Adobe Reader is vulnerable yet again

I figured it would happen eventually, but not quite so soon. It appears that Adobe Reader is suffering from at least two more zero-day vulnerabilities – less than two months after the JBIG2 vulnerability. Here’s the low-down.

All currently supported shipping versions of Adobe Reader and Acrobat (9.1, 8.1.4, and 7.1.1 and earlier versions) are vulnerable to this issue. Adobe plans to provide updates for all affected versions for all platforms (Windows, Macintosh and UNIX) to resolve this issue. The vulnerabilities are in the JavaScript engine of the Adobe products, so this affects both Adobe Reader and Adobe Acrobat. The vulnerabilities exist in two JavaScript functions, getAnnots() and spell.customDictionaryOpen(), and both allow remote code execution. One way to protect yourself is to disable JavaScript – see the simple instructions from F-Secure.
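Since both issues are reached only through a document's embedded JavaScript, a defender can triage incoming PDFs for JavaScript that fires on open and references those two functions. The following is an added example, not code from the original post or from Adobe; it is a deliberately small scanner that resolves `#xx` name escapes, walks parenthesised literal strings and uncompressed streams, and runs against a constructed sample PDF (`SAMPLE_PDF`) that is an assumption for illustration only.

```python
import re

# PDF names may be written with #xx escapes (e.g. /J#61vaScript for /JavaScript); resolve them first.
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# The two JavaScript API functions the post names as carrying the vulnerabilities.
SUSPECT_CALLS = (b"getAnnots", b"spell.customDictionaryOpen")

def normalize_names(doc: bytes) -> bytes:
    """Resolve #xx escapes in PDF names so obfuscated dictionary keys compare plainly."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), doc)

def literal_strings_after(doc: bytes, key: bytes) -> list:
    """Collect PDF literal strings `( ... )` following `key`, honouring nested parens and backslash escapes."""
    out = []
    for m in re.finditer(re.escape(key) + rb"\s*\(", doc):
        i, depth, buf = m.end(), 1, bytearray()
        while i < len(doc) and depth:
            ch = doc[i:i + 1]
            if ch == b"\\":               # keep the escape and the escaped byte verbatim
                buf += doc[i:i + 2]
                i += 2
                continue
            depth += (ch == b"(") - (ch == b")")
            if depth:                     # the closing paren of the string itself is dropped
                buf += ch
            i += 1
        out.append(bytes(buf))
    return out

def triage_pdf(data: bytes) -> dict:
    """Flag JavaScript presence, auto-execution triggers and suspect API calls. Only literal strings and
    uncompressed streams are inspected; compressed or string-built JavaScript needs a real parser."""
    doc = normalize_names(data)
    js_sources = literal_strings_after(doc, b"/JS")
    js_sources += re.findall(rb"stream\r?\n(.*?)\r?\nendstream", doc, re.S)
    hits = sorted({c.decode() for src in js_sources for c in SUSPECT_CALLS if c in src})
    return {
        "has_javascript": bool(re.search(rb"/(JS|JavaScript)\b", doc)),
        "runs_on_open": bool(re.search(rb"/(OpenAction|AA)\b", doc)),
        "suspect_calls": hits,
    }

# Constructed sample (not a real malicious file): OpenAction runs JavaScript that calls getAnnots.
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (var a = this.getAnnots({nPage: 0});) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
```

A hit on `suspect_calls` together with `runs_on_open` is a strong reason to quarantine the file until Adobe's patch is deployed, while an empty result is only the absence of an obvious indicator.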

Many people made this recommendation when the last vulnerability (the JBIG2 vulnerability) was uncovered, but it seems louder this time: find an alternative reader to the Adobe Reader product. If you need an idea of what is available out there, take a look at PDFreaders.org. I know that I have made the recommendation where I work, but it might not be that easy. Corporations sometimes rely heavily on Adobe Reader to view custom business forms that are used on a daily basis with customers. That reliance will often show itself in the in-house applications that make calls directly to the Adobe DLL.

You can read a bit more about the challenges of replacing Adobe Reader and Acrobat here.