In association with heise online

05 November 2008, 09:37

Several critical holes closed in Adobe Reader 8 and Acrobat 8


Adobe has released version 8.1.3 of Adobe Acrobat and the free Acrobat Reader to close eight security holes. Some of the holes allow attackers to inject code into a system and execute it via specially crafted PDF documents. The current versions 9.x of Acrobat and Reader for Windows and Mac are not affected. Therefore, Mac and Windows users can either switch to version 9 or update to 8.1.3.

8.1.3, however, is the only version available for Linux, Solaris and HP-UX users, as version 9 won't be released for these systems in the foreseeable future. Users can choose between the various versions at the Adobe download center. Those who can neither upgrade nor update for some reason should disable JavaScript support in Reader and Acrobat.

The vulnerabilities stem from flawed JavaScript processing. One of the flaws causes format strings containing floating point specifiers, passed by JavaScript embedded in a PDF file, to be checked incorrectly. The result can be a buffer overflow in the util.printf() function, which lets attacker-supplied code be written onto the application's stack and executed at the user's privilege level.
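As an added, constructed example (not code from the article, from Adobe, or from any of the security providers mentioned), the following Python script shows how a defender could triage PDF files for the pattern described above: it extracts embedded JavaScript, both from /JS literal strings and from stream objects (inflating FlateDecode streams), and reports every util.printf() call whose format string contains a floating-point conversion specifier, together with the specifier's width field. The sample PDF bytes, the regular expressions, the function names and the finding format are all constructed for this example; a production pipeline would use a real PDF parser instead of regular expressions, but the heuristic is enough to flag documents for analyst review or to seed a mail-gateway rule.

```python
"""Heuristic triage of PDF-embedded JavaScript for util.printf() calls that use
floating-point format specifiers. Constructed example; not Adobe's code."""
import re
import zlib

# A stream object: dictionary (not crossing '>>'), the 'stream' keyword, body, 'endstream'.
STREAM_RE = re.compile(
    rb'<<(?P<dict>(?:(?!>>).)*)>>\s*stream\r?\n(?P<body>.*?)\r?\nendstream', re.S)
# util.printf("<format>", ...) with a single- or double-quoted format string.
PRINTF_RE = re.compile(r'util\.printf\s*\(\s*(?P<q>["\'])(?P<fmt>.*?)(?P=q)', re.S)
# Floating-point conversion specifiers: optional flags, width, precision, then f/e/g.
FLOAT_SPEC_RE = re.compile(r'%[-+ 0#]*(?P<width>\d*)(?:\.\d+)?[fFeEgG]')


def extract_literal_strings(data: bytes, key: bytes = b'/JS') -> list:
    """Return PDF literal strings that directly follow `key`, honouring the
    nested parentheses and backslash escapes that PDF string syntax allows."""
    out = []
    for m in re.finditer(re.escape(key) + rb'\s*\(', data):
        i, depth, buf = m.end(), 1, bytearray()
        while i < len(data) and depth:
            c = data[i:i + 1]
            if c == b'\\':            # escaped character: copy both bytes verbatim
                buf += data[i:i + 2]
                i += 2
                continue
            if c == b'(':
                depth += 1
            elif c == b')':
                depth -= 1
                if depth == 0:
                    break
            buf += c
            i += 1
        out.append(bytes(buf))
    return out


def extract_stream_scripts(data: bytes) -> list:
    """Return bodies of stream objects that mention util.printf, inflating
    FlateDecode streams first. Scripts referenced indirectly (/JS 12 0 R)
    live in such streams, so every stream is inspected."""
    scripts = []
    for m in STREAM_RE.finditer(data):
        body = m.group('body')
        if b'/FlateDecode' in m.group('dict'):
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue              # corrupt or multi-filter stream: skip, don't crash
        if b'util.printf' in body:
            scripts.append(body)
    return scripts


def find_float_printf(js: str) -> list:
    """Report each floating-point specifier inside a util.printf() format string."""
    findings = []
    for call in PRINTF_RE.finditer(js):
        fmt = call.group('fmt')
        for spec in FLOAT_SPEC_RE.finditer(fmt):
            findings.append({'format': fmt, 'spec': spec.group(0),
                             'width': int(spec.group('width') or 0)})
    return findings


def scan_pdf(data: bytes) -> list:
    """Combine both extraction paths and run the util.printf() check over each script."""
    findings = []
    for script in extract_literal_strings(data) + extract_stream_scripts(data):
        findings.extend(find_float_printf(script.decode('latin-1')))
    return findings


def build_sample_pdf() -> bytes:
    """Constructed, minimal PDF-like byte string (not a document from the article):
    one benign literal-string script and one deflated script using a float specifier."""
    literal = b'util.printf("%d items", 3);'
    deflated = zlib.compress(b'var x = 3.14159; util.printf("%10f", x);')
    return (b'%PDF-1.4\n'
            b'1 0 obj << /Type /Action /S /JavaScript /JS (' + literal + b') >> endobj\n'
            b'2 0 obj << /Length ' + str(len(deflated)).encode() +
            b' /Filter /FlateDecode >>\nstream\n' + deflated + b'\nendstream\nendobj\n'
            b'%%EOF\n')


if __name__ == '__main__':
    for f in scan_pdf(build_sample_pdf()):
        print(f"review: util.printf format {f['format']!r} uses {f['spec']} (width {f['width']})")
```

The width field is reported rather than thresholded on purpose: what counts as suspicious depends on the environment, and the article's own recommendation for users who cannot update is to disable JavaScript in Reader altogether, so any embedded script reaching util.printf() with a floating-point specifier is worth a look.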

Interestingly, several security service providers found this hole at approximately the same time. It is, however, likely that they followed up on a very similar hole closed about five months ago in the alternative Foxit Reader. An overflow can also be triggered by loading specially crafted fonts. Furthermore, another unspecified flaw can reportedly trigger a memory leak.

Users should not hesitate to install the current versions, even though no public exploits have been identified so far. If three service providers found this problem independently of one another, criminals are likely also aware of the hole.
