Adobe Patches Acrobat, Reader for Zero-Day Flaw

With the PDF format pervasive across the Web, Adobe’s Acrobat and Acrobat Reader remain among the most commonly installed applications, since they are the most popular ways to interact with PDFs, a format Adobe originated. But for the last two months, Acrobat and Reader users have been exposed to a vulnerability that could potentially let an attacker take over a system.

That issue is now solved — almost.

Late on Tuesday, Adobe (NASDAQ: ADBE) issued a patched version of Reader and Acrobat version 9 for Windows and Apple Macs, updating both to version 9.1. Linux and Unix users of Adobe’s Reader and Acrobat are still without a patch, however.

Additionally, Adobe has not issued a simultaneous update for earlier versions of Reader or Acrobat on any platform.

“Adobe is planning to make available updates for Adobe Reader 7 and 8, and Acrobat 7 and 8, by March 18,” Adobe stated in its advisory. “In addition, Adobe plans to make available Adobe Reader 9.1 for Unix by March 25.”

An Adobe spokesperson was not immediately available for comment.

Adobe describes the zero-day flaw in its advisory as triggering an application crash that could potentially enable an attacker to take control of users’ systems. Adobe also added that there are reports that the vulnerability is being exploited.

Security firm Secunia describes the flaw in more detail, indicating that it’s related to a JavaScript function call and possibly an embedded JBIG2 image stream. Secunia also said the Trojan.Pidief.E malware has been able to exploit the flaw.

One workaround that Adobe had suggested was to disable JavaScript in Reader and Acrobat. According to at least one security researcher, that measure may be worth making standard practice.
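Both points above, that the flaw involves a JavaScript call and possibly an embedded JBIG2 image stream, and that JavaScript in PDFs is a risk worth treating as off by default, lend themselves to a simple defender-side triage check. The script below is an added example written for this article, not code from Adobe or Secunia. It counts the PDF name tokens that these reports mention (`/JavaScript`, `/JS`, `/JBIG2Decode`, plus `/OpenAction` and `/AA`, which are the dictionaries that make scripts run automatically), resolves `#xx` name escapes so that an obfuscated `/J#53` still matches, and inflates FlateDecode streams so indicators hidden in compressed object streams are visible. The indicator list and the sample PDF are my own constructions; a hit means "look closer" for a mail gateway or incident responder, not confirmed exploitation, and the scanner deliberately does not implement other PDF filters or a full parser.

```python
import re
import sys
import zlib

# Indicator names taken from the article's description of the flaw and the
# workaround. /OpenAction and /AA are where a PDF hooks JavaScript to run on
# open; their presence alone is not malicious (assumption: triage list only).
INDICATORS = (b"/JavaScript", b"/JS", b"/JBIG2Decode", b"/OpenAction", b"/AA")

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Resolve PDF name escapes such as /J#53 -> /JS so obfuscated names match."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every stream that zlib can decompress.

    We try every stream rather than trusting the /Filter entry, because the
    filter name itself may be escaped or misspelt to dodge naive scanners.
    """
    extra = []
    for m in STREAM_RE.finditer(data):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not FlateDecode (or corrupt); other filters are out of scope here
    return data + b"\n" + b"\n".join(extra)


def scan_pdf(data: bytes) -> dict:
    """Return {indicator: count} over the raw file plus its inflated streams.

    Inflate first, then normalize: rewriting #xx escapes before inflating would
    corrupt the compressed bytes.
    """
    text = normalize_names(inflate_streams(data))
    counts = {}
    for ind in INDICATORS:
        # Negative lookahead keeps /JS from matching unrelated names like /JSX.
        pattern = re.escape(ind) + rb"(?![A-Za-z0-9])"
        counts[ind.decode()] = len(re.findall(pattern, text))
    return counts


def suspicious(counts: dict) -> bool:
    """Triage rule (assumption): any JavaScript or any JBIG2 image warrants a look."""
    return (counts["/JavaScript"] + counts["/JS"]) > 0 or counts["/JBIG2Decode"] > 0


def build_sample() -> bytes:
    """Constructed sample, not a real exploit: a tiny PDF with a JavaScript
    OpenAction, a JBIG2-filtered image object, and a Flate-compressed object
    stream that hides an escaped /J#53 name."""
    hidden = zlib.compress(b"<< /S /JavaScript /J#53 (app.alert(1)) >>")
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
        b"3 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
        b"4 0 obj << /Type /XObject /Subtype /Image /Filter /JBIG2Decode"
        b" /Width 1 /Height 1 /Length 1 >> stream\n\x00\nendstream endobj\n"
        b"5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
        + str(len(hidden)).encode() + b" >> stream\n" + hidden + b"\nendstream endobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    # Usage: python scan.py file.pdf   (with no argument, scans the built-in sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    result = scan_pdf(data)
    for name, n in result.items():
        print(f"{name:14} {n}")
    print("SUSPICIOUS" if suspicious(result) else "no indicators")
```

On the constructed sample the raw file yields one `/JavaScript`, one `/JS`, one `/JBIG2Decode` and one `/OpenAction`; inflating the object stream adds a second `/JavaScript` and, after escape resolution, a second `/JS`. A scanner that only grepped the raw bytes would have missed both of those.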

“Given that JavaScript in Adobe Acrobat has had its own share of vulnerabilities in the past, it seems reasonable to turn it off by default,” Wolfgang Kandek, CTO at security vendor Qualys, said. “I have now been running without JavaScript in my Adobe Reader for months and I have not noticed any adverse effects in my typical office-oriented usage. In my opinion this is now becoming a best-practice security setting that should only be relaxed based on end-user needs.”

Though Kandek found a workaround, and vendors such as Qualys have provided protection against the flaw, he said he remained critical of the time it took Adobe to issue a patch.

“Adobe was first notified of the problem in January and has been working for the last two months to develop and test the patch, and is finally ready to get it out to its users,” Kandek said. “Two months seems to be a rather long time to address the issue and it makes me wonder whether Adobe has a setup to react to security flaws in an out-of-band manner, rather than through normal product cycles.”

“Vulnerabilities of such magnitude need to be handled by a dedicated team that has the resources to quickly develop and deploy a fix,” he added.

The previous Adobe Reader updates came in November 2008 and also dealt with a number of JavaScript-related issues.
