Adobe Systems patches two zero-day vulnerabilities affecting multiple versions of Adobe Reader and Adobe Acrobat. One security vulnerability affects Reader and Acrobat across all platforms; the second bug affects Reader on Unix systems.
Adobe Systems released patches for zero-day flaws in Adobe Reader and Adobe Acrobat on May 12.
The first of the Adobe bugs, a problem with the GetAnnots Doc method in the JavaScript API, affects Adobe Reader and Acrobat versions 9.1 and earlier across all platforms. To exploit this vulnerability, attackers need a PDF file that contains an annotation and has an OpenAction entry with JavaScript code that calls this method with crafted integer arguments. With that, attackers can exploit the vulnerability to execute code or trigger a denial of service.
The second vulnerability affects Adobe Reader for Unix only. The CustomDictionaryOpen spell method in the JavaScript API allows attackers to remotely launch a denial of service or execute arbitrary code via a PDF file that triggers a call to this method with a long string in the second argument.
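Both bugs share the same delivery shape the article describes: a PDF whose OpenAction runs embedded JavaScript that calls one of the two affected methods. The following Python scanner, written for this article and not part of Adobe's software or of any published advisory, pulls the script text out of a PDF's /JS entries (literal and hex string forms, including nested parentheses) and flags the document when an OpenAction is present and the script references getAnnots or customDictionaryOpen. The sample documents are constructed fragments, not real exploit files; the method names are matched case-insensitively because the article's capitalisation differs from the JavaScript API spelling.

```python
import re

# Method names taken from the article; matched case-insensitively.
# This is a hypothetical triage tool, not Adobe's code.
WATCHED_METHODS = ("getAnnots", "customDictionaryOpen")


def read_literal_string(data, pos):
    """Decode a PDF literal string "( ... )" starting at data[pos].

    Handles nested balanced parentheses and backslash escapes well enough
    to recover the script text for keyword matching. Returns (text, end)."""
    depth = 0
    out = bytearray()
    i = pos
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":              # escaped byte: keep the next byte verbatim
            out += data[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out), i + 1
            out += c
        else:
            out += c
        i += 1
    return bytes(out), i            # unterminated string: return what we have


def extract_js(pdf):
    """Return the text of every /JS entry, whether a literal or a hex string."""
    scripts = []
    for m in re.finditer(rb"/JS\s*", pdf):
        start = m.end()
        if pdf[start:start + 1] == b"(":
            text, _ = read_literal_string(pdf, start)
            scripts.append(text)
        elif pdf[start:start + 1] == b"<":
            end = pdf.find(b">", start)
            hexdata = re.sub(rb"\s", b"", pdf[start + 1:end])
            if len(hexdata) % 2:    # PDF allows an odd trailing digit: pad with 0
                hexdata += b"0"
            scripts.append(bytes.fromhex(hexdata.decode("ascii")))
        # Indirect references (/JS 5 0 R) and compressed streams are not
        # followed here; a production scanner must resolve and inflate them.
    return scripts


def analyze(pdf):
    """Flag a PDF whose OpenAction JavaScript references a watched method."""
    has_open_action = b"/OpenAction" in pdf
    scripts = extract_js(pdf)
    hits = sorted({name for s in scripts for name in WATCHED_METHODS
                   if name.lower().encode() in s.lower()})
    return {
        "open_action": has_open_action,
        "script_count": len(scripts),
        "watched_methods": hits,
        "flagged": has_open_action and bool(hits),
    }


# Constructed sample fragments (not complete PDFs, not real exploit files):
# they contain only the objects the scanner looks at.
BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj
2 0 obj << /S /JavaScript /JS (app.alert("Welcome (page 1)");) >> endobj
"""

GETANNOTS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj
2 0 obj << /S /JavaScript /JS (var a = this.getAnnots(0, 1); app.alert(a.length);) >> endobj
3 0 obj << /Type /Annot /Subtype /Text /Contents (note) >> endobj
"""

# Same kind of call hidden in a hex string, a common low-effort obfuscation.
SPELL_HEX = (b"%PDF-1.4\n1 0 obj << /OpenAction 2 0 R >> endobj\n"
             b"2 0 obj << /S /JavaScript /JS <"
             + b'spell.customDictionaryOpen("en", x);'.hex().encode("ascii")
             + b"> >> endobj\n")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("getAnnots", GETANNOTS), ("spell-hex", SPELL_HEX)):
        print(label, analyze(doc))
```

The scanner is deliberately conservative: a hit on the method name alone is only a triage signal, since legitimate forms scripts call getAnnots too, and the combination with an OpenAction is what matches the delivery pattern the article describes. Scripts built up at runtime from string fragments will evade the keyword match, which is why string-based triage should be backed by opening suspect files in an instrumented sandbox.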
Proof-of-concept exploit code for both flaws has been circulating on the Web, although Adobe stated in early May that it was not aware of any attacks.
Adobe wasn't the only company to issue patches May 12. For Patch Tuesday, Microsoft issued several fixes for Office PowerPoint.