Adobe Acrobat suffers JavaScript flaw

February 23, 2009 // 12:37 p.m.

Tags: #acrobat #acrobat-reader #adobe #buffer-overflow #ecmascript #javascript #patch #pdf #reader #security #shadowserver #vulnerability

In what is starting to feel like a case of deja vu, a group of security researchers has announced a JavaScript buffer vulnerability in Adobe's Acrobat range of products – including the free Adobe Reader application.

As reported over on BetaNews, a group of security professionals known as the ShadowServer Foundation has released information on a zero-day attack against Adobe's Acrobat and Reader applications which it claims is currently being exploited in the wild.

The attack is believed to have been first discovered by researcher Matt Richard, who provided the ShadowServer group with a sample of the malicious code. The group claims that Adobe is “aware of this issue and [is] actively working to address it,” which is backed up by the speed with which Adobe has been able to respond to the research.

Although Adobe is aware of the vulnerability – and the fact that it is being actively exploited – a patch for the flaw is not expected until the 11th of March. In the meantime, it is recommended that the in-built JavaScript engine – which is enabled by default in both the Acrobat Professional PDF editor and the free Adobe Reader package – is switched off via the Preferences menu.

The flaw is similar to one patched back in June, which also allowed maliciously-crafted PDF files to execute code via an overflow in the JavaScript engine, and another in the Flash Player application from the same company a month earlier than that.

Will you be switching JavaScript off until Adobe has this bug licked, or is this one flaw too many for you to keep using the company's products on your PC? Share your thoughts over in the forums.

WEEK IN REVIEW

TOP STORIES

SUGGESTED FOR YOU