Another Adobe Reader vulnerability surfaces

Stephen Withers
Thursday, 30 April 2009 05:06

Business IT - Technology

All current versions of Adobe Reader and Acrobat contain a flaw which has the potential to allow remote code execution.

Adobe Reader is the company's free PDF reader utility; Acrobat provides PDF creation and other tools.

A flaw in the program's getAnnots() JavaScript function could allow a malicious PDF document to trigger the execution of code contained within the document. A simpler exploit would merely crash the application.

Adobe has confirmed that "All currently supported shipping versions of Adobe Reader and Acrobat (Adobe Reader and Acrobat 9.1, 8.1.4, and 7.1.1 and earlier versions) are vulnerable to this issue."

According to SecurityFocus, the vulnerability is also present in earlier 9.x, 8.1.x and 7.0.x versions.

Adobe recommends that users disable JavaScript in Reader and Acrobat until an update is provided.

An alternative user strategy would be to use a different PDF software, such as Mac OS X's Preview or Nuance PDF Converter. However, there has been at least one case where a flaw in Adobe's PDF software also showed up in some other vendors' products.

Work is in progress towards updates for the Windows, Mac and Unix versions of Reader, but no schedule has been published yet.

There have been no reports of exploits in the wild, according to Adobe officials.

A zero-day exploit for Adobe Reader and Acrobat was disclosed in February this year. Updates for the Windows and Mac 9.1 versions were released three weeks later, and the 8.1 and 7.1 updates appeared after another week.

The Unix updates arrived five weeks after the vulnerability was disclosed.