Adobe confirms PDF zero-day, urges users to kill JavaScript
Adobe Systems Inc. Tuesday acknowledged that all versions of its popular PDF software, including editions for Windows, the Mac and Linux, contain at least one, and possibly two, critical vulnerabilities.
"All currently supported shipping versions of Adobe Reader and Acrobat, [versions] 9.1, 8.1.4, and 7.1.1 and earlier, are vulnerable to this issue," said David Lenoe, the company's security program manager, in a blog entry Tuesday. Lenoe was referring to a bug in Adobe's implementation of JavaScript that went public early Tuesday.
"Adobe is also currently investigating the issue posted on SecurityFocus as BID 34740," Lenoe added. That "Bugtraq ID," or BID number has been assigned to a second JavaScript vulnerability in Adobe's Reader.
Proof-of-concept attack code for both bugs has already been published on the Web.
According to Lenoe, Adobe will patch Reader and Acrobat, though he did not spell out a timetable for the fixes. "We are working on a development schedule for these updates and will post a timeline as soon as possible," he said.
In lieu of a patch, Lenoe recommended that users disable JavaScript in Reader and Acrobat by selecting Preferences from the Edit menu, choosing "JavaScript," then unchecking the "Enable Acrobat JavaScript" option. (On the Mac, Preferences is under the "Adobe Reader" or "Adobe Acrobat" menus.) That recommendation is identical to what he offered two months ago when Adobe owned up to a different critical vulnerability, one that was already being used by attackers at the time.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
javascript
Powered by Twitter
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
