Security hole in Adobe Reader

A newly disclosed vulnerability in older versions of Adobe Reader leaves users open to attack through malicious PDF files, including files served from the Web, according to an alert released by Adobe.

Version 8.1.2 and earlier of the Portable Document Format (PDF) Reader are affected, as are versions 8.1.2 and earlier of the Adobe Acrobat Professional, 3D and Standard editions.

The company recommends upgrading to version 9 of Reader. If moving to version 9 is not feasible, users can instead upgrade to version 8.1.3, also available from Adobe.

For the Acrobat PDF authoring application, the company is offering updated versions for download for both Microsoft Windows and Macintosh.

The updates also address several other, less critical vulnerabilities.

The vulnerability, a stack-based buffer overflow, stems from how Adobe Reader executes JavaScript embedded in a PDF file. An attacker who places specially crafted JavaScript in a PDF could, when the file is opened, execute arbitrary code with the privileges of the user running Reader.

In addition to updating the software, users can take further steps to blunt such attacks. Because PDFs found online are frequently opened directly inside the Web browser, the United States Computer Emergency Readiness Team (US-CERT) recommends changing browser and operating-system settings so that PDFs are not opened within the browser, which forces a deliberate decision to open a downloaded file. Users can also disable JavaScript within Adobe Reader (under Edit > Preferences > JavaScript), which removes the attack surface this flaw depends on at the cost of breaking PDF forms and scripts that rely on it.

According to Core Security Technologies, the research company that found the vulnerability, the problem lies in how the Adobe JavaScript engine handles the util.printf() function. An attacker can pass the function an overly long argument. The formatted result is written into a fixed-size buffer on the stack; when the string exceeds that allocation, the excess bytes overwrite adjacent stack memory, including control data such as the saved return address. A carefully crafted string can therefore redirect execution to attacker-supplied code.
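The following C program is an added illustration of the bug class described above; it is not Adobe Reader's code and is not taken from Core's advisory. It models a stack frame as a 16-byte buffer followed by a sentinel field named saved_ret (an assumed stand-in for a saved return address), shows the unbounded copy that lets an over-long argument spill onto that sentinel, and places the bounded, return-value-checked version beside it. The input strings are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Model of the bug class: a fixed-size buffer on the stack sits directly
 * below control data. "saved_ret" is a sentinel standing in for a saved
 * return address. The layout is constructed for illustration only and is
 * not Adobe Reader's code.
 */
struct frame {
    char buf[16];
    unsigned int saved_ret;
};

#define SENTINEL 0xDEADBEEFu

/*
 * Vulnerable pattern: the argument is formatted and then copied into the
 * 16-byte buffer with no check against its size, which is how an unbounded
 * sprintf() into a stack buffer behaves. Anything past 16 bytes lands on
 * saved_ret. The copy is clamped to the size of the whole frame only so the
 * model stays within defined behaviour; the real bug keeps writing.
 * Returns the number of bytes written into the frame.
 */
static size_t format_unbounded(struct frame *f, const char *arg)
{
    char scratch[256];
    int n = snprintf(scratch, sizeof scratch, "%s", arg);
    if (n < 0)
        return 0;
    size_t len = (size_t)n + 1;            /* include the terminator */
    if (len > sizeof scratch)
        len = sizeof scratch;
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy(f, scratch, len);               /* overruns buf into saved_ret */
    return len;
}

/*
 * Hardened form: snprintf() is bounded by the buffer size and its return
 * value is checked, so an over-long argument is rejected rather than
 * silently truncated. Returns the formatted length, or -1 on rejection.
 */
static int format_bounded(struct frame *f, const char *arg)
{
    int n = snprintf(f->buf, sizeof f->buf, "%s", arg);
    if (n < 0 || (size_t)n >= sizeof f->buf) {
        f->buf[0] = '\0';
        return -1;
    }
    return n;
}

/* Value of the sentinel after the vulnerable routine processes arg. */
unsigned int sentinel_after_unbounded(const char *arg)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_ret = SENTINEL;
    format_unbounded(&f, arg);
    return f.saved_ret;
}

/* Value of the sentinel after the hardened routine processes arg. */
unsigned int sentinel_after_bounded(const char *arg)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_ret = SENTINEL;
    format_bounded(&f, arg);
    return f.saved_ret;
}

/* Return value of the hardened routine for arg (-1 means rejected). */
int bounded_result(const char *arg)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_ret = SENTINEL;
    return format_bounded(&f, arg);
}

int main(void)
{
    /* Constructed inputs: a short argument and a 40-byte run of 'A'. */
    const char *benign = "1.0";
    const char *overlong = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    printf("unbounded, short arg: sentinel 0x%08x\n",
           sentinel_after_unbounded(benign));
    printf("unbounded, long arg : sentinel 0x%08x\n",
           sentinel_after_unbounded(overlong));
    printf("bounded,   long arg : sentinel 0x%08x, rc %d\n",
           sentinel_after_bounded(overlong), bounded_result(overlong));
    return 0;
}
```

With the short argument the sentinel survives both routines; with the 40-byte argument the unbounded copy replaces it with 0x41414141, the bytes of the attacker's string, while the bounded routine leaves it intact and returns -1. In a real process the overwritten word would be the return address the function jumps to, which is the step that turns an over-long string into code execution.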

Adobe's alert lists the issues under Common Vulnerabilities and Exposures (CVE) identifiers including CVE-2008-4817 and CVE-2008-2992; the util.printf() flaw described above is tracked as CVE-2008-2992. Both entries are recorded in the National Vulnerability Database.

About the Author

Joab Jackson is the senior technology editor for Government Computer News.
