Adobe Issues Patches for Two Critical Acrobat and Reader Bugs

Adobe released security fixes on May 12, 2009 to patch two critical flaws in Adobe Reader that could let attackers remotely install malware on users' PCs via infected PDF files.

Exploiting the flaws could lead to denial-of-service conditions, a system crash, or the installation of malware that compromises the computer in order to steal sensitive information.

Of the two bugs, the first is associated with the GetAnnots Doc procedure within the JavaScript API. It affects Adobe Acrobat and Reader version 9.1 and earlier on all platforms. The flaw can be exploited with a PDF file that contains an annotation together with an OpenAction entry whose JavaScript calls this procedure with specially crafted integer arguments. An attacker could use it to run arbitrary code.

Meanwhile, US-CERT (Computer Emergency Readiness Team) also said the flaw is the result of a fault within the GetAnnots JavaScript feature.

Reports state that Adobe, in a security advisory issued in April 2009, had cautioned users about the flaw, which critically affects Acrobat Reader and Adobe Reader.

The other bug affects Adobe Reader on Unix only. Through the CustomDictionaryOpen spell procedure within the JavaScript API, an attacker could remotely create a denial-of-service condition or run malicious code by means of an infected PDF file that calls this procedure with a long string in the second argument.

Security researchers also state that proof-of-concept attack code has been developed for both vulnerabilities. However, according to them, no known attack has so far exploited the flaws. The situation could change if hackers gain access to the attack code and take advantage of users who do not update their computers.

To avoid the risk, users are advised to deactivate JavaScript within Adobe Reader.
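For defenders who also want to screen incoming PDFs for the pattern described above (an OpenAction entry plus JavaScript that calls the named procedures), the following triage sketch is an added example and not code from Adobe, US-CERT or the article. The function names and the sample fragment are constructed for illustration, and it assumes only `#xx` name escapes and Flate-compressed streams need undoing.

```python
import re
import zlib

# Method names as given in the article; matched case-insensitively for triage.
RISKY_CALLS = (b"getannots", b"customdictionaryopen")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

def decode_names(data: bytes) -> bytes:
    """Undo #xx escapes in PDF names, e.g. /Open#41ction -> /OpenAction."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> bytes:
    """Return the contents of every stream that inflates as Flate data."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # uncompressed or another filter; raw bytes are still searched
    return b"\n".join(out)

def triage_pdf(data: bytes) -> dict:
    """Flag auto-run JavaScript and the two procedure names from the article."""
    doc = decode_names(data) + b"\n" + inflate_streams(data)
    lowered = doc.lower()
    result = {
        "auto_run": b"/OpenAction" in doc,
        "javascript": re.search(rb"/(JavaScript|JS)\b", doc) is not None,
        "risky_calls": sorted(c.decode() for c in RISKY_CALLS if c in lowered),
    }
    if result["javascript"] and result["risky_calls"]:
        result["verdict"] = "quarantine"
    elif result["javascript"]:
        result["verdict"] = "review"
    else:
        result["verdict"] = "pass"
    return result

def build_sample(js: bytes) -> bytes:
    """Constructed fragment (not a complete PDF): escaped name, Flate JS."""
    body = zlib.compress(js)
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Open#41ction 2 0 R >>\n"
            b"endobj\n2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /Filter /FlateDecode >>\nstream\n" + body +
            b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    print(triage_pdf(build_sample(b"var a = this.getAnnots();")))
```

A plain string search would miss this sample, because the action name is escaped and the script is compressed; other stream filters and encrypted documents are outside what this sketch covers.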

Meanwhile, the current Adobe flaw is believed to be a much more critical problem than Microsoft's recent PowerPoint flaws, which were also patched on May 12, 2009.

Related article: Adobe Rates Acrobat Vulnerabilities “Critical”

» SPAMfighter News - 5/21/2009
