Adobe Patches Multiple Bugs in PDF
A week after admitting a serious flaw in its well-known Acrobat and Reader software, Adobe patched multiple bugs to prevent attackers from loading malicious code onto trusted PDF documents to take control of PCs.
In an advisory, Adobe said the flaws affected Adobe Reader and Adobe Acrobat Standard, Elements and Professional version 7.0.8 and earlier, as well as Adobe Acrobat 3D. Secunia rated the Reader vulnerability as "highly critical".
Adobe issued the version 7.0.9 updates on January 9, 2007, to close the security gaps and stop outsiders from exploiting them to access hard disk drives. Attackers achieve this by planting malicious links in PDF files running on exposed computers.
In a posting on its website, Adobe urges users of Adobe Reader to update to the latest version, Reader 8. Users of Adobe 7 who wish to keep their current version can follow the instructions given in the bulletin. Adobe also outlined recommendations for servers that host the Adobe website and for operators of the site.
Version 7.0.9 also fixes a previously unknown hole that researcher Piotr Bania, working independently, has disclosed. Attackers can exploit this vulnerability through PDF files to inject and run malware in the Windows and Linux versions of Reader 7.0.8 and earlier.
Bania has not, however, demonstrated the exploit because he thinks the flaw is too severe and has undesirable effects.
Updates for the Windows, Linux, and Mac OS X versions of Acrobat and Reader 7.0.9 are available for download on the Adobe website. Users of Mac OS X who want to upgrade from 7.0.8 can use a separate patch without needing to download and install the entire applications.
Adobe Acrobat and Adobe Reader 6.x, which are vulnerable to a cross-site scripting flaw, will soon have updates, a company spokesman said.
» SPAMfighter News - 16-01-2007