Adobe Reader and Acrobat contain multiple security flaws attackers could exploit to execute malicious commands on victims' computers, the French Security Incident Response Team (FrSIRT) warned in an advisory. No patch is available yet, but the vendor has released a workaround.
FrSIRT said memory corruption errors exist in the AcroPDF ActiveX control, also known as AcroPDF.dll. Because of this, the application mishandles malformed arguments passed to the "setPageMode()", "setLayoutMode()", "setNamedDest()", and "LoadFile()" methods. Attackers could exploit this to execute arbitrary commands by tricking the user into visiting a specially crafted Web page with Internet Explorer.
Adobe acknowledged the existence of the flaws in an advisory, saying, "These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system."
The problems affect Adobe Reader 7.0.0 through 7.0.8 and Adobe Acrobat Standard and Professional 7.0.0 through 7.0.8 on the Windows platform when using Internet Explorer. Users of other browsers are not affected, Adobe said.
"The Secure Software Engineering team is working with the Adobe Reader Engineering team on an update to Adobe Reader and Acrobat 7.0.8 that will resolve these issues, which is expected to be available in the near future," the vendor said. A security bulletin will be published on the Adobe Web site once a fix is available.
Adobe said the following workaround will prevent exploits from occurring:
- Exit Internet Explorer and Adobe Reader.
- Browse to
:Program FilesAdobeAcrobat 7.0ActiveX. [If Acrobat is not installed to the default location, browse to the location of the Acrobat 7.0 folder.]
- Select AcroPDF.dll and delete it.