A vulnerability has been identified that could affect people who use Adobe's Reader PDF-file browsing software.

 

Core Security Technologies has determined that Adobe Reader could be exploited to gain access to vulnerable systems via the use of a specially crafted PDF file with malicious JavaScript content.

 

Successful exploitation of the vulnerability requires users to open a maliciously crafted PDF file, which allows attackers to gain access to vulnerable systems and assume the privileges of a user running Acrobat Reader. However Adobe Reader version 9, which was released in June 2008, is not vulnerable to the reported problem.

 

Adobe has issued a security update that addresses the vulnerable version 8.1.2 of Reader. Alternatively, users of affected versions of the program can also work around the problem and reduce their exposure by disabling JavaScript functionality in the software's Edit|Preferences menu.

 

Ivan Arce, CTO at Core Security Technologies, said: “As with many of today's ubiquitous client side applications, the sheer complexity of Adobe Reader creates a broad surface for potential vulnerabilities and, in this case, Adobe's inclusion of a fully-fledged JavaScript engine introduces the same types of implementation bugs commonly found in such sophisticated client side programs.

 

“It's worth noting that the bug was discovered while investigating a previously disclosed and similar problem in another PDF viewer application, highlighting the manner in which common implementation mistakes are frequently shared among multiple vendors.”