Adobe Issues Patch for Critical Reader Flaw

Critical vulnerability could be used to exploit JavaScript engine in popular Reader application

Adobe today fixed a major security hole in Adobe Reader that lets an attacker take control of a user's machine when he or she opens or downloads a PDF file.

The overflow vulnerability is triggered through JavaScript features in Adobe Reader 8.1 and earlier versions. This isn't the first such critical bug found in Reader, says Ivan Arce, CTO of Core Security Technologies, which discovered the flaw, but it's a major one.

"JavaScript content may trigger the vulnerability and let an attacker control the system," Arce says.

Core researchers discovered the vulnerability while studying a similar flaw in a different PDF viewing application, Foxit Reader. Arce says the bug demonstrates how multiple vendors can have similar flaws in their applications. Core reported its finding to Adobe in May after discovering the vulnerability.

Aside from the patch, Reader users can either disable JavaScript in the application or upgrade to the newest version of Reader, Version 9, which does not contain the vulnerability, Arce notes.
