Upgrades Would Mitigate Adobe’s Vulnerability

Adobe Systems has recently found a cross-site scripting flaw in its software that could let attackers run malicious JavaScript on a victim's computer.

The flaw is capable of making an impact on versions 7.0.8 and previous ones of the Adobe and Reader programs. Adobe suggests users of those versions to inactivate the Acrobat and Reader plug-in in their Web browser till the time patches are released.

Ever since the problem emerged, Adobe has been asking customers to upgrade to Reader 8, the current version of its program, which is unaffected by the flaw.

The vendor said that Adobe knew about the recent cross-site scripting flaw in versions 7.0.8 and previous ones of Adobe Reader and Adobe Acrobat that could enable remote attackers to install arbitrary JavaScript into a browser. The company assured that the vulnerability was not in .pdf. However, it could take place if a user tries to open a malicious link to a .pdf on the browser.

According to security experts, hackers by exploiting the bug could view the hard drives on their victims' systems or use it to conduct convincing phishing scams. Everything about the Adobe Reader flaw was first reported at the annual conference of a German hacker group called Chaos Computer Club.

The Secure Software Engineering team of Adobe is on the job to update versions 7.0.9 to 7.0.8 and the ones before that of Adobe Reader and Acrobat to resolve the problem for users finding it difficult to upgrade to Reader 8.

Adobe has rated the vulnerability only "important" because it cannot allow execution of native code or delete hard drive on a victim's system, said the director of the company's platform business unit, Pam Deziel. The risks can be brought under check by some direct methods. Deziel said upgrading to Adobe Reader 8 and Acrobat 8 could handle the issue right away.

Till now there has been no report of exploitation of the Adobe Reader vulnerability but there are codes produced to use the exploit. Originally it was thought that the exploit was possible only in Firefox browser but now Internet Explorer is also included.

» SPAMfighter News - 1/15/2007