Login:
Password:
Lost Password?
Print this article  |  E-mail this article  |  Comment on this article

Adobe Acrobat JavaScript flaw exploit in the wild

By Ed Oswald, BetaNews

June 24, 2008, 11:57 AM

Computer researchers at Johns Hopkins University have discovered a flaw within most recent version of Adobe's Reader and Acrobat software applications that could allow hackers to take control of vulnerable systems.

"Adobe categorizes this as an critical issue and recommends affected users update their installations," Adobe said in an advisory today.

There are reports that the exploit is in the wild, which both Adobe and security firm Secunia appear to be taking seriously.

The problem affects Acrobat and Reader versions 7.0.9 and earlier, as well as versions 8.0 through 8.1.2. Adobe disclosed the vulnerability on Monday in conjunction with the release of a security update for the current version, which is 8.1.2.

Users of version 7.1 are not affected by the vulnerability, and Adobe says Acrobat and Reader 9 which are due out in July are also immune.

According to a security bulletin by SecurityFocus, user input is not sanitized correctly. Essentially, an attacker could launch code remotely, which would in turn allow him to take control of an affected system.

More specifically, the problem is related to an input validation issue with JavaScript usage in either product. Indeed, JavaScript can be embedded in PDF files, so a JavaScript problem need not necessarily be browser-based.

SecurityFocus said the issue could be related to another earlier reported flaw late last month which involved a remote denial-of-service issue. At the time it was not known if code execution would be possible. That flaw affected similar versions of Adobe Reader.

Add a Comment (13 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

Name (required):

E-mail (required):

Enter Your Comment:

By Scary Guy

posted Jun 25, 2008 - 1:25 PM

Noscript extension for Firefox = awesome

Also I still hate PDF for being a proprietary format.

Score: 0

By mjm01010101

posted Jun 24, 2008 - 1:44 PM

http://www.adobe.com/sup...s/detail.jsp?ftpID=3967

Score: 0

By mjm01010101

posted Jun 24, 2008 - 1:48 PM

I just tried this patch and it doesn't do anything after install. Doesn't show up in add/remove programs either...

Score: 0

By spiked

posted Jun 24, 2008 - 6:17 PM

Adobe is calling this "Security Update 1" and leaving the product version at 8.1.2, so the existing Add/Remove entry for 8.1.2 is all that you will see. You cannot remove SU1 without removing 8.1.2 completely. You can tell that SU1 is installed by looking at the value named VersionSU in the registry key HKLM\SOFTWARE\Adobe\Adobe Acrobat\8.0\Installer and/or HKLM\SOFTWARE\Adobe\Adobe Reader\8.0\Installer (depending on whether you've got full Acrobat and/or the Reader). The value will be missing if SU1 is not installed, or 1 if installed. Presumably, it could be bumped to 2 if they do another SU for 8.1.2.

The Annots.api file (a plug-in) is updated to build 215 (version 8.1.2.215). This is the only real change to the application code. There are some other changes made to your system by the patch but their purpose is just to adjust the Windows Installer database so that a "repair" will not revert Annots.api to the vulnerable release.

Score: 0

By mjmarshall

posted Jun 25, 2008 - 1:34 AM

I don't understand why they didn't just bump the version to 8.1.3 (even for this small fix) - far less confusing, and it hints to 8.1.2 users that they're not "up-to-date".

Score: 0

By mjm01010101

posted Jun 24, 2008 - 9:11 PM

Sloppy. Why no confirmation of the patch? It just disappears...

Score: 0

By pnutts

posted Jun 24, 2008 - 10:40 PM

What do you want? It requires a click to dismiss the dialoge box after install. And the previous poster gave you instructions on how to verify.

Score: 0

By mjm01010101

posted Jun 25, 2008 - 1:11 PM

Well, As I suspected the update is broken. After I apply it Acrobat still wishes to update using the auto-update mechanism.

Score: 0

By Paul Skinner

edited Jun 24, 2008 - 12:08 PM

"Adobe categorizes this as an critical issue and recommends affected users update their installations," Adobe said in an advisory today."

It an critical. They has fail!

Also: what security update? Doesn't seem to be available through the update feature in Adobe Reader.

Score: 0

By pnutts

posted Jun 24, 2008 - 10:41 PM

It is as of 7:40 PM PT.

Score: 0

By Paradise-FH-

posted Jun 24, 2008 - 3:57 PM

yes adobe is very clearly a cat with a slice of american cheese on its head.

Score: 0

By Paul Skinner

posted Jun 24, 2008 - 4:12 PM

LOL
CAT

/please excuse me

Score: 0

By eoswald

posted Jun 24, 2008 - 5:13 PM

I can't help Adobe's grammar is bad, I quote it as we see it. But we will edit their grammar just for you Paul. :)

Score: 0

Nov 21 - 6:51 PM ET Coalition urges better laws for e-mail and cell phone privacy

Nov 21 - 6:42 PM ET How is Internet advertising faring in this bad economy?

Nov 21 - 6:15 PM ET From out of the Amazon Cloud, an AWS winner emerges

Nov 21 - 5:20 PM ET Mufin music finder enters public beta, adds widgets

Nov 21 - 5:01 PM ET Google launches its SearchWiki semantics plug-in

Nov 21 - 4:57 PM ET Asus previews a slimmer, less costly Eee PC

Nov 21 - 4:32 PM ET New Adobe Media Player ushers in AIR 1.5

Nov 21 - 2:11 PM ET AT&T to add Pantech's low-cost C630 phone to 3G lineup

Nov 21 - 1:11 PM ET iPhone gets firmware 2.2 update

Nov 21 - 11:51 AM ET The Dell surprise: Higher earnings on lower revenue