Adobe Systems is planning to release a
patch for a zero-day flaw affecting Adobe Reader and Acrobat next week.
This
is the second zero-day flaw known to have been found in Adobe's Reader and
Acrobat products since March. On May 12, Adobe will push out a fix for versions 7, 8 and 9 on Windows PCs, as well
as updates for versions 8 and 9 on Mac and Unix machines.
The
Adobe Reader
and Acrobat problem lies with the getAnnots Doc method in the JavaScript API
in the vulnerable versions, which allows remote attackers to cause a denial of
service or execute arbitrary code via a PDF file that contains an annotation
and has an OpenAction entry with JavaScript code that calls this method with
crafted integer arguments.
Adobe
also confirmed a second
vulnerability in Reader affecting only Unix that will be fixed in an
update. In that instance, the CustomDictionaryOpen spell method in the
JavaScript API allows attackers to remotely
launch a denial of service or execute arbitrary code via a PDF file that
triggers a call to this method with a long string in the second argument.
"This
issue will be resolved in the upcoming Adobe Reader for Unix updates," said
a post on the Adobe PSIRT (Product Security Incident Response Team) blog.
"Currently, we have not been able to reproduce an exploitable scenario for
Windows and Macintosh, but we will continue to investigate."
Proof-of-concept
exploit code for both flaws has already begun circulating the Web, though Adobe
maintains it is not aware of any attacks. Users are advised to disable
JavaScript in Reader and Acrobat until a patch is available.
Making
a patch available for Adobe Reader and Acrobat, however, is only part of
the solution. According to data from Qualys, many users are still behind
in deploying a fix
released by Adobe in March.
IT Security & Network Security News & Reviews News & Reviews 
