Adobe Swats Reader, Acrobat Bugs

Adobe Systems patches two zero-day vulnerabilities affecting multiple versions of Adobe Reader and Adobe Acrobat. One security vulnerability affects Reader and Acrobat across all platforms; the second bug affects Reader on Unix systems.

Adobe Systems released patches for zero-day flaws in Adobe Reader and Adobe Acrobat on May 12.

The first of the Adobe bugs, a problem with the GetAnnots Doc method in the JavaScript API, affects Adobe Reader and Acrobat versions 9.1 and earlier across all platforms. To exploit this vulnerability, attackers need a PDF file that contains an annotation and has an OpenAction entry with JavaScript code that calls this method with crafted integer arguments. With that, attackers can exploit the vulnerability to execute code or trigger a denial of service.

The second vulnerability affects Adobe Reader for Unix only. The CustomDictionaryOpen spell method in the JavaScript API allows attackers to remotely launch a denial of service or execute arbitrary code via a PDF file that triggers a call to this method with a long string in the second argument.

Proof-of-concept exploit code for both flaws has been circulating the Web, although Adobe stated in early May it was not aware of any attacks.

Adobe wasn't the only company to issue patches May 12. For Patch Tuesday, Microsoft issued several fixes for Office PowerPoint.