Adobe tackles risky holes in Acrobat, Reader

Software maker issues "highly critical" updates for Reader, Acrobat versions to fix flaws that could allow PC hijacks.

Dawn Kawamoto Former Staff writer, CNET News

Dawn Kawamoto covered enterprise security and financial news relating to technology for CNET News.

Dawn Kawamoto

Jan. 11, 2007 6:35 a.m. PT

Adobe Systems has issued updates to fix security flaws in its Reader and Acrobat software that could allow an attacker to remotely commandeer a computer.

The vulnerabilities affect Adobe Reader and Adobe Acrobat Standard, Professional and Elements versions 7.0.8 and earlier, as well as Adobe Acrobat 3D, Adobe said in its advisory. Secunia rated the Reader flaw as "highly critical."

The version 7.0.9 updates issued Tuesday are designed to address holes that could allow outsiders to gain access to hard-disk drives via a malicious link that targets PDF files on vulnerable computers.

The attackers could then take the compromised system and read and delete files, execute programs and forward information from the computer.

Adobe recommends that Reader users upgrade to Reader 8, the most recent major version, to fix the problem. Those whose computer systems are not compatible, or who do not want to move to version 8 can install Tuesday's 7.0.9 version instead.

That means people will have to do a full installation of a software version to protect their computers. Typically, companies will provide a patch to fix security holes--a less time-consuming process--but Adobe has not done that in this case.

The 7.0.9 update is slightly larger than a patch, an Adobe representative said. The company was already working on the update when it added the security features, so Adobe was able to get out a full installation faster than it would for just a patch, the representative added.