April 28, 2009 10:41 AM PDT

Another Adobe Reader security hole emerges

by Elinor Mills

Updated 4:35 p.m. PDT with Adobe saying Windows, Mac and Unix versions of Reader are affected and more details.

Security experts are recommending that people disable JavaScript in Adobe Reader following reports of a vulnerability in the popular portable document format reader on Tuesday.

The vulnerability appears to be due to an error in the "getAnnots()" JavaScript function and exploiting it could allow someone to remotely execute code on the machine, according to an advisory from the US-CERT.
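For defenders sorting through PDFs already on disk or in a mail queue, a triage pass can flag files that carry JavaScript and mention getAnnots. The sketch below is an added example, not code from US-CERT, Adobe or the article. The function names and the sample document are constructed for illustration; a hit is a reason to look closer rather than proof of an exploit, and object streams, encryption and filters other than Flate are not handled.

```python
import re
import zlib

# Name tokens from the PDF format that mark embedded or auto-run script.
SCRIPT_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_names(data: bytes) -> bytes:
    """Undo #xx escapes so /J#61vaScript is compared as /JavaScript."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> list:
    """Return each stream body, inflated when it is Flate-compressed."""
    bodies = []
    for match in STREAM_RE.finditer(data):
        raw = match.group(1)
        try:
            # decompressobj tolerates a truncated tail or trailing bytes.
            bodies.append(zlib.decompressobj().decompress(raw))
        except zlib.error:
            bodies.append(raw)  # not Flate data: scan the bytes as they are
    return bodies


def triage_pdf(data: bytes) -> dict:
    """Report script-related names and any reference to getAnnots."""
    names = decode_names(data)
    found = [n.decode() for n in SCRIPT_NAMES
             if re.search(re.escape(n) + rb"(?![A-Za-z0-9])", names)]
    haystacks = [data] + inflate_streams(data)
    return {"script_names": found,
            "calls_getAnnots": any(b"getAnnots" in h for h in haystacks)}


def build_sample(script: bytes) -> bytes:
    """Constructed PDF fragment: escaped /JavaScript name, Flate stream."""
    body = zlib.compress(script)
    return (b"%PDF-1.4\n1 0 obj\n"
            b"<< /OpenAction << /S /J#61vaScript /JS 2 0 R >> >>\nendobj\n"
            b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n" + body +
            b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    print(triage_pdf(build_sample(b"var notes = this.getAnnots();")))
```

A plain byte search would miss both markers in the constructed sample, since the action name is hex-escaped and the script sits inside a compressed stream.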

"US-CERT encourages users and administrators to disable JavaScript in Adobe Reader to help mitigate the risk," the post said. "To disable JavaScript in Adobe Reader, open the General Preferences dialog box. From the Edit-Preferences-JavaScript menu, uncheck 'Enable Acrobat JavaScript.'"

All currently supported shipping versions of Adobe Reader (8.1.4, 9.1 and 7.1.1 and earlier) are vulnerable and Windows, Macintosh and Unix platforms are affected, Adobe said in an advisory.

The company said it would release updates for all the platforms but did not yet have a time frame for that. "We are currently not aware of any reports of exploits in the wild for this issue," the advisory said.

At the RSA security conference last week, F-Secure Chief Research Officer Mikko Hypponen said Internet users should switch to using an alternative PDF reader because of the security issues with Adobe Reader. A list of them is available on the PDFReaders.org Web site.

Of the targeted attacks so far this year, more than 47 percent exploit holes in Acrobat Reader, while six vulnerabilities have been discovered that target the program, he said.

Just last month, Adobe issued a fix for an Acrobat Reader hole that attackers had been exploiting for months, after issuing a patch for a critical vulnerability in Flash player the month before.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
by Angmarr April 28, 2009 11:44 AM PDT
Another reason why people need to make the switch to Foxit!!
by n3td3v April 28, 2009 12:01 PM PDT
There are tons of vulnerabilities each day, but why do the media target Adobe Reader?
by unknown unknown April 28, 2009 12:56 PM PDT
How are they targeting Adobe by reporting flaws in widely used software?
by gefitz April 28, 2009 2:48 PM PDT
n3td3v: "There are tons of vulnerabilities each day, but why do the media target Adobe Reader?"

Answer: (and forgive me for quoting from the article itself)
"Of the targeted attacks so far this year, more than 47 percent of them exploit holes in Acrobat Reader, while six vulnerabilities have been discovered that target the program, he said."

That reason enough?
by Ilgaz April 29, 2009 3:13 AM PDT
Adobe Reader and PDF aren't the same thing they used to be just 5 years ago. The whole web and client machines are full of PDF files.
I remember attaching instructions for getting Adobe Reader or even including it (with license) on CD/DVDs just 5 years ago. Now? I don't bother at all, everyone has it.
Adobe Reader is reaching Macromedia (Adobe) Flash levels in terms of install base. That is why a zero day in it is huge.
Oh if CNET is making it news because MS document format turned out to be a joke for adoption, well... Their loss :)
Seriously though, the Adobe Reader "zero day" must be watched and Adobe should be pushed to fix it, sooner this time!
by FutureGuy April 28, 2009 1:04 PM PDT
Don't worry Linux can't be hacked
/s
by Dalkorian April 29, 2009 12:39 PM PDT
Technophobes shouldn't be commenting on computer program security issues. It's better to keep your mouth shut and let people wonder if you're a fool than it is to open your mouth and remove all doubt.
by grecs April 28, 2009 2:39 PM PDT
Scripting just needs to be off by default with a whitelist of known good sites. Users can then customize the whitelist to their own needs ... sort of like NoScript ... except I don't think NoScript works for Adobe products.
by Hep Cat April 28, 2009 6:41 PM PDT
Another chapter in the sad, sorrowful tragedy that is Reader 3.0 and above.
by guest86 April 28, 2009 10:58 PM PDT
Hold on. Which version is affected on Windows? I have an old Adobe Reader program for backup files only, because the company keeps changing many times. I did not understand why some versions got problems. What does it look like? A mess from infection by a virus? Spyware? Malware? Other?
by Ilgaz April 29, 2009 3:10 AM PDT
I have several PDFs and PDF is my usual day to day file, I even pay for my newspaper to get their original PDFs.
In the first zero day, I disabled Javascript and I haven't yet seen a single PDF file requiring javascript. Perhaps Adobe reader should come with Javascript OFF by default and seriously alert/warn user and ask whether it should be enabled when a document needs it? I understand corporates may use it, why not harness the "document signing" and make it remember for single company?
by TheReaperD April 29, 2009 4:18 AM PDT
Because people are basically lazy and will do the minimum possible needed to create or use anything.
by Angmarr April 29, 2009 8:38 AM PDT
@ TheReaperD

so true ...LOL
by jasmred April 29, 2009 9:55 PM PDT
I went immediately and turned javascript off as I read this article. Then after reading your comment I went and opened the first PDF document which I needed to work on and lo and behold it requires javascript! I suspect javascript in PDF will become much more widely required as people actually need to DO things with PDF docs (other than just read them :-). I also suspect that most other PDF readers won't work with this document (not that I have the time or inclination to try them). All software has bugs - it's just a matter of time for them to become a problem. It's nice to know that MS doesn't have a monopoly on them as some would have us believe.