Exploits plague Adobe Reader and Acrobat

In response, Adobe releases a new version of both Acrobat and Reader.

Robert Vamosi Former Editor

As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.

See full bio

Robert Vamosi

Feb. 11, 2008 1:28 p.m. PT

2 min read

Over the weekend, security vendor iDefense reported three specific exploits affecting a fully patched version of Adobe Acrobat and Reader 8.1 running on Windows. In each of the cases, the attacker would need to have the users open a specially crafted PDF file delivered via an e-mail attachment or linked from a Web site. In response, Adobe has released a security update, Adobe Acrobat and Reader 8.1.2.

The Adobe Reader and Acrobat JavaScript insecure method exposure vulnerability affects users of Adobe Reader 8.1 on Windows XP SP2 and is to be further detailed in CVE-2007-5663. According to iDefense, "an insecure method exposed by the JavaScript library in Adobe Reader and Acrobat could allow an attacker to execute arbitrary code on a compromised machine. One of the methods exposed allows direct control over low level features of the object, which in turn allows execution of arbitrary code. In order to exploit this vulnerability, an attacker would have to convince the targeted user to open a maliciously constructed file."

The Adobe Reader and Acrobat Multiple Stack-based Buffer Overflow Vulnerabilities also affects users of Adobe Reader 8.1 on Windows XP SP2 and is to be detailed in CVE-2007-5659. According to iDefense, "exploitation of multiple stack-based buffer overflows in JavaScript methods in Adobe Reader and Acrobat could allow an attacker to execute arbitrary code as the current user. In order to exploit these vulnerabilities, an attacker would have to convince a targeted user to open a maliciously constructed file."

The Adobe Reader Security Provider Unsafe Libary Path Vulnerability affects users of Adobe Reader 8.1 installed on both Windows XP and Windows Vista and is to be detailed in CVE-2007-5666. According to iDefense, "an unsafe library path vulnerability in Adobe Systems' Adobe Reader may allow attackers to execute arbitrary code as the current user. Exploitation allows an attacker to execute arbitrary code as the user that started the application. To exploit this vulnerability, the attacker must convince the targeted user to open a PDF from a directory under their control."

In response, Adobe has issued an update for Adobe Reader and Acrobat 8.01. An update for Adobe Reader and Acrobat 7.0.9 is not currently available, although Adobe said it does plan to release one later.