Security hole in Adobe Reader

A recently unearthed vulnerability in older versions of Adobe Reader software leaves users vulnerable to Web-based attacks, according to an alert released by Adobe.

Version 8.1.2 and earlier of the Portable Document Format (PDF) Reader contain the flaw, as do versions 8.1.2 and earlier of the Adobe Acrobat Professional, 3-D and Standard editions.

The company recommends upgrading to version 9 of Reader. If moving to version 9 is not feasible, users can instead upgrade to version 8.1.3, which is available from the same download page.

For the Acrobat PDF authoring application, the company is offering updated versions to download for both Microsoft Windows and Macintosh.

The patches also address several other less-critical vulnerabilities.

The vulnerability, a stack-based buffer overflow, stems from how Adobe Reader executes JavaScript embedded in a PDF file. An attacker could embed code in a PDF file that, when the file is opened, would run with the full privileges of the user who opened it.

In addition to updating the software, users can take further steps to prevent such attacks. Because PDFs found online are frequently opened directly in Web browsers, the United States Computer Emergency Readiness Team recommends changing browser and operating system settings so that PDFs are not opened inside the browser. Users can also disable JavaScript within Adobe Reader.

According to Core Security Technologies, the research company that found the vulnerability, the problem resides in how the Adobe JavaScript engine handles the util.printf() function. An attacker can pass an overly long argument to the function. When the string exceeds the buffer allocated for it, the excess data overwrites adjacent program memory on the stack. A carefully crafted string could therefore corrupt the data that controls program flow and redirect the host computer into executing attacker-chosen instructions.
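As an added example, not code from the article, Adobe or Core Security, the following Python scanner applies the description above from the defender's side: it pulls the scripts attached to a PDF's /JS and /JavaScript actions (literal and hex-encoded strings) and flags any util.printf() call whose format string is suspiciously long. The sample PDF bytes and the 256-byte threshold are constructed assumptions.

```python
import re

# Added example, not from the article: heuristic scan for the util.printf()
# pattern described above. Sample data and the length threshold are constructed.
MAX_FORMAT_LEN = 256
JS_KEY_RE = re.compile(rb"/(?:JS|JavaScript)\s*(?=\(|<(?!<))")
PRINTF_RE = re.compile(rb"util\.printf\s*\(\s*([\"'])(.*?)\1", re.DOTALL)

def _read_string(data, start):
    """Decode the PDF string object at data[start]: (literal) or <hex>."""
    if data.startswith(b"<", start):       # hex string
        end = data.index(b">", start)
        return bytes.fromhex(data[start + 1:end].decode("ascii"))
    depth, i, out = 0, start, bytearray()  # literal string, parens may nest
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":                     # simplified: keep the escaped byte as-is
            i += 1
            c = data[i:i + 1]
        elif c == b"(":
            depth += 1
            if depth == 1:                 # skip the opening delimiter itself
                i += 1
                continue
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out)
        out += c
        i += 1
    return bytes(out)

def extract_scripts(pdf_bytes):
    """Return every script body attached through a /JS or /JavaScript key."""
    return [_read_string(pdf_bytes, m.end()) for m in JS_KEY_RE.finditer(pdf_bytes)]

def suspicious_printf_calls(pdf_bytes, limit=MAX_FORMAT_LEN):
    """(script index, format length) for each util.printf() format longer than limit."""
    return [(idx, len(m.group(2)))
            for idx, script in enumerate(extract_scripts(pdf_bytes))
            for m in PRINTF_RE.finditer(script) if len(m.group(2)) > limit]

# Constructed sample: a benign alert, an over-long printf format, and a hex-encoded script.
LONG_FORMAT = b"A" * 300
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b'2 0 obj << /S /JavaScript /JS (app.alert("hello");) >> endobj\n'
    b'3 0 obj << /S /JavaScript /JS (util.printf("' + LONG_FORMAT + b'", 1);) >> endobj\n'
    b"4 0 obj << /S /JavaScript /JS <" + b'util.printf("short");'.hex().encode() + b"> >> endobj\n"
)
```

Running `suspicious_printf_calls(SAMPLE_PDF)` returns `[(1, 300)]`: only the second script carries an over-long format. Scripts stored in compressed object streams would need to be inflated before this scan sees them.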

This vulnerability is currently under review as a candidate for the National Vulnerability Database, under Common Vulnerabilities and Exposures (CVE) numbers CVE-2008-4817 and CVE-2008-2992.

About the Author

Joab Jackson is the senior technology editor for Government Computer News.
