Stephen Withers
Thursday, 17 December 2009 03:44
Adobe has confirmed the existence of a critical vulnerability in Adobe Reader and Adobe Acrobat, and plans to release an update by the middle of January 2010.
Reports of a new 0-day vulnerability in Adobe Acrobat and Adobe Reader surfaced in the last several days, and Adobe has now confirmed its existence.
Adobe has determined that the vulnerability can cause a crash and has the potential to allow an attacker to take control of the affected system. It appears that all versions of the programs are vulnerable, regardless of operating system.
The company says it plans to release patches for the two programs by January 12, 2010.
In the meantime, Adobe has described a mitigation technique that is more fine-grained than disabling JavaScript completely.
The JavaScript Blacklist Framework that's part of Acrobat and Reader can be used to prevent the use of the specific JavaScript function (Doc.Media.newPlayer) that is vulnerable.
Instructions for blacklisting this function are contained in an Adobe tech note.
Since full details of the vulnerability - including exploit code - are now publicly available, it seems sensible to follow Adobe's advice and either use the blacklist feature or disable JavaScript completely.