Adobe Acrobat suffers JavaScript flaw

The vulnerability in both Adobe Acrobat and Adobe Reader lies in the JavaScript engine - and can be exploited to execute code.

In what is starting to feel like a case of deja vu, a group of security researchers has announced a JavaScript buffer vulnerability in Adobe's Acrobat range of products – including the free Adobe Reader application.

As reported over on BetaNews, a group of security professionals known as the ShadowServer Foundation has released information on a zero-day attack against Adobe's Acrobat and Reader applications which it claims is currently being exploited in the wild.

The attack is believed to have been first discovered by researcher Matt Richard, who provided the ShadowServer group with a sample of the malicious code. The group claims that Adobe is “aware of this issue and [is] actively working to address it,” which is backed up by the speed with which Adobe has been able to respond to the research.

Although Adobe is aware of the vulnerability – and the fact that it is being actively exploited – a patch for the flaw is not expected until the 11th of March. In the meantime, it is recommended that the in-built JavaScript engine – which is enabled by default in both the Acrobat Professional PDF editor and the free Adobe Reader package – is switched off via the Preferences menu.

The flaw is similar to one patched back in June, which also allowed maliciously-crafted PDF files to execute code via an overflow in the JavaScript engine, and another in the Flash Player application from the same company a month earlier than that.

Will you be switching JavaScript off until Adobe has this bug licked, or is this one flaw too many for you to keep using the company's products on your PC? Share your thoughts over in the forums.


rakeshb03 23rd February 2009, 14:40
If I have to make a choice for only reading a PDF file, I always prefer to use Foxit Reader as it is very handy, but to edit and create a new one I use Adobe Acrobat. Though the risk seems to be very minimal, as a precaution I will turn off the JavaScript option.

Nicb 23rd February 2009, 18:59
I use Foxit Reader as well, and for creating PDFs I use PDFCreator. I used Adobe up to ver. 7 Pro. But it's so bloated, taking up 2 GB I think... at least over 1 GB. When you have programs the size of a few MB that get the job done... What are you going to do? Simplify. I found it just easier in life to beef up security as best you know how, but more importantly use great freeware that the majority don't use and that is less commonly attacked.
nitrous9200 24th February 2009, 00:43
When we do OS reinstalls for customers, we install Adobe Reader (I install the unofficial Lite version, which loads a lot faster and doesn't install all of the other included apps) but I use Foxit on all of my systems: it does the same simple task while using many times less disk space. Foxit's other PDF creation apps are also ridiculously cheap. As a matter of fact, I was looking at the prices for the new CS4 apps...god they're expensive!