New danger from PDF files
Adobe reports that a hole in its Acrobat and Adobe Reader products is actively being exploited. It appears that the programs do not check the parameters of a JavaScript method adequately. As a result, attackers can use crafted PDF files to execute code at the privilege level of the logged-on user or at least to crash the system. The vendor gives no further details.
Similar holes have often been exploited in the past to deploy malicious software via web pages on a large scale. Only at the beginning of June, F-Secure warned about targeted attacks involving PDF trojans which were sent out via emails.
Versions up to 7.0.9 and versions 8.0 to 8.1.2 of Reader and Acrobat are affected. Adobe has released updated versions which no longer contain the flaw. Due to the imminent danger it is advisable to update immediately.
See also:
- Security Update available for Adobe Reader and Acrobat 8.1.2, Adobe security bulletin
- Web pages infecting PCs via vulnerabilities in Adobe Reader heise Security news
(mba)