Adobe confirms PDF backdoor, offers unsupported workaround

Summary: In a pre-patch advisory, Adobe offered a complicated (and unsupported) workaround for its customers and promised a comprehensive fix will be ready before the end of October 2007.

Adobe has fessed up to a dangerous code execution vulnerability affecting software programs installed on millions of Windows machines.

The flaw, publicly disclosed more than three weeks ago, could allow hackers to use rigged PDF files to take control of Windows XP computers with Internet Explorer 7 installed.

The bug affects Adobe Reader 8.1 and earlier versions, Adobe Acrobat Standard, Professional and Elements 8.1 and earlier versions, and Adobe Acrobat 3D.

[SEE: ‘High risk’ zero-day flaw haunts Adobe Acrobat, Reader]

In a pre-patch advisory, Adobe offered a complicated (and unsupported) workaround for its customers and promised a comprehensive fix will be ready before the end of October 2007.

The workaround involves disabling the mailto: option in Acrobat, Acrobat 3D 8 and Adobe Reader by modifying the application options in the Windows registry.

In its advisory, Adobe provided step-by-step instructions for manually editing the registry, but Windows users should be aware that careless registry editing can cause serious problems.

Adobe's public acknowledgment comes a day after Heise Security warned of similar URI handling bugs affecting a wide range of Windows applications. These include Skype (silently fixed), AOL's Netscape browser, mIRC and Miranda.

[SEE: Microsoft should block that IE-to-Firefox attack vector]

According to security alerts aggregator Secunia, this is a "highly critical" Windows vulnerability that should be fixed by Microsoft, but Redmond's security response officials have no such plans, insisting it is "very difficult" to put protections in place without breaking existing applications.


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
