A critical security hole in Adobe Reader could allow an attacker to take control of a computer, according to Core Security Technologies.
The vulnerability affects version 8.1.2 of Reader, Core Security said in a statement issued on Tuesday to coincide with Adobe's planned release of a security update to fix the vulnerability.
An attacker could put malicious code in JavaScript embedded in a PDF and spread that via a website or email. Once the file is opened, the code could manipulate the program's memory allocation pattern and trigger the vulnerability to execute arbitrary code with the privileges of the user.
Damian Frizza, a CoreLabs researcher, discovered the vulnerability in May while he was investigating a similar vulnerability in a different PDF viewer application called Foxit Reader. Core Security immediately reported the new hole to Adobe.
Adobe representatives did not return a call seeking comment on Monday.
The complexity of desktop software increases the chances of applications having bugs that result from the implementation of the software, said Ivan Arce, chief technology officer of Core Security.
"We've seen similar vulnerabilities in JavaScript engines in Adobe software in the past and in other applications," he said. "It's difficult to avoid implementation bugs like this one."
The fact both PDF Readers have the same bug indicates that even though vendors are building products with different technologies and code bases, they ought to check for such bugs in their applications when rival software is found to be vulnerable, Arce said.
Talkback
Here's a timely reminder that it's more than Microsoft applications that need to be patched. A robust heterogenous patch management solution as part of a comprehensive vulnerability management solution, that identifies outstanding vulnerabilities across the entire infrastructure and then automatically remediates them provides an effective operational advantage in mitigating this type of security risk and meeting internal security compliance requirements.