Adobe Systems Inc. has released an update that fixes critical flaws in its popular .pdf viewer that came to light last week, as well as additional flaws reported in recent days.

The update fixes a cross-site scripting (XSS) flaw in versions 7.0.8 and earlier of Adobe Reader and Acrobat that could allow remote attackers to inject arbitrary JavaScript into a browser session, the vendor said in its advisory.

Security vendors like Symantec Corp. issued urgent alerts regarding this flaw, calling it significant and easily exploitable, since Adobe Reader is used by a large segment of the computing population to view .pdf files.

The update also fixes additional flaws reported earlier this week by researcher Piotr Bania.

"Additional vulnerabilities have been identified in versions 7.0.8 and earlier of Adobe Reader and Acrobat that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system," Adobe said of Bania's discoveries. "A malicious file must be loaded in Adobe Reader by the end user for an attacker to exploit these vulnerabilities."

In its analysis of Bania's research, Danish vulnerability clearinghouse Secunia said the problem is an unspecified error that surfaces when the viewer processes .pdf files. "This can be exploited to cause a heap corruption and may allow execution of arbitrary code when a specially-crafted .pdf file is opened," Secunia said.

Adobe urged users to upgrade to version 8 to address the problems.