Slashdot Mirror


Adobe Warns of Reader, Acrobat Attack

itwbennett writes "Monday afternoon, Adobe 'received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild,' the company said in a post to the company's Product Security Incident Response Team blog. According to malware tracking group Shadowserver, the vulnerability is due to a bug in the way Reader processes JavaScript code. Several 'tests have confirmed this is a 0-day vulnerability affecting several versions of Adobe Acrobat [Reader] to include the most recent versions of 8.x and 9.x. We have not tested on 7.x, but it may also be vulnerable,' Shadowserver said in a post on its Web site. The group recommends that concerned users disable JavaScript within Adobe's software as a work-around for this problem. (This can be done by un-checking the 'Enable Acrobat JavaScript' in the Edit -> Preferences -> JavaScript window). 'This is legit and is very bad,' Shadowserver added."

1 of 195 comments (clear)

  1. Re:Anyone still has JavaScript enabled? by jasonwc · · Score: 4, Interesting

    I agree. These security vulnerabilities appear to be a weekly occurrence. Anyone that hasn't disabled Javascript in Reader/Acrobat at this point either doesn't care about the numerous vulnerabilities or doesn't understand the risks involved.

    The bigger question is why Adobe doesn't just disable Javascript by default. I have never used a PDF that required Javascript and I've dealt with a number of user-fillable forms. So, what exactly is Javascript being used for? I know that it has some use. However, it seems that the security risk is far greater than any potential benefit of the "feature".