Adobe to close Acrobat and Reader holes on May 12
Adobe plans to release a security update for Adobe Reader and Acrobat on the 12th of May. The update will remove the recently announced critical buffer overflow in the JavaScript function getAnnots(). Attackers could prepare PDF documents which could crash either application and potentially allow them to take control of the affected system. The updates will be available for Windows versions 7.x, 8.x, 9.x and UNIX and Mac versions 8.x and 9.x of Adobe Reader and Acrobat.
The update of the UNIX version will also close a second hole in the JavaScript functionality where the customDictionaryOpen method can be manipulated to cause a denial of service or execute arbitrary code. Until the release of the updates, Adobe recommends disabling the processing of JavaScript in its products by selecting Edit/Preferences/JavaScript and un-checking the "Enable Acrobat JavaScript" option.
See also:
- Buffer overflow issues in Adobe Reader and Acrobat, Adobe Security Bulletin.
- Demo exploits for new vulnerabilities in Adobe Reader, a report from The H.
- F-Secure advises against using Adobe Reader, a report from The H.
(djwm)