Adobe confirms critical flaw in Reader and Acrobat

Share this article:
A critical flaw in Adobe Reader and Acrobat that was disclosed last week at the Black Hat Conference in Las Vegas could allow an attacker to compromise a user's system.

The flaw, which is caused by an integer overflow error in the way the PDF viewer parses fonts, was disclosed by Charlie Miller, principal security analyst at consulting firm Independent Security Evaluators, during a Black Hat presentation. The vulnerability can be exploited by an attacker to corrupt memory via a specially crafted PDF file, according to an advisory from security firm Secunia. If exploited successfully, the flaw could allow an attacker to execute arbitrary code on an affected system.

“We are aware of the vulnerability reported by Charlie Miller at Black Hat and are in the process of developing a patch,” Adobe said in a statement sent to SCMagazineUS.com on Wednesday.

Adobe is currently evaluating whether to distribute a fix for the vulnerability as part of its next quarterly update for Adobe Reader and Acrobat, scheduled for Oct. 12, or as an “out-of-band” security update.

The vulnerability affects the current version of the software, Adobe Reader 9.3.3, and earlier versions for Windows, Macintosh and UNIX, Adobe said. It also affects Adobe Acrobat 9.3.3 and earlier versions for Windows and Macintosh. There are no reports of the bug being exploited in the wild.

Meanwhile, a similar flaw affecting the mobile version of Apple's Safari browser is being exploited to jailbreak the latest iPhone, according to security researchers. The exploit, which is available at jailbreakme.com, makes use of two unique vulnerabilities, including a PDF font parsing vulnerability in Mobile Safari, to jailbreak the iPhone 4, thereby allowing users to install unapproved applications.

While the jailbreak hack is non-malicious, researchers warned that an attacker could potentially exploit the underlying vulnerabilities for more malicious purposes. 

An Apple spokeswoman told SCMagazineUS.com on Wednesday that the company is aware of the issue.

"We have already developed a fix and it will be available to customers in an upcoming software update,” she said.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Email promises free pizza, ensnares victims in Asprox botnet instead

Email promises free pizza, ensnares victims in Asprox ...

Cloudmark came upon an email that offers free pizza, but clicking on the link to get the coupon ends with victims being ensnared in a botnet.

Report: most orgs lacking in response team, policies to address cyber incidents

In its Q3 threat intelligence report, Solutionary learned that 75 percent of organizations it assisted had no response team or policies and procedures to address cyber incidents.

Flash redirect campaign impacts Carnegie Mellon page, leads to Angler EK

Flash redirect campaign impacts Carnegie Mellon page, leads ...

Malwarebytes found that, since early July, thousands of sites had been targeted in the campaign.