Apr 28 2009

Alert: More Adobe Reader flaws surface

Published at 21:52 under Alerts, Software Updates

Here we go again.

Security researchers have turned up a couple more vulnerabilities in Adobe Reader (and in Adobe Acrobat, for those of you running the full, pay-for package). These flaws permit running arbitrary code on a target system without the user’s knowledge. An attacker triggers them by tricking a victim into opening a maliciously crafted, JavaScript-enabled PDF document: typically an email attachment or a document served up on an infected web site.

First off, ensure Adobe Reader/Acrobat is up to date. This will plug the holes fixed in the last round of updates. Check the Adobe Reader (or Acrobat) version by clicking on the Help menu and then choosing “About…” (If there are two “About” options, use the one that refers to Reader/Acrobat, not the one that says something about plug-ins.) For Reader 9 and Acrobat 9, the version displayed should be 9.1 or later; for Reader/Acrobat 8, it should be at least 8.1.3.

If the program is out of date, the easiest way to fix this is to again select the Help menu, but choose “Check for Updates…” This will download and install the appropriate updates.

For versions older than 8, it’s time to upgrade to the latest release.

Next, disable Adobe Reader/Acrobat JavaScript. Launch the program, click on the Edit menu and select “Preferences…” In the left pane of the Preferences window, choose “JavaScript”; to the right, near the top, un-check (clear) the box labeled “Enable Acrobat JavaScript”. Click OK.

Even after this next round of bugs is patched, it is probably best to leave JavaScript disabled. It’s a potential vulnerability and rarely, if ever, used.
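For anyone who screens attachments before they reach a desktop, the following is an added example (not part of the original post) of flagging a PDF that carries JavaScript by looking for the PDF name tokens `/JavaScript`, `/JS`, `/OpenAction` and `/AA`, including names disguised with `#xx` hex escapes. It assumes the tokens sit in uncompressed objects; it does not decompress object streams, and the two sample documents are constructed for illustration.

```python
import re

# PDF name tokens that mark embedded script or actions that run automatically.
SUSPECT_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")

# Inside a PDF name, "#xx" is a hex-escaped byte (e.g. /J#61vaScript).
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A name is "/" followed by characters that are neither whitespace nor delimiters.
_NAME = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")


def normalize_name(raw: bytes) -> bytes:
    """Decode #xx escapes so an obfuscated name compares equal to its plain form."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_pdf(data: bytes) -> dict:
    """Count suspect name tokens in the raw bytes of a PDF."""
    counts = {name.decode(): 0 for name in SUSPECT_NAMES}
    for match in _NAME.finditer(data):
        name = normalize_name(match.group(0))
        if name in SUSPECT_NAMES:
            counts[name.decode()] += 1
    return counts


def has_javascript(data: bytes) -> bool:
    """True when the document declares a JavaScript action or script body."""
    counts = scan_pdf(data)
    return counts["/JavaScript"] > 0 or counts["/JS"] > 0


# Constructed sample: a plain catalog with no script.
BENIGN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"

# Constructed sample: an open action pointing at a JavaScript action whose
# name is hex-escaped; the script body is a harmless placeholder string.
SCRIPTED = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /JS (placeholder) >>\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("scripted", SCRIPTED)):
        print(label, has_javascript(doc), scan_pdf(doc))
```

A hit is a reason to hold the file for review, not proof of malice, and a miss does not clear a file whose objects are compressed.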


One Response to “Alert: More Adobe Reader flaws surface”

  1. [...] Adobe is patching Reader/Acrobat to fix yet another problem associated with embedded JavaScript. This issue, as well as a work-around, was discussed in an earlier post here. [...]
