News

Abobe fixes critical .pdf flaws

Bill Brenner, Senior News Writer
Adobe Systems Inc. has released an update that fixes critical flaws in its popular .pdf viewer that came to light last week, as well as additional flaws reported in recent days.

The update fixes a cross-site scripting (XSS) flaw in versions 7.0.8 and earlier of Adobe Reader and Acrobat that could allow remote attackers to inject arbitrary JavaScript into a browser session, the vendor said in its advisory.

Security vendors like Symantec Corp. issued urgent alerts regarding this flaw, calling it significant and easily exploitable, since Adobe Reader is used by a large segment of the computing population to view .pdf files.

The update also fixes additional flaws reported earlier this week by researcher Piotr Bania.

"Additional vulnerabilities have been identified in versions 7.0.8 and earlier of Adobe Reader and Acrobat that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system," Adobe said of Bania's discoveries. "A malicious file must be loaded in Adobe Reader by the end user for an attacker to exploit these vulnerabilities."

In its analysis of Bania's research, Danish vulnerability clearinghouse Secunia said the problem is an unspecified error that surfaces when the viewer processes .pdf files. "This can be exploited to cause a heap corruption and may allow execution of arbitrary code when a specially-crafted .pdf file is opened," Secunia said.

Adobe urged users to upgrade to version 8 to address the problems.


Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy