Tuesday, June 24, 2008

Adobe Acrobat JavaScript flaw exploit in the wild

Computer researchers at Johns Hopkins University have discovered a flaw within most recent version of Adobe's Reader and Acrobat software applications that could allow hackers to take control of vulnerable systems.

"Adobe categorizes this as an critical issue and recommends affected users update their installations," Adobe said in an advisory today.

There are reports that the exploit is in the wild, which both Adobe and security firm Secunia appear to be taking seriously.

The problem affects Acrobat and Reader versions 7.0.9 and earlier, as well as versions 8.0 through 8.1.2. Adobe disclosed the vulnerability on Monday in conjunction with the release of a security update for the current version, which is 8.1.2.

Users of version 7.1 are not affected by the vulnerability, and Adobe says Acrobat and Reader 9 which are due out in July are also immune.

According to a security bulletin by SecurityFocus, user input is not sanitized correctly. Essentially, an attacker could launch code remotely, which would in turn allow him to take control of an affected system.

More specifically, the problem is related to an input validation issue with JavaScript usage in either product. Indeed, JavaScript can be embedded in PDF files, so a JavaScript problem need not necessarily be browser-based.

SecurityFocus said the issue could be related to another earlier reported flaw late last month which involved a remote denial-of-service issue. At the time it was not known if code execution would be possible. That flaw affected similar versions of Adobe Reader.



  • Mozilla warns of Flash and Silverlight ‘agenda’
  • Apple releases OS X 10.5.3, users report problems
  • Microsoft re-issues one security fix for a Bluetooth hole
  • Microsoft snags key Photoshop developer from Adobe
  •