Adobe Patches Security Flaws In Acrobat, Reader Software


By Rick Whiting, ChannelWeb

2:35 PM EST Wed. Nov. 05, 2008
Adobe Systems has issued updates to its Adobe Acrobat 8.1.2 and Adobe Reader 8.1.2 document sharing software after researchers discovered critical security vulnerabilities in the popular applications used to create and read PDF files.

Adobe Acrobat 9.0 and Adobe Reader 9.0, which were released in June, are not affected by the flaw.

Security experts have noted that malware developers are increasingly targeting third-party applications, particularly those like Reader that plug into browsers, rather than operating systems such as Windows.

The security flaws reported in Acrobat and Reader could be used by hackers to install and run malicious code on an unsuspecting user's computer, according to an advisory issued Tuesday by Core Security Technologies. The warning described the vulnerability as a "Javascript print buffer overflow" and said the Adobe reader software "suffers from a stack buffer overflow when parsing specially crafted (invalid) PDF files."

Exploiting the vulnerability requires that a user open a maliciously crafted PDF file, which allows attackers to gain access to the vulnerable system and assume the privileges of the user running Acrobat Reader, the advisory said.

Adobe issued its own advisory that included 8.1.3 updates to the software programs that fix the most recent vulnerability, as well as several older vulnerabilities. Adobe recommends that users who can't upgrade to Adobe Acrobat 9 and Adobe Reader 9 install the updates. They are available for versions of the applications running on Microsoft Windows, Linux, Solaris and Mac OS X.

Earlier this year, Adobe had to issue patches for two vulnerabilities in the JavaScript API in version 7 of Acrobat and Reader that could lead to remote code execution.

 