Adobe Warns Of Critical Acrobat Vulnerabilities

December 1, 2006

Network Computing

Adobe Systems this week issued an advisory acknowledging that vulnerabilities may exist in Windows versions of Adobe Reader and Acrobat that could crash the applications and enable remote attackers to gain complete control over affected PCs.

The flaws stem from memory corruption errors in the AcroPDF ActiveX control (AcroPDF.dll) and affect Adobe Reader, Acrobat Standard and Acrobat Professional versions 7.0.0 through 7.0.8, the San Jose, Calif.-based vendor said in a Tuesday advisory.

The vulnerabilities can only be triggered through Internet Explorer, and Adobe said it's working on an update to Adobe Reader and Acrobat 7.0.8 that will address the vulnerabilities.

Remote attackers could exploit the vulnerabilities by duping users into visiting a rigged Web page using Internet Explorer, according to the French Security Incident Response Team (FrSIRT). Adobe credited FrSIRT with discovering and reporting the flaws.

Adobe recommended that users delete the AcroPDF.dll from the Acrobat Program Files folder, but the company warned that doing so could impact enterprise workflows since it prevents PDF documents from opening in Internet Explorer. In addition, the FrSIRT recommended setting a kill bit for the CLSID {CA8A9780-280D-11CF-A24D-444553540000}.
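One way to audit and apply the kill-bit mitigation mentioned above, as an added example that is not part of the original article or of the Adobe or FrSIRT advisories. It uses the standard Internet Explorer "ActiveX Compatibility" registry key and the 0x400 kill-bit flag; the `-Apply` switch and the variable names are this example's own, and the Wow6432Node path is included on the assumption that 32-bit Internet Explorer may be running on 64-bit Windows.

```powershell
# Added example: report, and optionally set, the IE kill bit for the CLSID
# named in the article. Run elevated; without -Apply nothing is changed.
param([switch]$Apply)

$Clsid    = '{CA8A9780-280D-11CF-A24D-444553540000}'  # CLSID from the article
$FlagName = 'Compatibility Flags'
$KillBit  = 0x400                                     # kill-bit flag value
$Roots    = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # Registry view used by 32-bit IE on 64-bit Windows (assumption, see lead-in)
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

foreach ($root in $Roots) {
    if (-not (Test-Path $root)) { continue }          # view not present here

    $key     = Join-Path $root $Clsid
    $current = 0
    if (Test-Path $key) {
        $prop = Get-ItemProperty -Path $key -Name $FlagName -ErrorAction SilentlyContinue
        if ($prop) { $current = [int]$prop.$FlagName }
    }

    $isSet = ($current -band $KillBit) -eq $KillBit
    if ($isSet) {
        Write-Output "OK      $key (flags 0x$('{0:X}' -f $current))"
        continue
    }
    if (-not $Apply) {
        Write-Output "MISSING $key (flags 0x$('{0:X}' -f $current))"
        continue
    }

    # Create the key only if absent: New-Item -Force on an existing registry
    # key would replace it and drop any values already stored there.
    if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }

    # OR the kill bit into the existing flags so other bits are preserved.
    $new = $current -bor $KillBit
    New-ItemProperty -Path $key -Name $FlagName -PropertyType DWord `
        -Value $new -Force | Out-Null
    Write-Output "SET     $key (flags 0x$('{0:X}' -f $new))"
}
```

Running it without `-Apply` works as a fleet audit check; Internet Explorer must be restarted for a newly set kill bit to take effect.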

Adobe gave the vulnerabilities its highest rating of "critical," or 4 on a 4-point scale, as did the FrSIRT. However, Danish security research firm Secunia rated the vulnerabilities as "not critical," or 1 on a 5-point scale, on the grounds that the issues only crash the application and can't be used in remote code execution attacks.
