Adobe patches zero-day bugs in Reader, Acrobat

Matthew Broersma ZDNet.co.uk

Published: 13 May 2009 17:51 BST

Adobe has updated Adobe Reader and Adobe Acrobat to fix a serious JavaScript flaw affecting Windows, Mac, Linux and Unix, after code to exploit the bug was released on the internet.

As promised, the company sent out a security advisory on Tuesday with fixes for the vulnerability, and also patched a second flaw affecting Unix only. Security firm Secunia gave the flaws a "highly critical" ranking.

Adobe acknowledged that proof-of-concept code was circulating for the flaws on 27 April. The code was first released on the Linux security website Packetstorm.

However, Adobe said in a blog post on Tuesday that it was not aware of any attacks actively exploiting the proof-of-concept code.

Both bugs could be exploited via a specially crafted PDF file to crash the affected applications or take control of a user's system, Adobe said in its advisory.

The first bug, affecting the broader range of platforms, involves the way Reader and Acrobat process calls to the JavaScript method "getAnnots()", and can be used to corrupt memory, according to Adobe.

The second bug, affecting only Unix, involves the way calls to the "customDictionaryOpen()" JavaScript method are processed.

The bugs affect Reader 9.1 and Acrobat 9.1, as well as earlier versions, Adobe said. The company has fixed the issues in Acrobat and Reader versions 9.1.1, 8.1.5 and 7.1.2. The updates are available via Adobe's advisory.

For those unable to update, the company recommended turning off JavaScript in the affected applications.
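For defenders who cannot patch straight away, the sketch below triages PDF files for JavaScript that references the two methods named above. It is an added example, not code from Adobe or from this article; it assumes scripts sit in plain or FlateDecode streams, and `triage_pdf` and `build_sample` are illustrative names.

```python
import re
import zlib

# Method names come from the article; the PDF handling below is an assumption
# about a typical file (plain or FlateDecode streams, no obfuscated names).
FLAGGED_METHODS = (b"getAnnots", b"customDictionaryOpen")
JS_KEY_RE = re.compile(rb"/(?:JavaScript|JS)\b")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def decoded_views(pdf_bytes):
    """Yield the raw file, then every stream body that inflates with zlib."""
    yield pdf_bytes
    for match in STREAM_RE.finditer(pdf_bytes):
        try:
            # decompressobj tolerates a stream whose tail was clipped.
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not Flate data; its raw bytes were already searched


def triage_pdf(pdf_bytes):
    """Report whether the file carries JavaScript and which flagged names appear."""
    has_js, found = False, set()
    for view in decoded_views(pdf_bytes):
        has_js = has_js or bool(JS_KEY_RE.search(view))
        found.update(m.decode() for m in FLAGGED_METHODS if m in view)
    return {"has_javascript": has_js, "methods": sorted(found)}


def build_sample(script):
    """Constructed PDF-like bytes: one JavaScript action, script Flate-compressed."""
    body = zlib.compress(script)
    head = b"%PDF-1.4\n1 0 obj\n<< /S /JavaScript /JS 2 0 R >>\nendobj\n2 0 obj\n"
    length = str(len(body)).encode()
    dictionary = b"<< /Filter /FlateDecode /Length " + length + b" >>\n"
    return head + dictionary + b"stream\n" + body + b"\nendstream\nendobj\n%%EOF\n"


if __name__ == "__main__":
    # Constructed inputs: one script that calls a flagged method, one that does not.
    for script in (b"var a = this.getAnnots();", b"app.alert('hello');"):
        print(script, triage_pdf(build_sample(script)))
```

A hit means the file deserves a closer look, since both methods also have legitimate uses. A clean result is not proof of safety, because scripts stored with other filters or built from obfuscated strings are not decoded here.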
