Exploits plague Adobe Reader and Acrobat

By Rafe Needleman on 12 February 2008

Over the weekend, security vendor iDefense reported three specific exploits affecting a fully patched version of Adobe Acrobat and Reader 8.1 running on Windows.

In each of the cases, the attacker would need to have the users open a specially crafted PDF file delivered via an e-mail attachment or linked from a Web site. In response, Adobe has released a security update, Adobe Acrobat and Reader 8.1.2.

The Adobe Reader and Acrobat JavaScript insecure method exposure vulnerability affects users of Adobe Reader 8.1 on Windows XP SP2 and is to be further detailed in CVE-2007-5663. According to iDefense, "an insecure method exposed by the JavaScript library in Adobe Reader and Acrobat could allow an attacker to execute arbitrary code on a compromised machine. One of the methods exposed allows direct control over low level features of the object, which in turn allows execution of arbitrary code. In order to exploit this vulnerability, an attacker would have to convince the targeted user to open a maliciously constructed file."

The Adobe Reader and Acrobat Multiple Stack-based Buffer Overflow Vulnerabilities also affects users of Adobe Reader 8.1 on Windows XP SP2 and is to be detailed in CVE-2007-5659. According to iDefense, "exploitation of multiple stack-based buffer overflows in JavaScript methods in Adobe Reader and Acrobat could allow an attacker to execute arbitrary code as the current user. In order to exploit these vulnerabilities, an attacker would have to convince a targeted user to open a maliciously constructed file."

The Adobe Reader Security Provider Unsafe Libary Path Vulnerability affects users of Adobe Reader 8.1 installed on both Windows XP and Windows Vista and is to be detailed in CVE-2007-5666. According to iDefense, "an unsafe library path vulnerability in Adobe Systems' Adobe Reader may allow attackers to execute arbitrary code as the current user. Exploitation allows an attacker to execute arbitrary code as the user that started the application. To exploit this vulnerability, the attacker must convince the targeted user to open a PDF from a directory under their control."

In response, Adobe has issued an update for Adobe Reader and Acrobat 8.01. An update for Adobe Reader and Acrobat 7.0.9 is not currently available, although Adobe said it does plan to release one later.

E-mail this
Share this...
- del.icio.us
- digg this
- Reddit
- Slashdot
- StumbleUpon
Print this

Join CNET.com.au Free newsletters, post to forums and win prizes. Join now - it's free and easy!

Related links

Adobe Acrobat 8 Professional

For composing long PDF packages at an office that requires security and wants to use the new digital forms, Acrobat 8's got the goods, but it's overkill if you only seek to make short PDF files.
Make your own PDF: Nitro PDF vs. Adobe Acrobat 7.0

To offer print-ready forms, brochures, and booklets on a Web site, you must create documents in the portable document format (PDF).
Glossary of Internet security terms

We've created a glossary of the most common terms relating to Internet security to help CNET.com.au users navigate the dangers from A to Z.
A CNET FAQ on the Kama Sutra worm

There's a computer worm set to damage computer system starting midnight local time on February 3, 2006.

User comments
Leave a comment

Be the first to comment on this article!

Leave a comment

News
Features
Oi!
Popular
Must read

Free Speed: Make your Mac faster

AU$2,000 worth of performance for free? Yes please!
Apple fixes security issues with QuickTime 7.5

Latest QuickTime security updates address security issues that affect Mac and Windows users of the Apple media player.
Cyberattack alert service helps Aussies Stay Smart

The Federal government has launched a new security alert service for small business and home users, aimed at helping Australians protect themselves from cyberattack.
Bosses can snoop on staff e-mails 'to fight terror'

The Greens and privacy advocates have hit back against proposed laws to allow companies to snoop on their workers' e-mails, but Deputy Prime Minister Julia Gillard has said the laws are needed to protect vital electronic infrastructure from terrorist attacks.
'Lighter' Norton 360 V2.0 takes aim at the Web

"Lighter" is the key word Symantec hopes customers will feel when installing Norton 360 version 2.0, which is the company's security and backup system for small business and home users that was launched today.
AFL teams a danger on the Web: Google

Google has flagged the Web sites of 10 AFL clubs as potentially dangerous, preventing visitors from accessing the teams' sites via the search engine.
Secure Internet stored in your pocket

CSIRO scientists have developed a device that will allow people to work on any computer without having to worry about whether it contains Internet viruses or trojans.
Exploits plague Adobe Reader and Acrobat

In response to three specific exploits, Adobe releases a new version of both Acrobat and Reader.
Apple updates iPhoto 7.1.2 with a security fix

A new security update is available for Mac OS X users running the program that's part of iLife 08.

More news »

St Patrick's Day downloads

Get into the March 17 spirit with this collection of Irish-themed downloads.
Microsoft TechFest 2008: A glimpse into the future

Each year Microsoft holds its Techfest show, an exhibition of some of the research projects it's working on. CNET.com.au went to check out where the future lies.
The secure Mac: myth or legend?

Apple computers have built a solid reputation on being virus-free, but is the reality different from the image?
Five net nasties and how to avoid them

From fraudster frogs on Facebook to dodgy music downloads: we look at five ways your data can be compromised online and how to stay safe from the scamsters.
Photos: Apple unveils new iMacs

Steve Jobs shows off sleek desktops and a big upgrade to its home media suite, especially the iMovie app.
Best free Windows Mobile software

You dig your Windows Mobile device, but you'll love it more when it's loaded up with free software for entertainment, security and work. Find the best and brightest free downloads for your faithful handheld.
Plan the perfect wedding

We can't banish those pesky in-laws, but this collection of software can help ease those wedding planning blues.
CNET 2007 antivirus performance test scores

We hit the CNET Labs to compare the performance of antivirus apps.
Spyware Central: Glossary

Definitions for commonly used spyware terms.

More features »

Oi!: Brand Tags' clouds cut through marketing hype

CEOs and marketing types talk about improving or maintaining "brand values" all the time. But what do we really think of the companies that deliver us our modern existence? The site Brand Tags is attempting to find out.
Oi!: Norton AntiVirus gets a spotty update

Symantec has released Norton AntiVirus 11 for Mac OS X Leopard.
Oi!: Norton 360 -- old dog with new tricks

While it remains to be seen whether or not customers will embrace the higher than average cost for extra features, for users after a total security package, Norton 360 certainly offers something new in a market full of old dogs.
Oi!: Soccer stats and more...

QlikTech's launched a Web-based analysis tool with info on all the World Cup teams and players, including goals, penalties, team rosters and more.

More oi! »

Best free Windows Mobile software

You dig your Windows Mobile device, but you'll love it more when it's loaded up with free software for entertainment, security and work. Find the best and brightest free downloads for your faithful handheld.
Killer Downloads: Best antivirus software for your home PC

If your PC doesn't have virus protection, you're playing with fire. Jason Parker picks his three favourite antivirus utilities--and one's even free!
Is your PC a drug mule?

Today, criminals are making more money from cybercrime than from drug-related crime. But before you ask what's being done about that, maybe you should see what's running inside your own computer.
10 things to do before installing Vista

Windows Vista's enhanced functionality and snazzy Aero Glass visual effects will demand steeper hardware requirements for the machines you support. Check this list to make sure you cover all the bases before deciding what Vista versions those machines will be able to run.
Playing it safe with Windows Vista

Microsoft wants to sell Web sites and businesses on security checks of customer PCs. That may not go over so well.
Microsoft tries to stop Vista piracy monster

Microsoft has issued an update to Windows Vista that's intended to stop a piracy monster.
Microsoft speeds up phishing shield for IE7

Microsoft has quietly released an update for Internet Explorer that fixes a problem with the browser's phishing shield.
Secure your mobile wireless device

Worried about malware attacks on your mobile device? Discover software and tips to stop gate-crashing spyware, viruses, and thieves in their tracks.
'Storm worm' rages across the globe

"Storm worm", one of the larger Trojan horse attacks in recent years, is baiting people with timely information about a deadly, real-life storm front, security researchers said last week.

Latest reviews
Popular
Editors' choice

Ad-Aware 2008

This year's update to user favourite Ad-Aware is quite a significant overhaul, and the result is faster scan times and a new interface.
AVG Internet Security 8.0

AVG Internet Security 8.0 provides strong protection against malicious Web sites, but its full-system scans sometimes tax system resources and produce false positives.
Sunbelt CounterSpy 2.0

In its first appearance, CounterSpy was the only antispyware product that correctly identified every piece of spyware in our current active-detection test.
Ad-Aware 2007

Lavasoft Ad-Aware 2007 came in dead last in our CNET antispyware testing. Ad-Aware failed to detect half of the test spyware, and unlike nine out of the 10 other antispyware apps we reviewed in December 2007, left behind traces for all but one spyware.
Norton Internet Security 2008

While Symantec's protection is solid, the overall user experience within Norton Internet Security 2008 could be much, much better. Not all the features work together and use fewer system resources.

More reviews »

Norton 360

For home and student use, we think Norton 360 represents the best value for ease of use, tools offered, and overall system performance.
Norton Internet Security 2008

While Symantec's protection is solid, the overall user experience within Norton Internet Security 2008 could be much, much better. Not all the features work together and use fewer system resources.
System Mechanic 7 Professional

System Mechanic 7 Professional goes beyond its original greatness, morphing a system utility suite into a kind of grand security suite. As such, it comes up short.
McAfee Internet Security Suite 2008

McAfee Internet Security 2008 trounces Norton Internet Security 2008, offering a better designed product with more security tools.
ZoneAlarm Internet Security Suite 7

ZoneAlarm Internet Security Suite 7 provides the perfect balance between best-of-breed security protection and ease of use, providing the home user with superior protection that's light on system resources.

More popular reviews »

Sunbelt CounterSpy 2.0

In its first appearance, CounterSpy was the only antispyware product that correctly identified every piece of spyware in our current active-detection test.
Kaspersky Anti-Virus 7

Kaspersky Anti-Virus 7 continues to outshine its competition with its ease of use combined with thorough antivirus protection.
Norton 360

For home and student use, we think Norton 360 represents the best value for ease of use, tools offered, and overall system performance.
Kaspersky Anti-Virus 6

Kaspersky Anti-Virus 6 is light and fast and consistently wins detection awards against the competition; it's worthy of our Editors' Choice designation.
ZoneAlarm Internet Security Suite 6.5

In the boldest security-software move we've seen, ZoneAlarm Internet Security Suite 6.5 has partnered with an identity management solutions provider to provide both offline and online identity-theft protection, making this suite well worth the price.

More editors' choice »

Membership benefits

Contact community members

Add friends or tech gurus to you contacts and send them messages. Sign up for a free CNET.com.au membership now!

Exploits plague Adobe Reader and Acrobat

Adobe Acrobat 8 Professional

Make your own PDF: Nitro PDF vs. Adobe Acrobat 7.0

Glossary of Internet security terms

A CNET FAQ on the Kama Sutra worm

What do you think

News

Features

Oi!

Popular

Must read

20 essential free downloads

Spyware central

Create your own podcast

Parents' guide to online safety

How to avoid scams

Surf securely

Find the right software

Latest reviews

Popular

Editors' choice

Membership benefits

News & reviews

Latest forum posts

Subscribe to CNET.com.au

Services

Exploits plague Adobe Reader and Acrobat

What do you think

document.write('<a href="javascript:void(0)">') <a href="#tab-news-latest-content"> News

document.write('<a href="javascript:void(0)">') <a href="#tab-news-features-content"> Features

document.write('<a href="javascript:void(0)">') <a href="#tab-news-oi-content"> Oi!

document.write('<a href="javascript:void(0)">') <a href="#tab-news-popular-content"> Popular

document.write('<a href="javascript:void(0)">') <a href="#tab-news-mustread-content"> Must read

Find the right software

document.write('<a href="javascript:void(0)">') <a href="#tab-reviews-latest-content"> Latest reviews

document.write('<a href="javascript:void(0)">') <a href="#tab-reviews-popular-content"> Popular

document.write('<a href="javascript:void(0)">') <a href="#tab-reviews-edc-content"> Editors' choice

What's hot on CNET.com.au

Services

News

Features

Oi!

Popular

Must read

Latest reviews

Popular

Editors' choice