RSSAdobe Acrobat JavaScript flaw exploit in the wild
By Ed Oswald | Published June 24, 2008, 11:57 AM
Computer researchers at Johns Hopkins University have discovered a flaw within most recent version of Adobe's Reader and Acrobat software applications that could allow hackers to take control of vulnerable systems.
"Adobe categorizes this as an critical issue and recommends affected users update their installations," Adobe said in an advisory today.
There are reports that the exploit is in the wild, which both Adobe and security firm Secunia appear to be taking seriously.
The problem affects Acrobat and Reader versions 7.0.9 and earlier, as well as versions 8.0 through 8.1.2. Adobe disclosed the vulnerability on Monday in conjunction with the release of a security update for the current version, which is 8.1.2.
Users of version 7.1 are not affected by the vulnerability, and Adobe says Acrobat and Reader 9 which are due out in July are also immune.
According to a security bulletin by SecurityFocus, user input is not sanitized correctly. Essentially, an attacker could launch code remotely, which would in turn allow him to take control of an affected system.
More specifically, the problem is related to an input validation issue with JavaScript usage in either product. Indeed, JavaScript can be embedded in PDF files, so a JavaScript problem need not necessarily be browser-based.
SecurityFocus said the issue could be related to another earlier reported flaw late last month which involved a remote denial-of-service issue. At the time it was not known if code execution would be possible. That flaw affected similar versions of Adobe Reader.
Noscript extension for Firefox = awesome
Also I still hate PDF for being a proprietary format.
Score: 0
|http://www.adobe.com/sup...s/detail.jsp?ftpID=3967
Score: 0
|I just tried this patch and it doesn't do anything after install. Doesn't show up in add/remove programs either...
Score: 0
|Adobe is calling this "Security Update 1" and leaving the product version at 8.1.2, so the existing Add/Remove entry for 8.1.2 is all that you will see. You cannot remove SU1 without removing 8.1.2 completely. You can tell that SU1 is installed by looking at the value named VersionSU in the registry key HKLM\SOFTWARE\Adobe\Adobe Acrobat\8.0\Installer and/or HKLM\SOFTWARE\Adobe\Adobe Reader\8.0\Installer (depending on whether you've got full Acrobat and/or the Reader). The value will be missing if SU1 is not installed, or 1 if installed. Presumably, it could be bumped to 2 if they do another SU for 8.1.2.
The Annots.api file (a plug-in) is updated to build 215 (version 8.1.2.215). This is the only real change to the application code. There are some other changes made to your system by the patch but their purpose is just to adjust the Windows Installer database so that a "repair" will not revert Annots.api to the vulnerable release.
Score: 0
|Sloppy. Why no confirmation of the patch? It just disappears...
Score: 0
|What do you want? It requires a click to dismiss the dialoge box after install. And the previous poster gave you instructions on how to verify.
Score: 0
|I don't understand why they didn't just bump the version to 8.1.3 (even for this small fix) - far less confusing, and it hints to 8.1.2 users that they're not "up-to-date".
Score: 0
|Well, As I suspected the update is broken. After I apply it Acrobat still wishes to update using the auto-update mechanism.
Score: 0
|"Adobe categorizes this as an critical issue and recommends affected users update their installations," Adobe said in an advisory today."
It an critical. They has fail!
Also: what security update? Doesn't seem to be available through the update feature in Adobe Reader.
Score: 0
|yes adobe is very clearly a cat with a slice of american cheese on its head.
Score: 0
|LOL
CAT
/please excuse me
Score: 0
|I can't help Adobe's grammar is bad, I quote it as we see it. But we will edit their grammar just for you Paul. :)
Score: 0
|It is as of 7:40 PM PT.
Score: 0
|