Adobe confirms critical flaw in Reader and Acrobat

Share this article:
A critical flaw in Adobe Reader and Acrobat that was disclosed last week at the Black Hat Conference in Las Vegas could allow an attacker to compromise a user's system.

The flaw, which is caused by an integer overflow error in the way the PDF viewer parses fonts, was disclosed by Charlie Miller, principal security analyst at consulting firm Independent Security Evaluators, during a Black Hat presentation. The vulnerability can be exploited by an attacker to corrupt memory via a specially crafted PDF file, according to an advisory from security firm Secunia. If exploited successfully, the flaw could allow an attacker to execute arbitrary code on an affected system.

“We are aware of the vulnerability reported by Charlie Miller at Black Hat and are in the process of developing a patch,” Adobe said in a statement sent to SCMagazineUS.com on Wednesday.

Adobe is currently evaluating whether to distribute a fix for the vulnerability as part of its next quarterly update for Adobe Reader and Acrobat, scheduled for Oct. 12, or as an “out-of-band” security update.

The vulnerability affects the current version of the software, Adobe Reader 9.3.3, and earlier versions for Windows, Macintosh and UNIX, Adobe said. It also affects Adobe Acrobat 9.3.3 and earlier versions for Windows and Macintosh. There are no reports of the bug being exploited in the wild.

Meanwhile, a similar flaw affecting the mobile version of Apple's Safari browser is being exploited to jailbreak the latest iPhone, according to security researchers. The exploit, which is available at jailbreakme.com, makes use of two unique vulnerabilities, including a PDF font parsing vulnerability in Mobile Safari, to jailbreak the iPhone 4, thereby allowing users to install unapproved applications.

While the jailbreak hack is non-malicious, researchers warned that an attacker could potentially exploit the underlying vulnerabilities for more malicious purposes. 

An Apple spokeswoman told SCMagazineUS.com on Wednesday that the company is aware of the issue.

"We have already developed a fix and it will be available to customers in an upcoming software update,” she said.

Share this article:

Sign up to our newsletters

More in News

Research shows vulnerabilities go unfixed longer in ASP

Research shows vulnerabilities go unfixed longer in ASP

A new report finds little difference in the number of vulnerabilities among programming languages, but remediation times vary widely.

Bill would restrict Calif. retailers from storing certain payment data

The bill would ban businesses from storing sensitive payment data, for any long than required, even if it is encrypted.

Amplification, reflection DDoS attacks increase 35 percent in Q1 2014

Amplification, reflection DDoS attacks increase 35 percent in ...

The Q1 2014 Global DDoS Attack Report reveals that amplification and reflection distributed denial-of-service attacks are on the rise.