The overflow vulnerability exploits JavaScript features in Adobe Reader 8.1 and earlier versions. This isn't the first such critical bug found in Reader, says Ivan Arce, CTO of Core Security Technologies, which discovered the flaw, but it's a major one.
"JavaScript content may trigger the vulnerability and let an attacker control the system," Arce says.
Core researchers discovered the vulnerability while studying another similar flaw in a different PDF view application, Foxit Reader. Arce says the bug demonstrates just how multiple vendors can have similar flaws in their applications. Core reported its finding to Adobe in May after discovering the vulnerability.
Aside from the patch, Reader users can either disable JavaScript in the application or upgrade to the newest version of Reader, Version 9, which does not contain the vulnerability, Arce notes.