Adobe shuts backdoor in PDF Reader, some old versions still vulnerable

Summary:As promised earlier this month, Adobe has shipped a fix for the URI protocol handling vulnerability that left a backdoor open on Windows XP machines with Internet Explorer 7 installed.

Adobe shuts backdoor in PDF Reader, some old versions still vulnerable
As promised earlier this month, Adobe has shipped a fix for the URI protocol handling vulnerability that left a backdoor open on Windows XP machines with Internet Explorer 7 installed.

The patch, rated "critical," addresses multiple flaws in Adobe Reader and Acrobat that could allow an attacker to take complete control of a vulnerable system.

From Adobe's advisory:

This issue only affects customers on Windows XP with Internet Explorer 7 installed. A malicious file must be loaded in Adobe Reader or Acrobat by the end user for an attacker to exploit these vulnerabilities.

[ SEE: Adobe confirms PDF backdoor, offers unsupported workaround ]

Adobe is strongly recommending that Windows users upgrade to Adobe Reader 8.1.1 or Acrobat 8.1.1 immediately.

It's important to note that this patch only applies to some versions of the software. For instance, there are no patches yet for Adobe Reader 7.0.9 and Acrobat 7.0.9. Adobe says those fixes will come "at a later date."

[ SEE: MS Outlook flaw adds new twist to URI handling saga ]

In the meantime, the temporary workaround is to disable the "mailto:" option in Acrobat, Acrobat 3D and Adobe Reader by modifying the application options in the Windows registry (see instructions here).

Microsoft is also planning to ship an update to address this issue.

Topics: Windows, Enterprise Software, Microsoft, Operating Systems, Security, Software

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.