A critical security vulnerability in an ActiveX control used by Internet Explorer could allow malicious hackers to use Adobes Reader and Acrobat software to launch PC hijack attacks, according to a warning from Adobe Systems.
The San Jose, Calif., company released an advisory with pre-patch workarounds and warned that multiple unpatched flaws could cause software crashes and “potentially allow an attacker to take control of the affected system.”
Affected software includes Adobe Reader 7.0.0 through 7.0.8 and Adobe Acrobat Standard and Professional 7.0.0 through 7.0.8 on the Windows platform.
The bugs are only triggered when using Internet Explorer. Users of other browsers are not affected.
Adobe said it is working on a comprehensive patch that will ship “soon” and stressed than an upcoming upgrade to the widely used Adobe Reader program is not vulnerable to this issue.
Temporary workaround:
Adobe suggests that affected users apply the following workaround:
* Browse to :Program FilesAdobeAcrobat 7.0ActiveX. Note: If you did not install Acrobat to the default location, browse to the location of your Acrobat 7.0 folder.
* Select AcroPDF.dll and delete it.
The workaround will prevent PDF documents from opening within an Internet Explorer window. After applying the workaround, clicking on PDF files within Internet Explorer will either open the files in a separate instance of Adobe Reader or prompt the user to download the file, which can then be opened in Adobe Reader.
The company warned that the workaround may disrupt some enterprise workflows and use of PDF forms.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK Security Watch blog.