Severe Flaws Surface in Acrobat

January 16th, 2007: Adobe has released a security update for its popular Acrobat reader which addresses several critical flaws that potentially allow a hacker to take control of a compromised PC.

Reported on the 4th of January this year, the flaw affects both Windows and Linux versions of the software and has been labelled as severe due to it being remotely exploitable.

In a security bulletin, Adobe said that the fix for Acrobat addresses several vulnerabilities, and includes an update for cross-site scripting (XSS) that could enable malicious scripts to be forced into a browser session and a system to be taken over.

Cross-site scripting enables hackers to use malicious JavaScript in conjunction with a link to a PDF file to seize control of an unsuspecting user’s computer. As usual, the exploit needs to be activated by the end user in the first place, usually by clicking on a link in an email to open a PDF document.

Version 8.0, the most recent Acrobat release, is unaffected by the issue, and Adobe has recommended that all older versions be updated. If it is not possible to move up to version 8.0, Adobe has also released a patch enabling users to upgrade to version 7.0.9 instead.

Due to Acrobat’s extremely widespread use, the flaw could prove quite vicious. According to Khalid Kark, an analyst at Forrester Research: "The more prevalent the software is, the more important the threat is for you within your organisation to handle." Adobe has been commended for its swift resolution of Acrobat’s flaws; however, plugging the hole and getting the update out to users are two different things.

With increasing numbers of third-party applications being targeted by malicious users, IT departments and everyday users need to be more vigilant than ever to keep up to date not only their security and operating system software, but also popular internet-enabled third-party applications such as Skype, Acrobat and many more.
