Adobe on Tuesday released a security bulletin that includes fixes for 28 vulnerabilities in Adobe Reader and Acrobat, including a critical hole that has reportedly been exploited in the wild in limited attacks.
Affected software includes version 9.1.3 of Reader and Acrobat; Acrobat 8.1.6 for Windows, Macintosh, and Unix; and version 7.1.3 of Reader and Acrobat for Windows and Macintosh. The vulnerabilities could cause the applications to crash and could allow an attacker to take control of a user's computer.
Adobe recommends that people update to Adobe Reader 9.2 and Acrobat 9.2, or Acrobat 8.1.7 or Acrobat 7.1.4. For Adobe Reader users who cannot update to Adobe Reader 9.2, Adobe has provided the Adobe Reader 8.1.7 and Adobe Reader 7.1.4 updates.
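A patch-compliance check built from the fixed versions named in the bulletin (9.2, 8.1.7, 7.1.4), as an added example that is not part of the original article; the inventory format and host names are constructed, not Adobe's or nCircle's:

```python
# Added example (not from the original article): flag Adobe Reader / Acrobat
# installs still below the fixed versions the bulletin recommends.
# The inventory lines below are constructed sample data.
from typing import Optional

# Minimum patched version per major branch, as stated in the bulletin:
# branch 9 is fixed in 9.2, branch 8 in 8.1.7, branch 7 in 7.1.4.
FIXED_VERSIONS = {9: (9, 2, 0), 8: (8, 1, 7), 7: (7, 1, 4)}

def parse_version(text: str) -> tuple:
    """Turn '9.1.3' or '9.2' into a comparable tuple padded to three parts."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def is_patched(version: str) -> Optional[bool]:
    """True if at or above the fixed version for its branch, False if below,
    None if the branch is not covered by this bulletin."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return None
    return v >= fixed

def unpatched_hosts(inventory: str) -> list:
    """Inventory lines are 'host,product,version' (constructed format).
    Returns (host, product, version) for installs below the fixed level."""
    flagged = []
    for line in inventory.strip().splitlines():
        host, product, version = [f.strip() for f in line.split(",")]
        if is_patched(version) is False:
            flagged.append((host, product, version))
    return flagged

# Constructed sample inventory covering each affected and fixed version.
SAMPLE_INVENTORY = """
ws01,Adobe Reader,9.1.3
ws02,Adobe Reader,9.2
ws03,Adobe Acrobat,8.1.6
ws04,Adobe Acrobat,8.1.7
ws05,Adobe Reader,7.1.3
ws06,Adobe Reader,7.1.4
"""

if __name__ == "__main__":
    for host, product, version in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below the fixed version")
```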
One of the updates addresses a hole that Trend Micro says has been exploited by a Trojan horse that arrives as a PDF file containing malicious JavaScript. That exploit affects Microsoft Windows 98, ME, NT, 2000, XP, and Server 2003, according to Trend Micro.
"All users of Adobe Reader or Acrobat will need to update their software with today's release because these updates include fixes for the most critical kind of bugs," said Andrew Storms, director of security operations at nCircle.
This is Adobe's second quarterly security update for Adobe Reader and Acrobat.
Also on Tuesday, Microsoft issued a security advisory with a record number of bulletins, including the first fixes for critical holes in Windows 7.
Adobe Systems on Tuesday issued a security update to fix a critical vulnerability in Adobe Reader 9 and Acrobat 9 that could allow an attacker to take complete control of a computer and for which exploits had been reportedly found in the wild for nearly two months.
Adobe alerted users about the vulnerability more than two weeks ago and promised to have a security update for it by March 11.
On unpatched systems, attackers can exploit the hole to trigger a buffer overflow, overwrite memory, and install a backdoor through which they control the system remotely.
In its advisory, Adobe said it plans to provide security updates for Adobe Reader 7 and 8 and Acrobat 7 and 8 by March 18 and for Adobe Reader 9.1 for Unix by March 25.
Meanwhile, US-CERT said on Tuesday it is aware of public reports of two new attack vectors for the vulnerability: the Windows Indexing Service, which indexes PDF files, and the Windows Explorer Shell Extension.
The vulnerability can be exploited with little or no user interaction if the Windows Indexing Service processes a malicious PDF file stored on the system or Windows Explorer displays a folder containing a malicious PDF file, the CERT advisory said.
Earlier in the day, Microsoft issued updates for a number of critical and important vulnerabilities in Windows as part of this month's Patch Tuesday.
One security expert complained that Adobe was late to acknowledge the vulnerability and uncommunicative about the issue since it arose.
"Having the patch early is a huge benefit, but releasing it on the same day as Microsoft's planned March patch spells disaster for enterprise resource planning, and it still leaves Adobe with a black eye for lack of communication," said Andrew Storms, director of security operations for nCircle, a network and compliance automation firm.
Adobe representatives did not immediately respond Tuesday to phone calls and e-mails seeking comment.
While there are other PDF readers out there, the Adobe Reader for Windows and Mac is used the most. Adobe's mastery of the Portable Document Format has been nearly indisputable until recently, and even with stiff competition the Adobe Reader has the name recognition that most users trust. But is it really the best one out there? Get up close and personal with the Reader in this First Look video, judge for yourself, and let us know in the comments below.
Over the weekend, security vendor iDefense reported three specific exploits affecting a fully patched version of Adobe Acrobat and Reader 8.1 running on Windows. In each of the cases, the attacker would need to have the users open a specially crafted PDF file delivered via an e-mail attachment or linked from a Web site. In response, Adobe has released a security update, Adobe Acrobat and Reader 8.1.2.
The Adobe Reader and Acrobat JavaScript insecure method exposure vulnerability affects users of Adobe Reader 8.1 on Windows XP SP2 and is to be further detailed in CVE-2007-5663. According to iDefense, "an insecure method exposed by the JavaScript library in Adobe Reader and Acrobat could allow an attacker to execute arbitrary code on a compromised machine. One of the methods exposed allows direct control over low level features of the object, which in turn allows execution of arbitrary code. In order to exploit this vulnerability, an attacker would have to convince the targeted user to open a maliciously constructed file."
The Adobe Reader and Acrobat Multiple Stack-based Buffer Overflow Vulnerabilities also affect users of Adobe Reader 8.1 on Windows XP SP2 and are to be detailed in CVE-2007-5659. According to iDefense, "exploitation of multiple stack-based buffer overflows in JavaScript methods in Adobe Reader and Acrobat could allow an attacker to execute arbitrary code as the current user. In order to exploit these vulnerabilities, an attacker would have to convince a targeted user to open a maliciously constructed file."
The Adobe Reader Security Provider Unsafe Library Path Vulnerability affects users of Adobe Reader 8.1 installed on both Windows XP and Windows Vista and is to be detailed in CVE-2007-5666. According to iDefense, "an unsafe library path vulnerability in Adobe Systems' Adobe Reader may allow attackers to execute arbitrary code as the current user. Exploitation allows an attacker to execute arbitrary code as the user that started the application. To exploit this vulnerability, the attacker must convince the targeted user to open a PDF from a directory under their control."
In response, Adobe has issued an update for Adobe Reader and Acrobat 8.01. An update for Adobe Reader and Acrobat 7.0.9 is not currently available, although Adobe said it does plan to release one later.
It's the most popular PDF software on the planet, but sometimes Adobe Reader can be slower than molasses to start up. Tom Merritt shows you how to use Adobe Reader SpeedUp to disable unnecessary plug-ins and help Adobe Reader open documents much more quickly.