
July 12, 2006 12:03 PM PDT

Adobe fixes PDF reader flaws

Adobe Systems joined Microsoft on "Patch Tuesday" and delivered fixes for two security flaws in the ubiquitous Adobe PDF reader software.

The vulnerabilities affect Adobe's Acrobat and Reader software for both the Windows operating system and Apple Computer's Mac OS, Adobe said in two separate security advisories. If left unpatched, the flaws could put Windows and Mac users at risk of a cyberattack.

Adobe's fixes came on the same day that Microsoft issued seven security bulletins with updates to repair 18 vulnerabilities in Windows and Office, including what security experts deem a dangerous Windows worm hole.

The more serious of the two Adobe flaws is a "buffer overflow" vulnerability that affects Adobe Acrobat 6.0.4 and earlier for both Windows and Mac OS, Adobe said. The company categorizes this as a "critical" update and recommends computer users update to version 6.0.5.

An attacker could exploit the vulnerability by crafting a malicious PDF (Portable Document Format) file. Opening that file could cause a complete compromise of the vulnerable PC or cause Acrobat to crash.

Buffer overflows are a commonly exploited security problem. They occur when a program allows data to be written beyond the allocated end of a buffer in memory. A computer can be made to execute potentially malicious code by feeding in extra data that is designed to flood the buffer.

The second flaw Adobe has fixed affects version 6.0.4 and earlier of Adobe Reader and Adobe Acrobat, but only on Mac OS. File and folder permissions for the applications could permit non-privileged users to change key program files on the Apple operating system, Adobe said in its security alert.

"This condition presents a risk for shared, multiuser systems," Adobe said. "On such systems, a hostile unprivileged user could take advantage of this condition to replace these program files with malicious or harmful code that could read, write or destroy sensitive data if subsequently run by a privileged user."
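The permissions condition described above can be checked for on any installed application directory. The following is an added example, not code from the article or from Adobe: it walks a tree and reports every file or directory that group or other can write to. The `Sample.app` layout and its modes are constructed for the demonstration.

```python
import os
import stat
import sys
import tempfile

NON_OWNER_WRITE = stat.S_IWGRP | stat.S_IWOTH

def audit_tree(root):
    """Return sorted (relative path, kind, who) for each file or directory
    under root, root included, that group or other may write to."""
    candidates = [root]
    for dirpath, dirnames, filenames in os.walk(root):  # symlinked dirs are not followed
        candidates += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in candidates:
        mode = os.lstat(path).st_mode
        if stat.S_ISLNK(mode) or not mode & NON_OWNER_WRITE:
            continue  # symlink mode bits say nothing about the target
        kind = "dir" if stat.S_ISDIR(mode) else "file"
        who = "+".join(label for bit, label in
                       ((stat.S_IWGRP, "group"), (stat.S_IWOTH, "other")) if mode & bit)
        findings.append((os.path.relpath(path, root), kind, who))
    return sorted(findings)

def build_sample_bundle(parent):
    """Create a constructed application tree with two deliberately loose modes."""
    root = os.path.join(parent, "Sample.app")
    os.makedirs(os.path.join(root, "Contents", "MacOS"))
    layout = {
        "": 0o755,
        "Contents": 0o775,  # writable dir: group members can swap files inside it
        os.path.join("Contents", "MacOS"): 0o755,
        os.path.join("Contents", "MacOS", "reader"): 0o777,
        os.path.join("Contents", "Info.plist"): 0o644,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel) if rel else root
        if not os.path.isdir(path):
            open(path, "w").close()
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        target = sys.argv[1] if len(sys.argv) > 1 else build_sample_bundle(tmp)
        for rel, kind, who in audit_tree(target):
            print(f"{kind:4} writable by {who}: {rel}")
```

A writable directory is reported even when the files inside it are not writable, because write access to the directory is enough to replace them.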

Adobe recommends that people use the automatic update facility in its applications to install version 6.0.5 or download and install the update from the Adobe Web site.

Don't need it, don't want it.
by rcrusoe July 12, 2006 12:42 PM PDT
I haven't used Adobe Reader for years. I can open and read a lot of
pdf documents in Apple's Preview in less time than it takes Adobe's
Reader to launch.

With products like Foxit for Windows, Xpdf for Linux, etc. IMO there
is no reason for anyone to use Adobe's bloated reader.
Or just download THE CURRENT VERSION (7.0.8)!!
by Lucky Lou July 12, 2006 2:03 PM PDT
It's only been out since 2004!!!
patch
by mjm01010101 July 12, 2006 3:25 PM PDT
Adobe had a patch out for this *months* ago.
article incorrect?
by dddane July 13, 2006 9:32 AM PDT
there are two security bulletins from adobe linked to by cnet..

»www.adobe.com/support/security/b···-08.html

and

»www.adobe.com/support/security/b···-09.html

...one addresses adobe acrobat reader and adobe acrobat on MAC (not windows), the other addresses Adobe Acrobat (NOT reader, though) on both mac and windows.

it's slightly confusing and subtle, since the products are often referred to incorrectly anyway... so there is no security bulletin that addresses adobe acrobat reader for WINDOWS.. as the article tends to indicate.

so adobe acrobat reader on windows appears to be "OK" (though adobe acrobat itself is not OK on windows)...according to their own releases.