Adobe shuts backdoor in PDF Reader, some old versions still vulnerable
The patch, rated "critical," addresses multiple flaws in Adobe Reader and Acrobat that could allow an attacker to take complete control of a vulnerable system.
From Adobe's advisory:
This issue only affects customers on Windows XP with Internet Explorer 7 installed. A malicious file must be loaded in Adobe Reader or Acrobat by the end user for an attacker to exploit these vulnerabilities.
Adobe is strongly recommending that Windows users upgrade to Adobe Reader 8.1.1 or Acrobat 8.1.1 immediately.
It's important to note that this patch only applies to some versions of the software. For instance, there are no patches yet for Adobe Reader 7.0.9 and Acrobat 7.0.9. Adobe says those fixes will come "at a later date."
In the meantime, the temporary workaround is to disable the "mailto:" option in Acrobat, Acrobat 3D and Adobe Reader by modifying the application options in the Windows registry (see instructions here).
Microsoft is also planning to ship an update to address this issue.