Adobe plugs Acrobat security woe

Software vendor releases an update that addresses the cross-site scripting vulnerability identified by security researchers last week.
Written by Vivian Yeo, Contributor

Adobe on Wednesday released an update for businesses and individuals who use Acrobat Reader 7 but were unable to upgrade to the version recommended as a safeguard against the recent flaws.

The security flaw found in Adobe's Acrobat products was thought to be a conduit only for Web attacks, but security researchers later found that information on users' hard drives could also be exposed directly by a malicious link to a PDF file on a victim's PC.

According to Web security company Watchfire, the problem arises due to how the software instructs the Web browser to handle PDFs. The vulnerability allows JavaScript code appended to links to PDF files to run once the link is clicked, WhiteHat Security CTO Jeremiah Grossman explained last week.

Version 7.0.9--the update announced on Wednesday--is meant for "users with Adobe Reader 7.0 through 7.0.8, who cannot upgrade to Reader 8", according to an Adobe security bulletin.

The software vendor had recommended that users upgrade to Acrobat Reader 8.0 to minimize the risk of being exposed to the latest flaw in version 7.0.8 or earlier, but users in some countries were unable to do so due to the lack of language support for version 8.0, noted Danny Allan, Watchfire's director of security research.

China was one of the countries affected, he said. A check by ZDNet Asia found that other countries such as Hong Kong (traditional Chinese version), Korea, Taiwan, Finland, Italy, Latin America and the Netherlands were also unable to upgrade to version 8.0.

Adobe, which has assigned an "important" rating to the cross-site scripting vulnerability, told ZDNet Asia in an e-mail that it was not aware of any users who may have been affected.

According to an Adobe spokesperson, the company has also put out an advisory for Web site operators to help prevent cross-site scripting attacks from the server side.

The spokesperson noted that "additional solutions that address the cross-site scripting vulnerability for Adobe Reader 6 users will be available soon".