Adobe Rates Acrobat Vulnerabilities “Critical”
Adobe has warned users about a newly discovered vulnerability in the ActiveX component shipped with versions 7.0.0 through 7.0.8 of both Adobe Reader and Acrobat. The flaw could allow an attacker to take control of a compromised system. The attack vector is the ActiveX control that Internet Explorer uses to display PDF documents; users of other browsers are not affected.
The French security research firm FrSIRT was the first to report the vulnerability, on November 28, 2006. Both FrSIRT and Adobe rate the vulnerability "critical".
In an advisory released this week, the French Security Incident Response Team (FrSIRT) says the bugs are memory corruption errors in the AcroPDF ActiveX control, which fails to handle malformed arguments properly.
The bugs would most likely be exploited by posting a malicious PDF file on a Web site or sending it as an e-mail attachment. The attack proceeds by duping users into clicking a link to a malformed PDF file or opening a malicious attachment.
Adobe, based in San Jose, Calif., issued an advisory with pre-patch workarounds and warned that multiple unpatched holes could crash the software. In addition, the flaws could potentially let an attacker run commands on the affected system.
The company recommends that users delete AcroPDF.dll from the Acrobat program files folder. However, it warns, doing so could disrupt enterprise workflows, because PDF documents will no longer open inside Internet Explorer. With the workaround applied, Internet Explorer will either open PDF files separately in Adobe Reader or prompt the user to download the file and view it in Adobe Reader. Acrobat and Reader 8.0 are not affected.
Adobe said, "The Secure Software Engineering team, together with the Adobe Reader Engineering team, is working on an update to Adobe Reader and Acrobat 7.0.8 to resolve the issues, and it is likely to appear soon." Once the fix is ready, Adobe will publish a security bulletin on its Web site.
FrSIRT suggests that users set a "kill bit" in the Windows registry to disable the vulnerable ActiveX control. Unlike deleting AcroPDF.dll, a kill bit only stops Internet Explorer (and other hosts that honour it) from loading the control; the file itself stays in place, and the kill bit remains in force after the patch is installed until it is removed.
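Setting a kill bit, as an added example; this is not code from the article, FrSIRT or Adobe. It assumes the standard Internet Explorer mechanism (a "Compatibility Flags" DWORD with the 0x400 bit set under the ActiveX Compatibility key) and a CLSID for the AcroPDF.PDF control that the article does not give; the CLSID below is an assumption and should be verified on the target machine before use. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the article, FrSIRT or Adobe): set and verify an
# Internet Explorer kill bit for an ActiveX control, by CLSID.
# Run from an elevated prompt; writes under HKLM need administrator rights.

# Assumed CLSID of the AcroPDF.PDF control shipped with Reader/Acrobat 7.x.
# Not taken from the article; verify it on the target machine first, e.g.:
#   Get-ItemProperty 'HKLM:\SOFTWARE\Classes\AcroPDF.PDF\CLSID'
$AcroPdfClsid = '{CA8A9780-280D-11CF-A24D-444553540000}'

# 0x400 is the COMPAT_EVIL_DONT_LOAD flag that IE treats as the kill bit.
$KillBitFlag   = 0x400
$CompatKeyRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Set-ActiveXKillBit {
    param([Parameter(Mandatory = $true)][string]$Clsid)

    $key = Join-Path $CompatKeyRoot $Clsid
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Preserve any flags already present and only OR in the kill bit.
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $newValue = [int]$existing -bor $KillBitFlag
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $newValue -Type DWord
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory = $true)][string]$Clsid)

    $key   = Join-Path $CompatKeyRoot $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags -band $KillBitFlag) -eq $KillBitFlag)
}

# Sanity check: warn if the CLSID is not registered on this machine, which
# usually means the assumed CLSID is wrong or the control is not installed.
if (-not (Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$AcroPdfClsid")) {
    Write-Warning "CLSID $AcroPdfClsid is not registered here; check it before setting a kill bit."
}

Set-ActiveXKillBit -Clsid $AcroPdfClsid
if (Test-ActiveXKillBit -Clsid $AcroPdfClsid) {
    Write-Output "Kill bit set for $AcroPdfClsid; Internet Explorer will no longer load the control."
} else {
    Write-Error "Kill bit was not set for $AcroPdfClsid."
}
```

On 64-bit Windows the 32-bit Internet Explorer reads the same key under HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so set the value there as well. To undo the workaround once the patch is installed, clear the 0x400 bit (or delete the "Compatibility Flags" value) under the same key.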
» SPAMfighter News - 04-12-2006