Adobe issues security fixes for Reader and Acrobat

Vulnerabilities in Adobe Reader and Acrobat could allow an attacker to take over affected systems

Adobe has released a patch to fix vulnerabilities in Adobe Reader and Acrobat that could allow an attacker to crash or take control of affected systems.

The vulnerabilities could allow a remote attacker to do a number of things, including executing code, writing files to the system or causing a denial of service, according to an alert issued Jan. 13 by the U.S. Computer Emergency Readiness Team’s National Cyber Alert System. Opening a PDF document with the malicious code in it would trigger the attack.

The vulnerabilities affect Adobe Reader 9.2 and Acrobat 9.2 for Windows, Macintosh and UNIX, and Adobe Reader 8.1.7 and Acrobat 8.1.7 for Windows and Macintosh.

Adobe Reader and the Adobe Acrobat family of software are designed to create, view, and edit Portable Document Format files. Adobe Reader is widely deployed, and the Acrobat Reader Plug-In displays a PDF inside a Web browser.

The crux of the problem is the JavaScript Doc.media.newPlayer method in Adobe Acrobat and Reader. The newPlayer method contains a use-after-free vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. By convincing a user to open a malicious PDF file, an attacker could execute code or cause a vulnerable PDF viewer to crash. The PDF could be e-mailed as an attachment or hosted on a Web site.

Some of these vulnerabilities are being actively exploited, the US-CERT alert states.

"While I have not seen any exploits on our network, many exploits have been reliably reported in the wild,” said Andrew Storms, director of security at nCircle, a provider of automated security and compliance solutions. The company also provides risk management services to users, keeping them abreast of the latest application vulnerabilities.

“We should expect that these exploits will continue to be effective for quite some time simply because Adobe's installed base is so large that it will take a while before everyone has the update installed,” he said.

"Once considered the safest document format, Adobe PDF has fallen prey to a rash of serious security threats," Storms said.

The vulnerabilities have been addressed in Adobe Reader 9.3 and 8.2, Adobe officials said.

Adobe recommends users of Adobe Reader 9.2 and Acrobat 9.2 and earlier versions for Windows, Macintosh and UNIX to update to Adobe Reader 9.3 and Acrobat 9.3. Adobe recommends users of Acrobat 8.1.7 and earlier versions for Windows and Macintosh to update to Acrobat 8.2.

For Adobe Reader users on Windows and Macintosh who cannot update to Adobe Reader 9.3, Adobe has provided the Adobe Reader 8.2 update. The company has also offered advice for lessening the risk of such attacks.

“Part of the controversy surrounding this vulnerability has been the mitigation advice from Adobe that included the recommendation to disable JavaScript,” Storms said. “The security issues surrounding JavaScript and Adobe have left a lot of people wondering why JavaScript is included in Adobe's PDF products at all."

About the Author

Rutrell Yasin is is a freelance technology writer for GCN.

inside gcn

  • IoT analytics platform

    Modern data analytics for public safety IoT

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group