Adobe Reader suffers zero-day vuln


The latest Adobe Reader vulnerability allows for full remote code execution - and once again exploits a flaw in the JavaScript implementation.

Adobe has found itself under the scrutiny of security researchers with the news that yet another zero-day vulnerability has been discovered in its popular PDF viewer, Reader.

According to an article over on CNet, the vulnerability – caused by an error in the in-built annotation JavaScript function – allows an attacker to execute code on a target machine when a specially crafted document is opened.

As has been the case with other JavaScript vulnerabilities within the Reader package, disabling the scripting engine – from the General Preferences dialogue, under Edit->Preferences->JavaScript – renders the attack inert, at the risk of breaking documents which rely on JavaScript being available.
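To gauge which documents would be affected by turning JavaScript off, a triage pass over the raw PDF bytes can flag files that carry script actions. This is an added example, not code from the article or from Adobe; the function names and sample byte strings are constructed for illustration, and the scan is a heuristic that does not look inside compressed streams.

```python
import re
import sys

# Name tokens from the PDF format that mark embedded scripts or actions
# that run without the user asking for them.
SCRIPT_NAMES = {"JS", "JavaScript"}
TRIGGER_NAMES = {"OpenAction", "AA"}
# A name is "/" followed by any bytes that are not whitespace or delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_name(raw):
    """Undo #xx escapes so that /J#61vaScript is read as JavaScript."""
    return HEX_ESCAPE_RE.sub(
        lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def scan_pdf_bytes(data):
    """Count script-related names in the raw bytes of one PDF."""
    counts = {n: 0 for n in SCRIPT_NAMES | TRIGGER_NAMES | {"ObjStm"}}
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in counts:
            counts[name] += 1
    has_script = any(counts[n] for n in SCRIPT_NAMES)
    has_trigger = any(counts[n] for n in TRIGGER_NAMES)
    return {
        "counts": counts,
        "has_script": has_script,
        # Heuristic: a script plus an automatic trigger somewhere in the file.
        "runs_automatically": has_script and has_trigger,
        # Compressed object streams can hide names from a raw byte scan.
        "needs_deeper_look": counts["ObjStm"] > 0,
    }

# Constructed sample inputs (not real documents).
CONSTRUCTED_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
CONSTRUCTED_SCRIPTED = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /JS (1+1;) >>\nendobj\n"
)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            result = scan_pdf_bytes(fh.read())
        print(path, result)
```

Files reported with `needs_deeper_look` set should be checked with a full PDF parser before being treated as script-free.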

The team behind the discovery have stated that both Reader 8.1.4 and 9.1 for Linux have been confirmed to suffer from the vulnerability – and it's more than likely that it's a cross-platform issue, affecting other operating systems as well. So far, Adobe has not issued a timescale for when the hole will be patched – beyond a statement saying the company is “currently investigating” the issue and “will have an update once we get more information.”

Adobe Reader has had more than its share of JavaScript problems in the past, and it's an issue which the digital ne'er-do-wells are certainly aware of: speaking at the RSA Security conference last week, the chief research officer of security specialist F-Secure, Mikko Hypponen, claimed that over 47 percent of all targeted attacks his company is aware of this year have been aimed at Acrobat Reader.

While Adobe investigates the issue, it's advisable to disable JavaScript – or switch to a PDF reader with a better security track record.

Should Adobe get its act together and do a full code audit of the Reader software before yet another flaw is discovered in its JavaScript implementation, or are the security researchers simply aiming for the low-hanging fruit? Share your thoughts over in the forums.


Flibblebot 29th April 2009, 10:17
Maybe I'm being a little dense here, but why would you need JavaScript in a PDF file?
kenco_uk 29th April 2009, 10:20
I'm assuming it's something to do with the pdf browser plugin.
p3n 29th April 2009, 10:27
"caused by an error in the in-built annotation JavaScript function"

Javascript is evil!
perplekks45 29th April 2009, 13:04
Originally Posted by p3n
Javascript is THE evil!
Fixed that for you. ;)
[USRF]Obiwan 29th April 2009, 13:34
The people who misuse javascript to create 'evil' are to blame.