'High risk' zero-day flaw haunts Adobe Acrobat, Reader

Summary: Adobe's ever-present Acrobat/PDF Reader software is prone to a nasty code execution vulnerability that could expose Windows users to PC takeover attacks.

Details of the flaw, which affects Windows XP SP2 with IE7 and Adobe Reader 8.1, 8.0 and 7, are being kept under wraps until Adobe releases a fix.

Petko D. Petkov, the researcher who discovered this issue, is not mincing words about the risk severity:

Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!! All it takes is to open a PDF document or stumble across a page which embeds one.

The issue is quite critical given the fact that PDF documents are in the core of today’s modern business. This and the fact that it may take a while for Adobe to fix their closed source product, are the reasons why I am not going to publish any POCs. You have to take my word for it. The POCs will be released when an update is available.

Petkov gave me a peek at a proof-of-concept exploit that worked as advertised. On my Windows XP box with a fully patched version of Adobe Reader, opening a rigged PDF file launched calc.exe without warning.

[Image: Unpatched Adobe PDF code execution vulnerability]

The exploit did not work during my tests on Windows Vista.

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
