Abobe fixes critical .pdf flaws

Adobe Reader 8 fixes flaws attackers could exploit to launch cross-site-scripting (XSS) attacks. The flaws relate to errors in how the program handles .pdf files.

Adobe Systems Inc. has released an update that fixes critical flaws in its popular .pdf viewer that came to light last week, as well as additional flaws reported in recent days.

The update fixes a cross-site scripting (XSS) flaw in versions 7.0.8 and earlier of Adobe Reader and Acrobat that could allow remote attackers to inject arbitrary JavaScript into a browser session, the vendor said in its advisory.

Security vendors like Symantec Corp. issued urgent alerts regarding this flaw, calling it significant and easily exploitable, since Adobe Reader is used by a large segment of the computing population to view .pdf files.

The update also fixes additional flaws reported earlier this week by researcher Piotr Bania.

"Additional vulnerabilities have been identified in versions 7.0.8 and earlier of Adobe Reader and Acrobat that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system," Adobe said of Bania's discoveries. "A malicious file must be loaded in Adobe Reader by the end user for an attacker to exploit these vulnerabilities."

In its analysis of Bania's research, Danish vulnerability clearinghouse Secunia said the problem is an unspecified error that surfaces when the viewer processes .pdf files. "This can be exploited to cause a heap corruption and may allow execution of arbitrary code when a specially-crafted .pdf file is opened," Secunia said.

Adobe urged users to upgrade to version 8 to address the problems.

Read more on IT risk management