Adobe shuts backdoor in PDF Reader, some old versions still vulnerable

As promised earlier this month, Adobe has shipped a fix for the URI protocol handling vulnerability that left a backdoor open on Windows XP machines with Internet Explorer 7 installed.

Adobe shuts backdoor in PDF Reader, some old versions still vulnerable
As promised earlier this month, Adobe has shipped a fix for the URI protocol handling vulnerability that left a backdoor open on Windows XP machines with Internet Explorer 7 installed.

The patch, rated "critical," addresses multiple flaws in Adobe Reader and Acrobat that could allow an attacker to take complete control of a vulnerable system.

From Adobe's advisory:

This issue only affects customers on Windows XP with Internet Explorer 7 installed. A malicious file must be loaded in Adobe Reader or Acrobat by the end user for an attacker to exploit these vulnerabilities.

[ SEE: Adobe confirms PDF backdoor, offers unsupported workaround ]

Adobe is strongly recommending that Windows users upgrade to Adobe Reader 8.1.1 or Acrobat 8.1.1 immediately.

It's important to note that this patch only applies to some versions of the software. For instance, there are no patches yet for Adobe Reader 7.0.9 and Acrobat 7.0.9. Adobe says those fixes will come "at a later date."

[ SEE: MS Outlook flaw adds new twist to URI handling saga ]

In the meantime, the temporary workaround is to disable the "mailto:" option in Acrobat, Acrobat 3D and Adobe Reader by modifying the application options in the Windows registry (see instructions here).

Microsoft is also planning to ship an update to address this issue.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.
See All