Adobe PDF Reader patched due to critical flaws

In the last couple of months, Adobe has been hit by clipboard and SQL injection attacks. Now PDF file and JavaScript vulnerabilities force a new patch to be released.

Adobe has issued a security update to fix critical vulnerabilities in its PDF-focused Adobe Reader and Acrobat applications.

Adobe Reader version 9, released in June of this year, is not affected.

The vulnerabilities were identified in Adobe Reader and Acrobat 8.1.2 as well as earlier versions and caused the application to crash as well as potentially allowing an attacker to take control of the affected system.

Security vendor Core Security said that Adobe Reader was able to be exploited through the use of a specially-crafted PDF file which carries malicious JavaScript content.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

For the vulnerability to successfully work, a user would need to open the maliciously-crafted PDF file. Attackers would then be free to execute arbitrary code.

Once Core Security made the discovery, it alerted Adobe and the two companies joined forces to create a patch to solve the problem and protect vulnerable users.

Core Security's chief technology officer (CTO) Ivan Arce said that the complexity of Adobe Reader created a broad surface for potential vulnerabilities and that Adobe's inclusion of a JavaScript engine could have introduced implementation bugs.

He said: "The bug was discovered while investigating a previously disclosed and similar problem in another PDF application, highlighting the manner in which common implementation mistakes are frequently shared among multiple vendors."

It's not the first time Adobe has had security problems in the recent months. In August, Adobe investigated Flash banner ads hijacking users' clipboards, while in October Adobe's website suffered a SQL injection attack.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019
Visit/business-strategy/34599/adobe-shuts-down-service-to-venezuela
Business strategy

Adobe shuts down service to Venezuela

9 Oct 2019
Visit/software/34583/avast-business-patch-management-review-don-t-give-up-the-day-job-just-yet
Software

Avast Business Patch Management review

8 Oct 2019

Most Popular

Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020
Visit/infrastructure/server-storage/354476/broadberry-cyberserve-r182-z90-review-gigabytes-epyc-gamble
Server & storage

Broadberry CyberServe R182-Z90 review: Gigabyte’s EPYC gamble pays off handsomely

7 Jan 2020
Visit/operating-systems/microsoft-windows/354514/gchq-warns-against-windows-7-for-email-banking
Microsoft Windows

GCHQ warns against Windows 7 for email, banking

13 Jan 2020