Feeds

Security hole in Adobe Acrobat

Door open for Trojan horses, viruses, worms

  • alert
  • submit to reddit

5 things you didn’t know about cloud backup

Updated Adobe has quietly released a patch for a security hole in its latest version of Acrobat, 4.05. The hole is a "buffer overrun" problem, which basically means that malicious code can get through Acrobat and run on the client machine. This, of course, means that all means of nasties can get at your PC.

The hole's discovery was posted on 26 July by Shadow Penguin Security (its techie explanation is displayed below), having sent Adobe its findings. Amazingly, Adobe claims to have posted a patch on 25 July. The problem only affects Acrobat for Windows (what a surprise). Acrobat, the Acrobat reader, Acrobat Business Tools and Acrobat Fill In are all affected.

A spokesman for the company advised that everyone download the patch (most of you will probably have Acrobat 4). He also said that downloads from now on will advise people on the situation.

Adobe's explanation and patch can be found here.

This is the techie explanation from Shadow Penguin Security: "We found the exploitable buffer overflow problem in Acrobat series for windows. Acrobat overflows when reading the PDF file which has long Registry or Ordering. They are one of the font CDI system information, you can see them in the PDF file which is generated by Acrobat. This buffer overflow overwrites the local buffer, the codes which are written in the specified string can be executed in the target host. If the PDF file which contains the cracking code in CID system information is opened by Acrobat series or Internet Explorer, the cracking code will be executed on the client host. This overflow contains the possibility of the virus and trojans infection, sytsem destruction, intrusion, and so on."

Update: A slew of emails from readers who have tried to install this patch has forced us to go back to Adobe to confirm some details. It was unwilling,
however, to do anything but repeat ad nauseam what was written on Adobe's information page (given above). We came off none the wiser. Requests to speak to technical staff amounted to nothing. We finally managed to elicit a tech support phone number. It got worse from here.

The queries we had were: Is there any risk to any versions apart from Acrobat 4.05? How do you get the patch to work with Acrobat if the application doesn't sit on your default drive?

We were advised yesterday to tell all readers with Acrobat version 4.0 upwards to download the patch, but the patch does not work with 4.0. Acrobat 4.05 - it would appear - is the only version affected and so the majority of users should be fine. You need to buy Acrobat 4.05 the application, but this version of the reader is free. If you do have the free reader version 4.05 (or the bought products of this version), the patch does not work if it is not on the default drive.

After negotiating the automated phone maze, we spent 10 minutes on hold, a further five minutes explaining that we were journalists and had been told by Adobe headquarters to call them to obtain technical information. The next five minutes was spent explaining the same thing to another person. The next
five we were back on hold. And then a final three-minute flourish which ended with us remarking: There must be someone in Adobe who knows how Acrobat works. "Um, no," was the response.

So there we have it. We don't know and neither does Adobe. Our advice would be to not upgrade at all or dig out that old copy if you have already done
so. Apparently though, the very latest version - 4.05c - is free from all problems.

Don't say we didn't try. If you fancy a go yourself, tech support can be reached on 0131 451 6888. The automated message gives eur-custserv@adobe.com
as a contact email. ®

Gartner critical capabilities for enterprise endpoint backup

More from The Register

next story
Why has the web gone to hell? Market chaos and HUMAN NATURE
Tim Berners-Lee isn't happy, but we should be
Microsoft boots 1,500 dodgy apps from the Windows Store
DEVELOPERS! DEVELOPERS! DEVELOPERS! Naughty, misleading developers!
'Stop dissing Google or quit': OK, I quit, says Code Club co-founder
And now a message from our sponsors: 'STFU or else'
Apple promises to lift Curse of the Drained iPhone 5 Battery
Have you tried turning it off and...? Never mind, here's a replacement
Linux turns 23 and Linus Torvalds celebrates as only he can
No, not with swearing, but by controlling the release cycle
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
This is how I set about making a fortune with my own startup
Would you leave your well-paid job to chase your dream?
prev story

Whitepapers

Best practices for enterprise data
Discussing how technology providers have innovated in order to solve new challenges, creating a new framework for enterprise data.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?