Demo exploits for new vulnerabilities in Adobe Reader
Demo exploits for two new security holes in Adobe Reader are circulating on the internet. According to the SecurityFocus bug database, versions 9.1 and 8.1.4 of the PDF reader are affected. Both flaws lie in JavaScript functions that Reader exposes to documents, getAnnots() and spell.customDictionaryOpen(), so a crafted PDF can reach the vulnerable code as soon as it is opened. There is still no official update for the vulnerabilities. The public release of working demo exploits significantly increases the likelihood that PDF documents carrying malicious code will start showing up and that the vulnerabilities will be exploited on a broad scale.
So far, Adobe has confirmed that all currently supported versions of Adobe Reader (9.1, 8.1 and 7.1.1) and earlier are vulnerable. Adobe recommends that users disable JavaScript to mitigate the issue (Edit > Preferences > JavaScript, untick "Enable Acrobat JavaScript"); this closes off both vulnerable functions, but only for as long as the setting stays off. Adobe say they plan to issue updates and will publish a timeline for them "as soon as possible".
Users who want to avoid the risk until a patched version is available can switch to an alternative PDF viewer and should uninstall Adobe Reader for the time being: as long as Reader's browser plug-in remains installed, a web page can still hand a malicious PDF to it, so merely changing the default viewer is not enough to avoid picking up malware while surfing the net.
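As an added illustration of the triage a defender might do while waiting for Adobe's update (this is example code written for this page, not part of the original article or of any Adobe or SecurityFocus material): the script below inflates the FlateDecode streams of a PDF and flags documents whose JavaScript names either of the two functions from the advisories. The sample PDFs are constructed inline by build_sample_pdf() and contain only harmless calls to the named APIs, not exploit code; the detection rule itself is an assumption (a literal occurrence of the function name), so script that builds the name dynamically or sits behind filters other than Flate will evade it.

```python
import re
import zlib
from typing import Optional

# Reader JavaScript APIs named in the two SecurityFocus advisories linked below.
SUSPECT_CALLS = ("getAnnots", "customDictionaryOpen")

# Raw PDF syntax: stream bodies sit between "stream" and "endstream"; JavaScript
# actions are introduced by the /JS or /JavaScript keys.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)
JS_KEY_RE = re.compile(rb"/(JS|JavaScript)\b")


def _inflate_streams(data: bytes) -> bytes:
    """Append the decompressed body of every FlateDecode stream to the raw file,
    so script hidden inside compressed objects is visible to a plain search."""
    parts = [data]
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates the trailing newline before "endstream".
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed (or damaged); the raw body is already in parts[0]
    return b"\n".join(parts)


def scan_pdf(data: bytes) -> dict:
    """Triage one PDF: does it carry JavaScript, and does that script name a suspect API?"""
    visible = _inflate_streams(data)
    has_js = JS_KEY_RE.search(visible) is not None
    hits = sorted(name for name in SUSPECT_CALLS if name.encode() in visible)
    if hits:
        verdict = "suspicious"
    elif has_js:
        verdict = "has_js"
    else:
        verdict = "clean"
    return {"has_javascript": has_js, "suspect_calls": hits, "verdict": verdict}


def build_sample_pdf(js: Optional[bytes]) -> bytes:
    """Constructed test input (not a real-world sample): a minimal PDF without an xref
    table, optionally carrying an /OpenAction JavaScript action whose code is stored
    in a FlateDecode-compressed stream, the way malicious documents commonly hide it."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R"
        + (b" /OpenAction 3 0 R" if js is not None else b"")
        + b" >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
    ]
    if js is not None:
        comp = zlib.compress(js)
        objs.append(b"<< /S /JavaScript /JS 4 0 R >>")
        objs.append(b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(comp)
                    + comp + b"\nendstream")
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, start=1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    # Benign calls to the named APIs: detection test strings, not exploits.
    samples = (
        ("clean", None),
        ("plain js", b"app.alert('hello');"),
        ("getAnnots", b"this.getAnnots();"),
        ("spell", b"spell.customDictionaryOpen();"),
    )
    for label, js in samples:
        print(label, scan_pdf(build_sample_pdf(js)))
```

Without the inflation step the function names never appear in the raw file, which is why a naive grep over PDFs misses most real samples; conversely, "has_js" on its own is only a hint, since plenty of legitimate forms carry JavaScript. A production pipeline would use a real PDF parser that follows object streams and chained filters rather than the regex used here.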
See also:
- Adobe Reader 'getAnnots()' JavaScript Function Remote Code Execution Vulnerability, SecurityFocus post.
- Adobe Reader 'spell.customDictionaryOpen()' JavaScript Function Remote Code Execution Vulnerability, SecurityFocus post.
- Potential Adobe Reader Issue, Adobe's response.
- Update on Adobe Reader Issue, Adobe's follow up response.
- F-Secure advises against using Adobe Reader, report from The H Security.
(djwm)