Security threats Toolkit

PDF reader flaw fixed

Tags:
Security,
PDF,
Patch,
Adobe

Joris Evers CNET News

Published: 13 Jul 2006 09:45 BST

Adobe Systems joined Microsoft on "Patch Tuesday" and delivered fixes for two security flaws in the ubiquitous Adobe PDF reader software.

The vulnerabilities affect Adobe's Acrobat and Reader software for both the Windows operating system and Apple's Mac OS, Adobe said in two separate security advisories. If left unpatched, the flaws could put Windows and Mac users at risk of a cyberattack.

Adobe's fixes came on the same day that Microsoft issued seven security bulletins with updates to repair 18 vulnerabilities in Windows and Office, including what security experts deem a dangerous Windows worm hole.

The most serious of the two Adobe flaws is a "buffer overflow" vulnerability that affects Adobe Acrobat 6.0.4 and earlier for both Windows and Mac OS, Adobe said. The company categorises this as a "critical" update and recommends computer users update to version 6.0.5.

An attacker could exploit the vulnerability by crafting a malicious PDF (Portable Document Format) file. Opening that file could cause a complete compromise of the vulnerable PC or cause Acrobat to crash.

Buffer overflows are a commonly exploited security problem. They occur when a program allows data to be written beyond the allocated end of a buffer in memory. A computer can be made to execute potentially malicious code by feeding in extra data that is designed to flood the buffer.

The second flaw Adobe has fixed affects version 6.0.4 and earlier of Adobe Reader and Adobe Acrobat, but only on Mac OS. File and folder permissions for the applications could permit non-privileged users to change key program files on the Apple operating system, Adobe said in its security alert.

"This condition presents a risk for shared, multiuser systems," Adobe said. "On such systems, a hostile unprivileged user could take advantage of this condition to replace these program files with malicious or harmful code that could read, write or destroy sensitive data if subsequently run by a privileged user."

Adobe recommends that people use the automatic update facility in its applications to install version 6.0.5 or download and install the update from the Adobe Web site.