Adobe shuts backdoor in PDF Reader, some old versions still vulnerable

Summary: As promised earlier this month, Adobe has shipped a fix for the URI protocol handling vulnerability that left a backdoor open on Windows XP machines with Internet Explorer 7 installed.

The patch, rated "critical," addresses multiple flaws in Adobe Reader and Acrobat that could allow an attacker to take complete control of a vulnerable system.

From Adobe's advisory:

This issue only affects customers on Windows XP with Internet Explorer 7 installed. A malicious file must be loaded in Adobe Reader or Acrobat by the end user for an attacker to exploit these vulnerabilities.

[ SEE: Adobe confirms PDF backdoor, offers unsupported workaround ]

Adobe is strongly recommending that Windows users upgrade to Adobe Reader 8.1.1 or Acrobat 8.1.1 immediately.

It's important to note that this patch only applies to some versions of the software. For instance, there are no patches yet for Adobe Reader 7.0.9 and Acrobat 7.0.9. Adobe says those fixes will come "at a later date."

[ SEE: MS Outlook flaw adds new twist to URI handling saga ]

In the meantime, the temporary workaround is to disable the "mailto:" option in Acrobat, Acrobat 3D and Adobe Reader by modifying the application options in the Windows registry (see instructions here).

Microsoft is also planning to ship an update to address this issue.

Talkback

9 comments
  • Adobe Reader "Check for Updates" doesn't update!

    You would think Adobe would have made sure Reader's update feature downloaded the fix, wouldn't you?
    killerbunny
    • this happened on the last update also

      I agree it would be much better if Adobe were organised to push fixes out immediately.

      Compare to the present Real Player fiasco. You have to be reading tech blogs to know there's a fix needed for that also. They mention it as a software upgrade on their website, but haven't integrated it into the main download. As Ryan notes, they haven't had anything in their 'security upgrades' list since 2006.

      Reading about internal Microsoft 'cooperation' and 'teamwork' last night, it doesn't seem a surprise that these corps haven't got their own dysfunctions worked out either. Which doesn't make it either sensible or correct - in fact, cooperative understanding about security issues could be a springboard for much better working on other topics, like product design. The Microsoft case was about 'ink' - pen recognition - and how that's been stifled for years.

      Regards...
      Narr vi
  • All I can say is...

    http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm
    BillyG_n_SC
  • Fixed or not?

    Seeing that there was an update available, I started Reader, and told it to look for updates. It did and downloaded and installed an update. I then went to Help About and it says I am on 8.1.0 not on 8.1.1. So do I have the update or not?
    wdlists@...
    • You're not fixed...

      If you re-read the article and follow the link provided, you can go download the actual update from http://www.adobe.com/support/downloads/detail.jsp?ftpID=3806

      Adobe is like many an organization in that they don't keep up with their own patches and fixes.
      Technocrat@...
  • RE: Adobe shuts backdoor in PDF Reader, some old versions still vulnerable

    I hate Internet Explorer 7, that's why I uninstalled it cause it sucked. I use Internet Explorer 6 (sometimes). I am a Mozilla Firefox user.
    rebelxhardcore
    • Uh..

      "I hate Internet Explorer 7, that's why I uninstalled it cause it sucked. I use Internet Explorer 6 (sometimes). I am a Mozilla Firefox user."

      And just what does that have to do with the price of tea in China? The article has nothing to do with Internet Explorer or Firefox or Opera or anything else browser related. This has EVERYTHING to do with Adobe's PDF reader.
      Wolfie2K3
      • trolling for dollars

        Come now; let's not confuse a religious turf war with facts.
        hines@...
  • Acrobat 8.1.1 Reader Update works!

    ...As of about 5:30 pm PDT.

    Oddly enough, the link in the article led to a download of a 6.2 MB package and that wouldn't run. The .MSP is an extension linked to a graphic format and it kept wanting to load (unsuccessfully) in Paint Shop Pro.

    Doing the update via the Check for Updates, however, worked - it downloaded about 20 MB worth of updates and installed them.
    Wolfie2K3