Critical vulnerability could be used to exploit JavaScript engine in popular Reader application

Dark Reading Staff, Dark Reading

November 5, 2008


Adobe today fixed a major security hole in Adobe Reader that lets an attacker take control of a user's machine when he or she opens or downloads a PDF file.

The overflow vulnerability can be triggered through JavaScript features in Adobe Reader 8.1 and earlier versions. This isn't the first such critical bug found in Reader, says Ivan Arce, CTO of Core Security Technologies, which discovered the flaw, but it's a major one.

"JavaScript content may trigger the vulnerability and let an attacker control the system," Arce says.

Core researchers discovered the vulnerability while studying a similar flaw in a different PDF viewer application, Foxit Reader. Arce says the bug demonstrates how multiple vendors can have similar flaws in their applications. Core reported its finding to Adobe in May after discovering the vulnerability.

Aside from the patch, Reader users can either disable JavaScript in the application or upgrade to the newest version of Reader, Version 9, which does not contain the vulnerability, Arce notes.
