Adobe patches zero-day bugs in Reader, Acrobat

Updates put paid to a JavaScript flaw in Adobe Reader and Acrobat for which exploit code was already circulating on the internet

Adobe has updated Adobe Reader and Adobe Acrobat to fix a serious JavaScript flaw affecting Windows, Mac, Linux and Unix, after code to exploit the bug was released on the internet.

As promised, the company sent out a security advisory on Tuesday with fixes for the vulnerability, and also patched a second flaw affecting Unix only. Security firm Secunia gave the flaws a "highly critical" ranking.

Adobe acknowledged on 27 April that proof-of-concept code for the flaws was circulating. The code was first released on the security website Packetstorm.

However, Adobe said in a blog post on Tuesday that it was not aware of any attacks actively exploiting the proof-of-concept code.

Both bugs could be exploited via a specially crafted PDF file to crash the affected applications or take control of a user's system, Adobe said in its advisory.

The first bug, affecting the broader range of platforms, involves the way Reader and Acrobat process calls to the JavaScript method "getAnnots()", which returns a document's annotations; a crafted call can be used to corrupt memory, according to Adobe.

The second bug, affecting only Unix, involves the way calls to the "customDictionaryOpen()" JavaScript method, part of the spell-check API, are processed.
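Because both flaws are reached through named JavaScript methods, a mail gateway or incident responder can at least triage incoming PDFs for calls to them. The scanner below is an added example written for this article; it is not Adobe's code and not the published proof-of-concept. It pulls JavaScript out of the three places a PDF usually carries it (a /JS literal string, a /JS hex string, or a stream object, inflated when it is FlateDecode-compressed), collapses the common "getAn" + "nots" string-splitting trick, and reports which of the two method names it sees. The helper and function names, and the sample PDFs it builds as fixtures, are all constructed for the example; it deliberately does not parse object streams or non-Flate filters, so a clean result is not proof of a clean file.

```python
"""Triage a PDF for calls to the two JavaScript methods named in Adobe's advisory.
Added example for this article (not Adobe's code); helper names are hypothetical."""
import re
import zlib

# The two JavaScript methods named in the advisory.
SUSPICIOUS_CALLS = {
    "getAnnots": re.compile(rb"getAnnots\s*\("),
    "customDictionaryOpen": re.compile(rb"customDictionaryOpen\s*\("),
}

# "N G obj << dict >> stream ... endstream", never crossing an endobj.
STREAM_OBJ_RE = re.compile(
    rb"\d+\s+\d+\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)endstream",
    re.DOTALL,
)


def _literal_string(buf, start):
    """Read the PDF literal string whose '(' sits at buf[start], honouring nested
    parentheses; only the escapes that matter for matching ( ) \\ are unescaped."""
    depth, i, out = 0, start, bytearray()
    while i < len(buf):
        c = buf[i:i + 1]
        if c == b"\\" and i + 1 < len(buf):
            nxt = buf[i + 1:i + 2]
            out += nxt if nxt in b"()\\" else b"\\" + nxt
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth == 1:
                i += 1
                continue
        elif c == b")":
            depth -= 1
            if depth == 0:
                break
        out += c
        i += 1
    return bytes(out)


def extract_js(pdf_bytes):
    """Yield every chunk that could hold JavaScript: /JS literal strings, /JS hex
    strings, and the data of each stream object (inflated when FlateDecode)."""
    for m in re.finditer(rb"/JS\s*\(", pdf_bytes):
        yield _literal_string(pdf_bytes, m.end() - 1)
    for m in re.finditer(rb"/JS\s*<([0-9A-Fa-f\s]*)>", pdf_bytes):
        hexdigits = re.sub(rb"\s", b"", m.group(1)).decode("ascii")
        if len(hexdigits) % 2:
            hexdigits += "0"  # PDF rule: a missing final hex digit is 0
        yield bytes.fromhex(hexdigits)
    for m in STREAM_OBJ_RE.finditer(pdf_bytes):
        dict_part, data = m.group(1), m.group(2)
        # Prefer a direct /Length over guessing where the binary data ends.
        length = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", dict_part)
        data = data[:int(length.group(1))] if length else data.rstrip(b"\r\n")
        if b"/FlateDecode" in dict_part:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue  # damaged or multi-filter stream; a full tool would flag it
        yield data


def deobfuscate(js):
    """Collapse "getAn" + "nots" style concatenation that hides a method name
    from naive matching. unescape()/eval of computed strings is not handled."""
    return re.sub(rb"""["']\s*\+\s*["']""", b"", js)


def scan_pdf(pdf_bytes):
    """Return the sorted names of suspicious calls found anywhere in the PDF."""
    found = set()
    for chunk in extract_js(pdf_bytes):
        chunk = deobfuscate(chunk)
        for name, pattern in SUSPICIOUS_CALLS.items():
            if pattern.search(chunk):
                found.add(name)
    return sorted(found)


def build_sample_pdf(js_source, compress=True):
    """Constructed fixture: a minimal PDF whose OpenAction runs js_source.
    It has no xref table (Reader would complain) but the scanner needs none."""
    body = zlib.compress(js_source) if compress else js_source
    filt = b"/Filter /FlateDecode " if compress else b""
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
        b"4 0 obj << /S /JavaScript /JS 5 0 R >> endobj\n"
        b"5 0 obj << " + filt + b"/Length " + str(len(body)).encode() + b" >>\nstream\n"
        + body + b"\nendstream\nendobj\n%%EOF\n"
    )


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            hits = scan_pdf(f.read())
        print(f"{path}: {hits or 'clean'}")
```

Run it as `python scan.py suspect.pdf` to list any hits. A match on either name is a reason to quarantine and open the file in a patched or JavaScript-disabled viewer, not proof of exploitation, since legitimate forms call getAnnots() too; conversely, real malicious PDFs of this period frequently packed the script in object streams or behind unescape(), which this check does not unwrap.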

The bugs affect Reader 9.1 and Acrobat 9.1, as well as earlier versions, Adobe said. The company has fixed the issues in Acrobat and Reader versions 9.1.1, 8.1.5 and 7.1.2. The updates are available via Adobe's advisory.

For those unable to update, the company recommended turning off JavaScript in the affected applications (in Reader and Acrobat this is the "Enable Acrobat JavaScript" option under Edit > Preferences > JavaScript). This blocks the attack path for both bugs but breaks PDF forms and other documents that rely on scripting, so it is a stopgap until the 9.1.1, 8.1.5 or 7.1.2 update can be applied.