certainly never thought about this! Like many people, I derive income from the Web and do my banking and investing online. I have numerous passwords stored in my head (scary thought!), along with multiple email logins. Ditto with access to all the various sites where I shop, download software, upload images for sale, register web domains, post blog entries, and on and on. There are dozens of them, and I have not recorded this information anywhere. If I passed away tomorrow, my daughter would have her hands full sorting out my online life. She'd have to close accounts, cancel domains, cash in accrued revenue, pay outstanding fees, and on and on. Then there are decisions about intellectual property, such as all the photos and fractals I have uploaded to Flickr and elsewhere. Just thinking about it makes me tired.

This sobering article is worth a look, calling attention to a little loose end that many of us hadn't thought about.