Adobe falls down gaping security hole

Adobe classifies bugs as 'critical'

Adobe has acknowledged that recent versions of Reader and Acrobat contain unpatched bugs that could allow attackers to take over Windows systems via Internet Explorer.

The bugs were discovered by security company FrSIRT and reported to Adobe a week ago, the company said in an advisory this week. Both FrSIRT and Adobe classified the bugs as "critical", since they could be exploited by simply luring an Internet Explorer user to a malicious website.

"These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system," Adobe says in an advisory.

The bugs affect Adobe Reader 7.0.0 to 7.0.8 and Adobe Acrobat, both Standard and Professional versions, 7.0.0 through 7.0.8 on Windows. More specifically, the bugs affect the AcroPDF ActiveX control, AcroPDF.dll, which runs in Internet Explorer. Explorer is the only browser to use ActiveX, meaning other browsers aren't affected. Acrobat 8 is also unaffected. Adobe's recommended workaround is to delete the AcroPDF.dll file, as outlined in its advisory.

FrSIRT says the bugs involve memory corruption in AcroPDF.dll, which improperly handles malformed arguments passed to the "setPageMode()", "setLayoutMode()", "setNamedDest()" and "LoadFile()" methods. Adobe says it is working on a fix, which it hopes to publish "in the near future".
