
    Adobe Warns of Potential Reader Flaw

    By Brian Krebs, posted on April 28, 2009
     
    Adobe Systems Inc. is warning about a potential new security flaw in the latest versions of its Adobe Reader products.
     
    Update, Apr. 29, 8:17 a.m. ET: Adobe has confirmed that this affects all currently supported, shipping versions of Adobe Reader (9.1, 8.1.4, and 7.1.1 and earlier versions) for Windows, Mac and Linux. Adobe recommends disabling Javascript in Reader until it can ship a patch.
     
    Original post:
     
    In its product security incident response team blog, Adobe issued a brief advisory on Monday, saying it is investigating reports of a security hole in Adobe Reader 9.1 and 8.1.4. The company says it will provide an update once it gets more information.
     
    The SecurityFocus submission on this vulnerability indicates that it is a Javascript flaw in Reader for versions designed to run on Linux operating systems, although that advisory suggests that other versions or operating systems may also be affected.
     
    This may turn out to be nothing, but my gut tells me that we may soon be rehashing an incident from February, when malware and hackers were discovered to be using a previously unknown Javascript vulnerability in Adobe Reader to break into machines running the software.
     
    This also reminds me of a question I received in my most recent Security Fix Live Online last Friday:
     
    Denver CO: Because of the recent vulnerabilities discovered in Adobe Reader a lot of tech folks are moving their staff to alternative PDF readers. Do you think using Adobe Reader and/or Adobe Acrobat is no longer a good idea?
     
    Brian Krebs: I think diversity is a good thing, especially in computer software and operating systems. Given equal or better alternatives, using a software package that is not the clear market leader is often a smart move from a security perspective.
    For some time now, I have recommended the free Foxit Reader over Adobe's PDF reader, which I find bloated and slow. The potential security benefits are an added bonus.
     
    As an alternative, I generally recommend the free and lightweight Foxit Reader (like Adobe's Reader, it now comes bundled with a toolbar that you may want to opt out of installing). But there are other free PDF readers, including Sumatra PDF and PDF-XChange Viewer.
     
    Adobe doesn't offer any mitigation tips, probably because it is still checking this out. One avenue is to disable Javascript in Reader (click "Edit," "Preferences," "Javascript," and uncheck the box next to "Enable Acrobat Javascript"). Of course, doing this may not blunt the potential threat from this bug. What's more, disabling Javascript in Reader can cause annoying behavior in the program.
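A complementary, gateway-side check for the same risk, added here as an example and not code from the original post or from Adobe: it flags PDFs that carry JavaScript or auto-run actions, resolving #xx name escapes and inflating FlateDecode streams so that a naive string search is not trivially evaded. The sample PDFs below are constructed inline for illustration.

```python
import re
import zlib

# Constructed samples (not real malware). /OpenAction points at a JavaScript
# action whose /S name uses a #-escape (/J#61vaScript) to defeat naive grep.
PDF_WITH_JS = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n%%EOF\n"
)
# Same script hidden inside a FlateDecode stream (e.g. an object stream).
PDF_COMPRESSED = (
    b"%PDF-1.5\n4 0 obj << /Filter /FlateDecode >> stream\n"
    + zlib.compress(b"<< /S /JavaScript /JS (app.alert(1)) >>")
    + b"\nendstream endobj\n%%EOF\n"
)
PDF_BENIGN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

# /JS and /JavaScript carry script; /OpenAction and /AA run actions
# automatically on open or on events; /Launch starts external programs.
SUSPICIOUS_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")

def _unescape_names(data: bytes) -> bytes:
    """Resolve #xx escapes in PDF names so /J#61vaScript becomes /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def _inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every FlateDecode stream that decompresses."""
    bodies = []
    for m in re.finditer(rb"/FlateDecode.*?stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            bodies.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # truncated or non-zlib data; leave it for deeper tooling
    return data + b"\n" + b"\n".join(bodies)

def scan_pdf(data: bytes) -> dict:
    """Count suspicious names in the raw bytes plus inflated stream bodies."""
    text = _unescape_names(_inflate_streams(data))
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # Lookahead keeps /JS from matching a longer name such as /JSX.
        hits = re.findall(re.escape(name) + rb"(?![A-Za-z])", text)
        if hits:
            counts[name.decode()] = len(hits)
    return counts
```

A non-empty result is a triage signal, not proof of malice: many legitimate forms use JavaScript, so route hits to quarantine or a sandbox rather than blocking outright.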