Adobe closes critical Acrobat and Reader holes
As promised last week, Adobe has released security updates that patch several security flaws in its Adobe Reader and Acrobat products. The updates fix a recently announced critical buffer overflow in the JavaScript function getAnnots() that could be used by an attacker to crash either application and potentially allow them to take control of the affected system. For an attack to be successful, the user must first open a specially crafted malicious PDF document. Versions 9.1.1, 8.1.5 and 7.1.2 of Adobe Reader and Acrobat fix the problem.
The UNIX version update closes a second hole in the JavaScript functionality where the customDictionaryOpen method can be manipulated to cause a denial of service or execute arbitrary code. Adobe Reader 9.1.1 for UNIX corrects the vulnerability.
All users who have not yet updated are advised to do so. The updates are available to download for Windows, Mac and UNIX.
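For mail gateways or file shares that still serve unpatched readers, a triage check for the two JavaScript methods named above can flag PDFs for review. This is an added example, not code from Adobe or from the original report; the function name `triage_pdf` and the result layout are assumptions, and a hit means "inspect this file", not "malicious".

```python
import re
import zlib

# Method names taken from the article text.
FLAGGED_METHODS = (b"getAnnots", b"customDictionaryOpen")
# PDF name objects that indicate an embedded JavaScript action.
JS_MARKERS = (b"/JavaScript", b"/JS")

# Body of a PDF stream object: everything between "stream" and "endstream".
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)


def _inflate(data):
    """Return the inflated bytes, or None if data is not a Flate (zlib) stream."""
    try:
        return zlib.decompressobj().decompress(data)
    except zlib.error:
        return None


def triage_pdf(raw):
    """Scan raw PDF bytes, including Flate-compressed streams, for
    JavaScript markers and the method names listed in FLAGGED_METHODS."""
    views = [raw]
    for match in STREAM_RE.finditer(raw):
        inflated = _inflate(match.group(1))
        if inflated is not None:
            views.append(inflated)
    blob = b"\n".join(views)
    return {
        "has_javascript": any(marker in blob for marker in JS_MARKERS),
        "methods": sorted(m.decode() for m in FLAGGED_METHODS if m in blob),
    }


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as handle:
            print(path, triage_pdf(handle.read()))
```

The check only sees literal names in plain or Flate-compressed streams, so a clean result does not clear a file that uses other filters or escaped names; patching to the fixed versions remains the actual remedy.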
See also:
- Security Updates available for Adobe Reader and Acrobat, Adobe Security Bulletin.
- Buffer overflow issues in Adobe Reader and Acrobat, Adobe Security Bulletin.
- Demo exploits for new vulnerabilities in Adobe Reader, a report from The H.
- F-Secure advises against using Adobe Reader, a report from The H.
(crve)