Adobe Reader attacked by JavaScript bug

October 12, 2009 | 12:58

Tags: #actionscript #adobe-reader #ecmascript #javascript #pdf #pdf-vulnerability #vulnerability

Companies: #adobe

Adobe's popular Reader PDF viewer has come under attack once again as ne'er-do-wells target an exploit in its JavaScript handling.

According to an article over on CNet, the exploit - which is being described as a 0-day attack targeting both the latest version of Adobe Reader as well as Adobe Acrobat 9.1.3 and earlier - is being actively used in the wild, and is capable of affecting systems based on any version of Windows from 98 up to Windows Server 2003 - with the exception of Windows Vista and the as-yet unreleased Windows 7.

The vulnerability, spotted by anti-virus firm Trend Micro, has been labeled Troj_Pidief.Uo, and uses the JavaScript-based malware package Js_Agent.Dt to drop a backdoor application dubbed" - giving the attacker full control over the system.

Although Adobe has written a patch which addresses the targeted issue, the company has stated it is holding back its release until tomorrow - to co-incide with Microsoft's traditional Patch Tuesday monthly release cycle and give system administrators an easier time of things. However, this does leave systems vulnerable for an extra day.

This isn't the first time that JavaScript flaws have proven problematic for Adobe's popular PDF programs: back in April the company admitted that its products were the victim of another 0-day vulnerability, which itself echoed an attack from February of the same year. Another JavaScript vulnerability was discovered in June of last year, just one month after Adobe updated its Flash player package to protect against another scripting vulnerability.

For now, the work-around for the issue remains the same as always - disable JavaScript processing via the Preferences menu.

Are you surprised to see Adobe fall victim to yet another JavaScript-based attack, or will this sort of thing keep happening until the company completely redesigns its JavaScript engine from the ground up? Share your thoughts over in the forums.
Discuss this in the forums
YouTube logo
MSI MPG Velox 100R Chassis Review

October 14 2021 | 15:04