Adobe is expected on Tuesday to disclose a security vulnerability in an older version of its Reader document viewing software, according to Core Security. The security vendor discovered a flaw in Adobe Reader 8.1.2 that would allow an attacker to compromise a machine via a malicious PDF.
Ironically, Adobe had urged users back in February to update to this version to avoid vulnerabilities in earlier versions of Reader.
According to Ivan Arce, CTO at Core Security, the problem can be traced to a vulnerability in Reader's JavaScript engine. It allows an attacker to send a PDF with malicious JavaScript embedded in it and wholly compromise any computer running the vulnerable version of Adobe Reader.
"The end result is if a user opens the PDF file with the malicious JavaScript in it, the attacker will be able to completely compromise the machine," Arce says. "It becomes like a Trojan."
Users can prevent this attack by updating Adobe Reader 8.1.2 with a patch that Adobe will release Tuesday. Alternatively, users can upgrade to the current release, Reader 9.0, because the vulnerability hasn't been found in that version. Arce says Core Security discovered the JavaScript vulnerability in May and reported it to Adobe, but the company has taken until now to officially release a patch.
(NetworkWorld)