Adobe Systems is planning to release a patch for a zero-day flaw affecting Adobe Reader and Acrobat next week.
This is the second zero-day flaw known to have been found in Adobe’s Reader and Acrobat products since March. On May 12, Adobe will push out a fix for versions 7, 8 and 9 on Windows PCs, as well as updates for versions 8 and 9 on Mac and Unix machines.
The Adobe Reader and Acrobat problem lies with the getAnnots Doc method in the JavaScript API in the vulnerable versions, which allows remote attackers to cause a denial of service or execute arbitrary code via a PDF file that contains an annotation and has an OpenAction entry with JavaScript code that calls this method with crafted integer arguments.
Adobe also confirmed a second vulnerability in Reader affecting only Unix that will be fixed in an update. In that instance, the CustomDictionaryOpen spell method in the JavaScript API allows attackers to remotely launch a denial of service or execute arbitrary code via a PDF file that triggers a call to this method with a long string in the second argument.
“This issue will be resolved in the upcoming Adobe Reader for Unix updates,” said a post on the Adobe PSIRT (Product Security Incident Response Team) blog. “Currently, we have not been able to reproduce an exploitable scenario for Windows and Macintosh, but we will continue to investigate.”
Proof-of-concept exploit code for both flaws has already begun circulating the Web, though Adobe maintains it is not aware of any attacks. Users are advised to disable JavaScript in Reader and Acrobat until a patch is available.
Making a patch available for Adobe Reader and Acrobat, however, is only part of the solution. According to data from Qualys, many users are still behind in deploying a fix released by Adobe in March.