Adobe Issues Patch for PDF-related Vulnerability
By Scott M. Fulton, III, BetaNews
October 22, 2007, 4:01 PM
It turned out not to be Adobe's problem in the first place: a vulnerability that enabled JavaScript code within a specially crafted URL to run unchecked and launch any executable code. When Petko D. Petkov of GNUCitizen.org discovered the problem, it appeared to have been triggered directly by Adobe Acrobat or Adobe Reader.
As it turned out, Windows XP and Internet Explorer 7 have a little difficulty with parsing filenames that contain percent signs (%). A maliciously crafted URL that points to a PDF file can have XP launch executable code after it launches the reader for the PDF file. While it wasn't Acrobat or Reader that triggered the launch, a fix from Adobe issued today purports to thwart the launch, keeping the system secure.
Today's updates work with version 8 of the reader software. In its advisory to users today, Adobe said a future update will be made available for version 7.





