Adobe confirms Reader flaw, advises on workarounds

Share this article:

Adobe has confirmed a zero-day vulnerability in its Reader and Acrobat software and plans to release a patch on Jan. 12 for the dangerous bug.

According to an an advisory issued late Tuesday, the vulnerability impacts version 9.2 and earlier for Windows, Mac and UNIX platforms. A successful exploit can allow an attacker to crash or take control of a targeted system.

As users await an updated version of the popular PDF management products, the company recommended IT administrators utilize the JavaScript Blacklist Framework, which offers granular control over the execution of specific JavaScript API calls. Individual users, meanwhile, simply can opt to disable JavaScript in Reader and Acrobat by unchecking the "Enable Acrobat JavaScript"option.

In addition, customers can leverage Data Execution Prevention (DEP), a Vista and Windows 7 security feature that prevents an application from executing code in certain memory regions. The functionality also is available on Windows XP Service Pack 3.

Exploits currently are being delivered as a malicious PDF attached to emails, security experts said. So far, the attacks have been fairly targeted, but that is expected to change, especially now that the exploit has been added to the Metasploit framework.

David Lenoe, a security program manager at Adobe, said Tuesday in a blog post that users may be helped by their anti-virus vendors.

"Adobe actively shares information about this and other vulnerabilities with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available," he said.

Exploits for the vulnerability began surfacing late last week, but as of Tuesday, a majority of security solutions were failing to detect the malicious PDFs being used in the ambushes, according to the Shadowserver Foundation, an internet security watchdog.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Beazley: employee errors root of most data breaches, but malware incidents cost ...

Insurance firm Beazley analyzed more than 1,500 data breaches it serviced between 2013 and 2014.

Apple issues seven updates, fixes more than 40 vulnerabilities in iOS 8, OS 10.9.5

Apple issues seven updates, fixes more than 40 ...

In one of its infrequent "Update Surprisedays," Apple plugged holes, boosted security and added features.

Canadian telecom co. Telus unveils first transparency report

The company received more than 100,000 government requests for customer data last year.