Adobe Reader suffers zero-day vuln

April 29, 2009 | 09:56

Tags: #0-day #acrobat #acrobat-reader #actionscript #adobe-acrobat #adobe-reader #flaw #javascript #security #zero-day

Companies: #adobe

Adobe has found itself under the scrutiny of security researchers with the news that yet another zero-day vulnerability has been discovered in its popular PDF viewer, Reader.

According to an article over on CNet, the vulnerability – caused by an error in the in-built annotation JavaScript function – allows for an attacker to execute code on a target machine when a specially crafted document is open.

As has been the case with other JavaScript vulnerabilities within the Reader package, disabling the scripting engine – from the General Preferences dialogue, under Edit->Preferences->JavaScript – renders the attack inert, at the risk of causing documents which rely on JavaScript being available to function incorrectly.

The team behind the discovery have stated that both Reader 8.1.4 and 9.1 for Linux have been confirmed to suffer from the vulnerability – and it's more than likely that it's a cross-platform issue, affecting other operating systems as well. So far, Adobe has not issued a timescale for when the hole will be patched – beyond a statement saying the company is “currently investigating” the issue and “will have an update once we get more information.

Adobe Reader has had more than its share of JavaScript problems in the past, and it's an issue which the digital ne'er-do-wells are certainly aware of: speaking at the RSA Security conference last week, the chief research officer of security specialist F-Secure Mikko Hypponen claimed that over 47 percent of all targeted attacks his company is aware of this year have been aimed at Acrobat Reader.

While Adobe investigates the issue, it's advisable to disable JavaScript – or switch to a PDF reader with a better security track record.

Should Adobe get its act together and do a full code audit of the Reader software before yet another flaw is discovered in its JavaScript implementation, or are the security researchers simply aiming for the low-hanging fruit? Share your thoughts over in the forums.
Discuss this in the forums
YouTube logo
MSI MPG Velox 100R Chassis Review

October 14 2021 | 15:04