Critical vulnerability detected in Adobe Reader and Acrobat

News by Dan Raywood

A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions.


The company has said that the vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that the issue is already being exploited.


Adobe has categorised this as a critical issue and has recommended that users update their virus definitions and exercise caution when opening files from untrusted sources. It is planning to release updates to Adobe Reader and Acrobat to resolve the issue and expects to make an update available for Adobe Reader 9 and Acrobat 9 by 11th March. Updates for Adobe Reader 8 and Acrobat 8 will follow soon after, with Adobe Reader 7 and Acrobat 7 updates to follow.


McAfee Avert Labs researcher Geok Meng Ong said: “At the turn of 2009, malicious PDF documents were discovered to be exploiting a zero-day vulnerability affecting Adobe Reader 8 and 9. In parsing a specially crafted embedded object, a bug in the reader allowed the attacker to overwrite memory at an arbitrary location. The attacks, found in the field, use the infamous ‘HeapSpray’ method via JavaScript to achieve control of code execution.


“While the distribution of this exploit thus far appears to be targeted, new variants are expected as more information is made public. As with the Conficker experience, the lack of good patch management is a very worrying trend that deserves more attention from IT security practitioners.”

