November 4, 2008 6:00 AM PST

Core Security finds critical Adobe Reader hole

by Elinor Mills

(Credit: Adobe)

Updated 10:50 a.m. PT with Adobe releasing update and link.

A critical security hole in Adobe Reader could allow an attacker to take control of a computer, according to Core Security Technologies.

The vulnerability affects version 8.1.2 of Reader, Core Security said in a statement issued on Tuesday to coincide with Adobe's planned release of a security update to fix the vulnerability.

The security bulletin was posted early on Tuesday. "Adobe is not aware of any reports of these issues being exploited in the wild," the company wrote in a security blog posting.

An attacker could put malicious code in JavaScript embedded in a PDF and spread that via a Web site or e-mail, Core Security said. Once the file is opened, the code could manipulate the program's memory allocation pattern and trigger the vulnerability to execute arbitrary code with the privileges of the user.
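As an added defensive check that is not part of the article or of Core Security's advisory, the script below flags PDF files carrying the JavaScript indicators the article describes (/JavaScript, /JS and the /OpenAction and /AA triggers that run a script automatically), normalising #xx-escaped names and inflating Flate-compressed streams so a naive grep is not fooled; the sample documents are constructed for the example.

```python
import re
import zlib

# Name tokens a defender looks for: /JavaScript and /JS carry script; /OpenAction
# and /AA make it run automatically when the file is opened or a page event fires.
SUSPICIOUS_NAMES = {b"/JavaScript", b"/JS", b"/OpenAction", b"/AA"}
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")          # one PDF name token
# Stream body runs from the line after "stream" up to the "\nendstream" keyword.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)


def normalize_name(raw: bytes) -> bytes:
    """Decode #xx escapes so an obfuscated /J#53 compares equal to /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)


def inflate_streams(data: bytes) -> bytes:
    """Append the body of every stream that inflates cleanly; FlateDecode streams
    are the usual place for dictionaries that a plain text search never sees."""
    extra = []
    for m in STREAM_RE.finditer(data):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-compressed, or corrupt: keep the raw bytes only
    return data + b"\n" + b"\n".join(extra)


def find_script_indicators(pdf: bytes) -> set:
    """Return the suspicious name tokens present anywhere in the file."""
    found = set()
    for m in NAME_RE.finditer(inflate_streams(pdf)):
        name = normalize_name(m.group(0))
        if name in SUSPICIOUS_NAMES:
            found.add(name.decode())
    return found


# Constructed samples, not real malware: a catalog whose /OpenAction points at a
# JavaScript action with /JS hex-escaped, the same action hidden in a Flate
# stream, and a plain document with no script at all.
SAMPLE_PDF = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
              b"3 0 obj << /S /JavaScript /J#53 (app.alert(1)) >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")
COMPRESSED_PDF = (b"%PDF-1.4\n4 0 obj << /Filter /FlateDecode >>\nstream\n"
                  + zlib.compress(b"<< /S /JavaScript /JS (app.alert(1)) >>")
                  + b"\nendstream\nendobj\n%%EOF\n")
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_PDF), ("compressed", COMPRESSED_PDF), ("clean", CLEAN_PDF)):
        print(label, sorted(find_script_indicators(doc)))
```

A hit is a reason to inspect or quarantine, not proof of an exploit: many legitimate forms use JavaScript, and a real scanner also has to handle object streams and cross-reference streams that this check does not parse.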

Damian Frizza, a CoreLabs researcher, discovered the vulnerability in May while he was investigating a similar vulnerability in a different PDF viewer application called Foxit Reader. Core Security immediately reported the new hole to Adobe.

The complexity of desktop software increases the chances of applications having bugs that result from the implementation of the software, said Ivan Arce, chief technology officer of Core Security.

"We've seen similar vulnerabilities in JavaScript engines in Adobe software in the past and in other applications," he said. "It's difficult to avoid implementation bugs like this one."

The fact that both PDF readers have the same bug indicates that even though vendors are building products with different technologies and code bases, they ought to check for such bugs in their own applications when rival software is found to be vulnerable, Arce said.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
14 Comments
by gsmiller88 November 4, 2008 7:45 AM PST
I'm so glad Apple Preview can read PDF files and I have no need for such garbage as Adobe Reader.
by kkohnen November 4, 2008 8:06 AM PST
And I'm happy for you too! But, why does _EVERYTHING_ have to become an Apple vs. Microsoft discussion?
by rapier1 November 4, 2008 8:31 AM PST
Because if it's not put in the starkest black and white, many people won't be able to form an opinion of any sort. If it's not 'us versus them' some people just feel lost.
by fdunn3 November 4, 2008 8:46 AM PST
to: kkohnen

What does Adobe Acrobat Reader have to do with Microsoft?

I don't see where gsmiller88 referred to MS anywhere in his post.
by GhostAlph November 4, 2008 9:16 AM PST
to fdunn3:

You don't see what gsmiller88 was getting at because you are apparently blind to implication and inference.

Here - let me paraphrase it for you:

"I'm so glad (software for Apple platform) can (do task in question) and I have no need for such garbage as (program for Microsoft platform)."

I agree with rapier1 - if it's not "us vs. them" people generally don't care or don't get it.
by ittesi259 November 4, 2008 9:26 AM PST
Um, that wasn't an Apple/MS discussion, it was Preview/Acrobat Reader.....
by Heebee Jeebies November 4, 2008 3:28 PM PST
No this was a dumb @ss to dumb @ass discussion. The Mac since moving to Intel processors has had nearly as many patch updates as Windows. Neither platform is perfect and the only reason the Mac twits spew their poo is to make themselves feel better about spending a whole lot more money for a system no better than a $600 PC and because they are locked in to the whims of Apple and have to replace the entire computer in order to upgrade because Apple won't let you update just the motherboard or processor. Someone has to make the Mac losers feel better about their choice and so I guess that falls to the suckers themselves.

Robert
by Canberra-photographer November 5, 2008 3:40 AM PST
Apple Preview is a terrible reader for PDF files and it's likely no more secure given it still decodes PDFs.
by elezhbeth32 November 4, 2008 8:44 AM PST
A critical security hole in Adobe Reader could allow an attacker to take control of a computer, according to Core Security Technologies.

The vulnerability affects version 8.1.2 of Reader, Core Security said in a statement issued on Tuesday to coincide with Adobe's planned release of a security update to fix the vulnerability.

An attacker could put malicious code in JavaScript embedded in a PDF and spread that via a Web site or e-mail. Once the file is opened, the code could manipulate the program's memory allocation pattern and trigger the vulnerability to execute arbitrary code with the privileges of the user.

Damian Frizza, a CoreLabs researcher, discovered the vulnerability in May while he was investigating a similar vulnerability in a different PDF viewer application called Foxit Reader. Core Security immediately reported the new hole to Adobe.

Adobe representatives did not return a call seeking comment on Monday.

The complexity of desktop software increases the chances of applications having bugs that result from the implementation of the software, said Ivan Arce, chief technology officer of Core Security.

"We've seen similar vulnerabilities in JavaScript engines in Adobe software in the past and in other applications," he said. "It's difficult to avoid implementation bugs like this one."
by CoreSecurity November 4, 2008 9:03 AM PST
Here's a link to the actual Core Security vulnerability advisory on the CoreLabs homepage: http://www.coresecurity.com/content/adobe-reader-buffer-overflow .
by rcrusoe November 4, 2008 12:43 PM PST
foxitsoftware.com offers a free PDF reader that may not have the same problems. At the very least this 2.5 MB program launches in less than 1/10 the time of Acrobat on my computer.
by mbenedict November 4, 2008 7:58 PM PST
@gsmiller88:

Apple's PDF implementation is also rife with security holes, so MacOS users have the privilege of all Adobe vulnerabilities PLUS all Apple vulnerabilities.

For a recent example, see CVE-2008-2322 (just patched a couple of months ago.)

Another example was MOAB-06-01-2007. Adobe promptly fixed this hole in their Reader 8.0, but OS X's Preview was vulnerable for **MONTHS** before Apple finally provided a patch.

From a security perspective, duplicate functionality means reduced defense depth, twice the attack surface, and you get the worst of both worlds.
by fdunn3 November 5, 2008 6:47 AM PST
To: GhostAlph
I understood perfectly what he was implying but apparently I'm not the only blind person here as Adobe also makes the Acrobat Reader for the Mac. Also for anybody to guess that the implication was against Microsoft as he indicates in his post and you defend is just plain "paranoid", "MS Fanboy", or both. Is it that you have just never heard of Linux?
by americas234 November 5, 2008 11:27 AM PST
I already installed Adobe Reader 9. Is it safe from this problem?