Bugs bring new angers to Acrobat users

Home

Utilities

Bugs bring new angers to Acrobat users
By Matthew Broersma
2004-12-16

Article Rating:

/ 0

Rate This Article:

Add This Article To:

Digg this

Del.icio.us

Slashdot

Y! My Web

E-mail

Furl

Google

Simpy

Spurl!

PDF Version

Two serious flaws that affect Windows, Mac OS X and Unix versions of Acrobat enable attackers to execute malicious code on a user's system via a PDF file distributed via e-mail.

Adobe Systems Inc. has warned of two serious security flaws affecting Windows, Mac OS X and Unix versions of its Acrobat software. The bugs could allow an attacker to execute malicious code on a user's system via a PDF file distributed via e-mail, according to security researchers.

The first flaw affects Version 6.0.2 of Acrobat Reader, according to an advisory posted to the Bugtraq mailing list by security research firm iDefense, which discovered both bugs. Reader incorrectly parses the .etd files used in eBook transactions so that an .etd file containing special code in the "title" or "baseurl" fields can cause an invalid memory access.

Adobe bolsters Reader in Version 7.0. Click here to read more.

This could allow the execution of malicious code with the privileges of the user, iDefense said. An attacker could exploit this bug by sending an e-mail message including either an attached PDF file or a link to the file.

Earlier versions of Acrobat Reader 6 may also be vulnerable, and Adobe Acrobat may also be affected, iDefense said. Adobe has released Version 6.0.3 of both Acrobat and Reader for the Windows and Mac OS X platforms, which fixes the problem.

iDefense said users can also protect themselves by deleting the file: "C:\Program Files\Adobe\Acrobat 6.0\Reader\plug_ins\eBook.api." This doesn't affect the handling of PDF files, but won't allow Acrobat or Reader to handle eBooks.

If Adobe had its way, PDF would become the standard of corporate document management. Click here to read David Coursey's column.

A separate flaw has a similar effect on Reader Version 5.0.9 for Unix, iDefense said. This flaw is found in Reader's e-mail function, mailListIsPdf, and can be exploited in the same way as the eBook bug. Adobe made it clear it isn't aware of any attempts to exploit the flaw, but recommended that users update to the newly released Acrobat Reader 5.0.10 "as a precaution."

iDefense added that previous versions of Reader 5 for Unix are probably vulnerable. The company said Unix users can get additional protection from an unofficial patch for the acroread shell script, which adds a check ensuring that files passed to acroread are in fact PDF documents. The patch doesn't protect against files opened manually from within Reader, iDefense said.

Secunia, an independent security researcher that maintains a vulnerabilities database, gave the Unix flaw a "highly critical" rating. Both bugs were discovered in mid-October, iDefense said.

	Discuss Bugs bring new angers to Acrobat users

	>>> Be the FIRST to comment on this article!



	>>> More Utilities Articles >>> More By Matthew Broersma

Email Article To Friend ♦ Print Version Of Article ♦ PDF Version Of Article

FREE ZIFF DAVIS ENTERPRISE ESEMINARS AT ESEMINARSLIVE.COM

Dec 5, 2 p.m. ET
Case Studies in MSP Profitability: 10 Processes to Automate to Achieve 2008 Goals with Michael Krieger. Sponsored by Autotask

Dec 6, 12:30 p.m. ET
The State of the Great Windows Vista Migration with Aaron Goldberg. Sponsored by Dell & Microsoft

Dec 6, 2 p.m. ET
Three Best Practices for Securing Microsoft Exchange with Michael Krieger. Sponsored by Entrust

Dec 6, 3 p.m. ET
Simplify Your World, part 2: A Virtual Desktops Case Study with Joel Shore. Sponsored by EqualLogic

Join us on Dec. 19 for Discovering Value in Stored Data & Reducing Business Risk. Join this interactive day-long event to learn how your enterprise can cost-effectively manage stored data while keeping it secure, compliant and accessible. Disorganized storage can prevent your enterprise from extracting the maximum value from information assets. Learn how to organize enterprise data so vital information assets can help your business thrive. Explore policies, strategies and tactics from creation through deletion. Attend live or on-demand with complimentary registration!

Register Today!

FEATURED CONTENT

Debate: What ERP Would Obama or Romney Choose?
What if we chose our ERP systems the same way we choose a president?
Join the great ERP debate at IT Link.
Let us know what selection process you’d vote for!

Free Trial - Windows Server 2008 Release Candidate.
Microsoft claims Visual Studio 2008, code-named Orcas, contains more than 250 new features and delivers significant enhancements in every edition.
Click Here to Continue >>

Sponsored by Ziff Davis Enterprise Group

DOWNLOADABLE ROI CALCULATORS & TOOLS FROM BASELINE

Calculate Cost and ROI of Spam, VOIP, RFID, Sarbanes-Oxley and more...

Featured Calculators:

See More Tools!
By Category| Planners |Calculators | Quizzes

Special Report

The Perfect PDF
PDFzone shows you how to shine and polish your PDF by adding the reader-friendly touches your audience desires.

Special Report

Microsoft's PDF Play
Microsoft planned to offer a "Save to PDF" function in Office 2007, but the threat of legal action from Adobe may have them reconsidering.

Special Report

PDF Conversion Central
Convert anything and everything to PDf and back again. Word docs, RSS, AutoCAD and more.

BUYER'S GUIDES

• Content management

• Document management

• PDF creation

• PDF conversion

• PDF Developer Tools

• Digital Rights Management

• Enterprise Content Mgmt

• Index & Search

View all >

	PDFZone: Contact Us \| Advertise \| Site Map

	Ziff Davis Enterprise Home \| Contact Us \| Advertise \| Link to Us \| Reprints \| Magazine Subscriptions \| Newsletters Tech RSS Feeds \| White Papers \| ROI Calculators \| Tech Podcasts \| Tech Video \| VARs \| System Builder
	Baseline \| Careers \| Channel Insider \| CIO Insight \| DesktopLinux \| DeviceForge \| DevSource \| eSeminars \| eWEEK \| Enterprise Network Security \| LinuxDevices \| Linux Watch \| Microsoft Watch \| Mid-market \| Networking \| PDF Zone \| Publish \| Security IT Hub \| Strategic Partner \| Web Buyer's Guide \| Windows for Devices
	Developer Shed \| Dev Shed \| ASP Free \| Dev Articles \| Dev Hardware \| SEO Chat \| Tutorialized \| Scripts \| Code Walkers \| Web Hosters \| Dev Mechanic \| Dev Archives \| igrep Use of this site is governed by our Terms of Use and Privacy Policy
	Copyright ©1996-2008 Ziff Davis Enterprise Holdings Inc. All Rights Reserved. PDFzone is a trademark of Ziff Davis Enterprise, Inc. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise, Inc. is prohibited.