Adobe Vulnerabilities Found In Acrobat, Reader

Adobe Acrobat and Adobe Reader users will likely be updating their systems after the company issued a patch for critical vulnerabilities in the two applications that could lead to remote code execution.

Adobe, which issued the patch Tuesday, said that the company was making good on a promise to repair the two known vulnerabilities that were first detected in February. The company said that the security advisory alerting users to the errors, provided a timeline and workaround for versions 7 of both Acrobat and Reader. At that time, the company committed to providing updates for the products by the end of May.

Specifically, the two vulnerabilities, which were first detected in February by researchers at Fortinet, can be found in the Javascript API, a programming interface supplied by Adobe, security experts say.

"It's meant as an interactive way of communicating with PDF files," said Derek Manky, security researcher for Fortiguard Global Security Team. "Unfortunately, it could be used for bad purposes."

The first vulnerability incorporates an exploitable memory corruption error, which could potentially enable attackers to execute arbitrary code on the affected system. Meanwhile, the second vulnerability results from a privilege escalation issue, which could allow an attacker to bypass security measures and remotely access restricted functions.

"Any time you have remote code execution, it's a pretty threatening vulnerability. It can emerge as a critical risk," Manky added.

So far, the flaws have not been exploited in the wild. If exploited, the vulnerabilities could lead to a remote attack in which the criminal could install a malicious payload or force the user to download Trojans and other malware.

"The system could be completely compromised," said Manky. "As soon as they have control, anything is possible."

While researchers are unable to determine the exact number of potentially affected users, the high profile of the Adobe Acrobat and Reader applications have a high number of users around the world, experts said.

Adobe released a patch yesterday addressing the errors, which can be downloaded from the company's Web site.

To ensure protection from unwanted exploits, security experts recommend that users update to the latest version of Adobe Acrobat Professional and Adobe Reader as soon as possible.