![who stole my acrobat pdf browser plugin who stole my acrobat pdf browser plugin](https://uploads-ssl.webflow.com/5f948e704a362b76174c0c47/5f948e704a362b57994c0fe2_CommentsCheckmarkTools1.png)
Restart IIS for the changes to take effectĭo note that this is not a foolproof solution, but changing the HTTP response headers will go a long way toward reducing the risk to users of your site.In the Custom-header value field, enter attachment In the Custom-header name field enter Content-disposition. In the Custom HTTP Headers section, click Add.In the IIS Management tool (not in Windows Explorer), select a directory with PDF content or an individual PDF file.Change this to application/octet-streamĪdd the Content-Disposition header (this needs to be done on each directory or for each PDF file individually): Right click on the Services and Applications > Internet Information Services (IIS Manager).Header add Content-Disposition "attachment"Ĭhange the MIME type to " application/octet-stream": To do that, we simply need to change MIME type for PDF files and add a custom header to force the download. The most obvious way to fix this problem is to always get the user to download the file instead of opening it in the plugin.
WHO STOLE MY ACROBAT PDF BROWSER PLUGIN CODE
The core of the issue lies with the opening of the PDF in the Acrobat Reader's browser plugin The plugin offers an ill-conceived "feature" that launches custom JavaScript code that is passed via the URL. Source code and binaries (for the lazy) are provided above.
![who stole my acrobat pdf browser plugin who stole my acrobat pdf browser plugin](https://i.ytimg.com/vi/gTXSX-wqPaM/maxresdefault.jpg)
The following article describes the fix which I've implemented. As a webmaster myself, I was tasked to fix this up on my company websites. Unfortunately, we all know that much time (years maybe?) is required for these updates to propagate to the masses, hence it is still crucial for webmasters to put up some form of defence from the server side. Not long after the story broke, Adobe and the popular browser makers have issued fixes/updates for their software. This vulnerability has been much talked about and there are plenty of resources online that you can look for if you want the details on how it works and what kind of damage it can bring. By adding JavaScript commands to parameters in the URL, attackers can steal cookies and sensitive data, change the appearance or behavior of the site, and redirect users off-site in phishing attacks. Being free and de facto, the PDF reader coupled with the abundance of pdfs online, this vulnerability has the potential to wreck havoc in a big way.Įssentially, the vulnerability provides yet another way for an attacker to execute JavaScript in another user's browser when the user follows a specially crafted URL to a PDF file.
WHO STOLE MY ACROBAT PDF BROWSER PLUGIN SOFTWARE
Early this year, two guys broke the news of a critical XSS vulnerability found in the popular software Adobe Acrobat Reader.