July 12, 2006 12:03 PM PDT

Adobe fixes PDF reader flaws

Adobe Systems joined Microsoft on "Patch Tuesday" and delivered fixes for two security flaws in the ubiquitous Adobe PDF reader software.

The vulnerabilities affect Adobe's Acrobat and Reader software for both the Windows operating system and Apple Computer's Mac OS, Adobe said in two separate security advisories. If left unpatched, the flaws could put Windows and Mac users at risk of a cyberattack.

Adobe's fixes came on the same day that Microsoft issued seven security bulletins with updates to repair 18 vulnerabilities in Windows and Office, including what security experts deem a dangerous Windows worm hole.

The more serious of the two Adobe flaws is a "buffer overflow" vulnerability that affects Adobe Acrobat 6.0.4 and earlier for both Windows and Mac OS, Adobe said. The company categorizes this as a "critical" update and recommends computer users update to version 6.0.5.

An attacker could exploit the vulnerability by crafting a malicious PDF (Portable Document Format) file. Opening that file could cause a complete compromise of the vulnerable PC or cause Acrobat to crash.

Buffer overflows are a commonly exploited security problem. They occur when a program allows data to be written beyond the allocated end of a buffer in memory. A computer can be made to execute potentially malicious code by feeding in extra data that is designed to flood the buffer.

The second flaw Adobe has fixed affects version 6.0.4 and earlier of Adobe Reader and Adobe Acrobat, but only on Mac OS. File and folder permissions for the applications could permit non-privileged users to change key program files on the Apple operating system, Adobe said in its security alert.

"This condition presents a risk for shared, multiuser systems," Adobe said. "On such systems, a hostile unprivileged user could take advantage of this condition to replace these program files with malicious or harmful code that could read, write or destroy sensitive data if subsequently run by a privileged user."

Adobe recommends that people use the automatic update facility in its applications to install version 6.0.5 or download and install the update from the Adobe Web site.
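The file-permission flaw described above can be checked for on any shared system. The following is an added example, not Adobe's code or part of the original article: a shell audit that lists entries under an application directory that group members or other users can write to, plus a function that removes those write bits. The `Sample.app` layout and file names built by `make_sample_tree` are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an application directory for entries that users
# other than the owner can modify, then strip those write bits.

# List files and directories writable by group or others.
# Symlinks are skipped because their own mode bits are not enforced.
audit_app_perms() {
    app_dir=$1
    [ -d "$app_dir" ] || { echo "not a directory: $app_dir" >&2; return 2; }
    {
        find "$app_dir" ! -type l -perm -0002 -print |
            sed 's/^/WORLD-WRITABLE /'
        find "$app_dir" ! -type l -perm -0020 ! -perm -0002 -print |
            sed 's/^/GROUP-WRITABLE /'
    } | sort
}

# Remove group/other write permission from every entry the audit flags.
harden_app_perms() {
    app_dir=$1
    [ -d "$app_dir" ] || { echo "not a directory: $app_dir" >&2; return 2; }
    find "$app_dir" ! -type l \( -perm -0002 -o -perm -0020 \) \
        -exec chmod go-w {} +
}

# Constructed sample tree (hypothetical names) with two unsafe entries.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    app="$root/Sample.app"
    mkdir -p "$app/Contents/MacOS" "$app/Contents/Plug-ins"
    : > "$app/Contents/MacOS/sample"
    : > "$app/Contents/Plug-ins/plugin.bin"
    : > "$app/Contents/prefs.dat"
    chmod -R 755 "$app"                           # safe baseline
    chmod 775 "$app/Contents/Plug-ins/plugin.bin" # group-writable
    chmod 666 "$app/Contents/prefs.dat"           # world-writable
    echo "$app"
}

# Usage: sh audit.sh "/path/to/Some.app"
[ "$#" -eq 0 ] || audit_app_perms "$1"
```

The audit looks only at mode bits; on a multiuser machine it is also worth confirming that the flagged application files are owned by an administrative account rather than an ordinary user.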

Comments

Don't need it, don't want it.
I haven't used Adobe Reader for years. I can open and read a lot of
pdf documents in Apple's Preview in less time than it takes Adobe's
Reader to launch.

With products like Foxit for Windows, Xpdf for Linux, etc. IMO there
is no reason for anyone to use Adobe's bloated reader.
Posted by rcrusoe (1305 comments )
Or just download THE CURRENT VERSION (7.0.8)!!
It's only been out since 2004!!!
Posted by Lucky Lou (88 comments )
patch
Adobe had a patch out for this *months* ago.
Posted by mjm01010101 (126 comments )
article incorrect?
there are two security bulletins from adobe linked to by cnet..

»www.adobe.com/support/security/b···-08.html

and

»www.adobe.com/support/security/b···-09.html

...one addresses adobe acrobat reader and adobe acrobat on MAC (not windows), the other addresses Adobe Acrobat (NOT reader, though) on both mac and windows.

it's slightly confusing and subtle, since the products are often referred to incorrectly anyway... so there is no security bulletin that addresses adobe acrobat reader for WINDOWS.. as the article tends to indicate.

so adobe acrobat reader on windows appears to be "OK" (though adobe acrobat itself is not OK on windows)...according to their own releases.
Posted by dddane (3 comments )