Critical vulnerability in Adobe Reader


A vulnerability in Foxit Reader that was disclosed back in May was thought not to be exploitable within Adobe Reader. New research proves otherwise.

Core Security Technologies, a provider of proactive enterprise security testing solutions, has today issued a security advisory disclosing a critical vulnerability with the potential to impact millions of users, both individuals and businesses, who rely upon the Adobe Reader PDF-file browsing software.

While investigating the feasibility of exploiting a vulnerability previously disclosed in Foxit Reader by Dyon Balding from Secunia Research on May 20th 2008, engineers from CoreLab (the research arm of Core Security) have discovered that Adobe Reader is affected by the same bug.

Arguably the world’s most ubiquitous electronic document sharing application, Adobe Reader is used to view, search, digitally sign, verify, print, and collaborate on Adobe PDF files. It also, of course, contains the necessary scripting functionality to enable extended customization.

The CoreLab engineers found that Adobe Reader could be exploited to gain access to vulnerable systems using a specially crafted PDF file containing malicious JavaScript content. CoreLabs alerted Adobe to the vulnerability immediately, and both have been working to coordinate patch creation efforts.

Successful exploitation requires a user to open the maliciously crafted PDF file, which in turn allows the attacker to gain access to vulnerable systems with the privileges of the user running Acrobat Reader.

“As with many of today’s ubiquitous client side applications, the sheer complexity of Adobe Reader creates a broad surface for potential vulnerabilities and, in this case, Adobe’s inclusion of a fully-fledged JavaScript engine introduces the same types of implementation bugs commonly found in such sophisticated client side programs,” said Ivan Arce, CTO at Core Security Technologies.

It isn't the first exploit to impact upon Adobe users, nor will it be the last.

However, Adobe has issued a security update that addresses the vulnerable version 8.1.2 of Reader. Adobe Reader version 9, which was released in June 2008, is not vulnerable to the reported problem.
