Adobe Reader 7.0.9 closes security holes
Until recently, Adobe was telling users to switch to version 8 of its Reader rather than closing the security holes in version 7 that are no longer present in version 8. However, a number of users were unable to switch to the later version, for compatibility reasons among others, forcing Adobe to release version 7.0.9 as a download.
In addition to the already public security holes in the browser plug-ins, which allow attackers to use manipulated e-mails or websites to conduct cross-site scripting or denial-of-service attacks, among other things, version 7.0.9 also closes a previously unknown hole that Piotr Bania has now made public. This recently discovered vulnerability allows attackers to use prepared PDF documents to inject and execute malicious code in the Windows and Linux versions of Reader 7.0.8 and earlier.
Bania has refrained from providing a demonstration exploit because he believes the hole is too severe. Users of Adobe Reader or Adobe Acrobat who have not yet been able to upgrade to version 8 should at least switch to version 7.0.9 as soon as possible.
- Adobe Reader Remote Heap Memory Corruption - Subroutine Pointer Overwrite, Piotr Bania's security advisory
- Download version 7.0.9 of the Reader
- Update available for vulnerabilities in versions 7.0.8 and earlier of Adobe Reader and Acrobat, Adobe's security advisory