Adobe has updated Adobe Reader and Adobe Acrobat to fix a serious JavaScript flaw affecting Windows, Mac, Linux and Unix, after code to exploit the bug was released on the internet.
As promised, the company sent out a security advisory on Tuesday with fixes for the vulnerability, and also patched a second flaw affecting Unix only. Security firm Secunia gave the flaws a "highly critical" ranking.
Adobe acknowledged on 27 April that proof-of-concept code for the flaws was circulating. The code was first published on the security website Packetstorm.
However, Adobe said in a blog post on Tuesday that it was not aware of any attacks actively exploiting the proof-of-concept code.
Both bugs could be exploited via a specially crafted PDF file to crash the affected applications or take control of a user's system, Adobe said in its advisory.
The first bug, affecting the broader range of platforms, involves the way Reader and Acrobat process calls to the JavaScript method "getAnnots()", and can be used to corrupt memory, according to Adobe.
The second bug, affecting only Unix, involves the way calls to the "customDictionaryOpen()" JavaScript method (a method of the spell object in the Acrobat JavaScript API) are processed.
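Because both bugs are reached only through embedded JavaScript, a mail gateway or sandbox can triage incoming PDFs by looking for a JavaScript action and for the two method names. The scanner below is an added example (not Adobe's or any vendor's code): it decodes the `#xx` hex escapes PDF allows in names, inflates Flate-compressed streams so a script hidden in a compressed object is seen, and reports which trigger keys and method names appear. The sample PDFs are constructed for the demo and contain only harmless calls; they are not exploit files.

```python
"""Heuristic scanner for PDFs carrying JavaScript that references the
getAnnots() or customDictionaryOpen() methods named in Adobe's advisory.
Added example with constructed sample PDFs; not code from the original article."""
import re
import zlib

# Method names from the advisory.  customDictionaryOpen lives on the spell
# object (spell.customDictionaryOpen); matching the bare name covers both forms.
JS_METHODS = (b"getAnnots", b"customDictionaryOpen")


def decode_name_escapes(data: bytes) -> bytes:
    """PDF names may hex-escape any character, so /J#61vaScript == /JavaScript.
    Normalising them defeats the simplest evasion of a literal grep."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Concatenate the contents of every Flate-compressed stream: a script stored
    in a compressed object is invisible to a scan of the raw file bytes."""
    out = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.DOTALL):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # uncompressed or differently filtered; raw bytes are scanned anyway
    return b"\n".join(out)


def scan_pdf(data: bytes) -> dict:
    """Return trigger keys, method names and a verdict for one PDF's bytes."""
    text = decode_name_escapes(data) + b"\n" + inflate_streams(data)
    has_js = re.search(rb"/(JavaScript|JS)\b", text) is not None
    # /OpenAction runs on document open, /AA (additional actions) on page/field events:
    # either lets the script run without the user clicking anything.
    triggers = sorted({m.group(0).decode() for m in re.finditer(rb"/(OpenAction|AA)\b", text)})
    methods = sorted(m.decode() for m in JS_METHODS if m in text)
    if methods:
        verdict = "block"    # script references a method named in the advisory
    elif has_js:
        verdict = "review"   # JavaScript present; obfuscated scripts will not match above
    else:
        verdict = "allow"
    return {"has_javascript": has_js, "triggers": triggers, "methods": methods, "verdict": verdict}


def _pdf(catalog_extra: bytes, page_extra: bytes, objects: bytes) -> bytes:
    """Constructed minimal PDF skeleton used as test data (no xref table; enough for a grep)."""
    return (b"%PDF-1.4\n"
            + b"1 0 obj << /Type /Catalog /Pages 2 0 R " + catalog_extra + b" >> endobj\n"
            + b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            + b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] " + page_extra + b" >> endobj\n"
            + objects
            + b"trailer << /Root 1 0 R >>\n%%EOF\n")


# Constructed samples (harmless scripts, not exploit files).
BENIGN_PDF = _pdf(b"", b"", b"")

# Page-open action with a clear-text script calling getAnnots().
PLAIN_JS_PDF = _pdf(b"", b"/AA << /O 4 0 R >>",
                    b'4 0 obj << /S /JavaScript /JS (var a = this.getAnnots(0, "demo");) >> endobj\n')

# Document-open action, hex-escaped action name, script in a Flate-compressed stream.
_script = b'var d = spell.customDictionaryOpen("en", "demo");'
_body = zlib.compress(_script)
FLATE_JS_PDF = _pdf(b"/OpenAction 4 0 R", b"",
                    b"4 0 obj << /S /J#61vaScript /JS 5 0 R >> endobj\n"
                    + b"5 0 obj << /Length " + str(len(_body)).encode()
                    + b" /Filter /FlateDecode >>\nstream\n" + _body + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PDF), ("plain-js", PLAIN_JS_PDF), ("flate-js", FLATE_JS_PDF)):
        print(name, scan_pdf(sample))
```

The "review" verdict matters as much as "block": attackers routinely build method names at run time (string concatenation, `eval`, `unescape`), so a PDF that carries any JavaScript but no clear-text match still deserves detonation in a sandbox rather than delivery. The scanner also ignores other stream filters (ASCIIHex, LZW, object streams), which a production gateway must handle.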
The bugs affect Reader 9.1 and Acrobat 9.1, as well as earlier versions, Adobe said. The company has fixed the issues in Acrobat and Reader versions 9.1.1, 8.1.5 and 7.1.2. The updates are available via Adobe's advisory.
For those unable to update, the company recommended turning off JavaScript in the affected applications.
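On Windows the preference behind that recommendation can be set without opening the application, which is how a help desk would push it to many machines ahead of the patch. The script below is an added example, not Adobe's own tooling; it assumes (verify against your build) that Reader 9.x stores the Preferences > JavaScript checkbox as the DWORD value `bEnableJS` under `HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs`, and Acrobat under `HKCU\Software\Adobe\Adobe Acrobat\9.0\JSPrefs`. The names `js_prefs_subkey` and `set_javascript_enabled` are this example's own.

```python
"""Turn Acrobat/Reader JavaScript off (or back on) per user via the registry.
Added example; the key layout below is an assumption to check against your build."""
import sys

# Assumed product subkey names under HKCU\Software\Adobe\.
PRODUCTS = {"reader": "Acrobat Reader", "acrobat": "Adobe Acrobat"}
VALUE_NAME = "bEnableJS"   # assumed DWORD: 1 = JavaScript enabled, 0 = disabled


def js_prefs_subkey(product: str, version: str = "9.0") -> str:
    """Relative HKCU path of the JavaScript preferences key for one product/version."""
    return rf"Software\Adobe\{PRODUCTS[product]}\{version}\JSPrefs"


def set_javascript_enabled(enabled: bool, product: str = "reader", version: str = "9.0") -> bool:
    """Write bEnableJS for the current user and read it back; returns True if the
    stored value matches the request.  Only meaningful on Windows."""
    if sys.platform != "win32":
        raise OSError("Acrobat/Reader registry preferences exist only on Windows")
    import winreg  # imported here so the module loads on non-Windows hosts
    access = winreg.KEY_SET_VALUE | winreg.KEY_QUERY_VALUE
    with winreg.CreateKeyEx(winreg.HKEY_CURRENT_USER, js_prefs_subkey(product, version), 0, access) as key:
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_DWORD, int(enabled))
        value, kind = winreg.QueryValueEx(key, VALUE_NAME)
    return kind == winreg.REG_DWORD and value == int(enabled)


if __name__ == "__main__":
    for product in PRODUCTS:
        print(product, js_prefs_subkey(product), set_javascript_enabled(False, product))
```

Two caveats a practitioner would want: an HKCU value is per user, so it must run in each user's context (a logon script, for example) and the user can simply re-tick the checkbox; and disabling JavaScript removes the vector only for these two bugs, not for crafted PDFs that corrupt memory through the parser itself, so it is a stopgap until 9.1.1, 8.1.5 or 7.1.2 is deployed.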

Talkback
It is important to recognise that historically, popular applications and files like Adobe PDF files or even Word, Excel or PowerPoint files have been great vehicles for targeted attacks because those attachments are so socially acceptable and are simply expected attachments within corporate email. We now live in an environment where compromised applications have become a delivery mechanism for additional downloaded and executed malware such as key-loggers and rootkits. The most effective risk mitigation, therefore, continues to be Lumension application control to prevent a compromised application from downloading and running any unauthorised software (including malware) on a user's PC.
It is easy to get lulled into a false sense of security until you dig into the details and look at the bigger picture. In order to avoid zero-day attacks and exploits, it is critical to gain awareness and do a full inventory and assessment of your IT assets (applications & operating systems). In doing so, you can check on the latest security vulnerabilities that need to get addressed within your IT environment and apply remediation as soon as they are released by the vendor. In order to stay current and secure, always keep your eye on the latest fixes that are being released by ALL the security vendors that are applicable to your environment.