Adobe confirms PDF zero-day, urges users to kill JavaScript
Adobe Systems Inc. Tuesday acknowledged that all versions of its popular PDF software, including editions for Windows, the Mac and Linux, contain at least one, and possibly two, critical vulnerabilities.
"All currently supported shipping versions of Adobe Reader and Acrobat, [versions] 9.1, 8.1.4, and 7.1.1 and earlier, are vulnerable to this issue," said David Lenoe, the company's security program manager, in a blog entry Tuesday. Lenoe was referring to a bug in Adobe's implementation of JavaScript that went public early Tuesday.
"Adobe is also currently investigating the issue posted on SecurityFocus as BID 34740," Lenoe added. That "Bugtraq ID," or BID number has been assigned to a second JavaScript vulnerability in Adobe's Reader.
Proof-of-concept attack code for both bugs has already been published on the Web.
According to Lenoe, Adobe will patch Reader and Acrobat, though he did not spell out a timetable for the fixes. "We are working on a development schedule for these updates and will post a timeline as soon as possible," he said.
In lieu of a patch, Lenoe recommended that users disable JavaScript in Reader and Acrobat by selecting Preferences from the Edit menu, choosing "JavaScript," then unchecking the "Enable Acrobat JavaScript" option. (On the Mac, Preferences is under the "Adobe Reader" or "Adobe Acrobat" menus.) That recommendation is identical to what he offered two months ago when Adobe owned up to a different critical vulnerability, one that was already being used by attackers at the time.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
javascript
Powered by Twitter
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
