Feeds

Security hole in Adobe Acrobat

Door open for Trojan horses, viruses, worms

  • alert
  • submit to reddit

High performance access to file storage

Updated Adobe has quietly released a patch for a security hole in its latest version of Acrobat, 4.05. The hole is a "buffer overrun" problem, which basically means that malicious code can get through Acrobat and run on the client machine. This, of course, means that all means of nasties can get at your PC.

The hole's discovery was posted on 26 July by Shadow Penguin Security (its techie explanation is displayed below), having sent Adobe its findings. Amazingly, Adobe claims to have posted a patch on 25 July. The problem only affects Acrobat for Windows (what a surprise). Acrobat, the Acrobat reader, Acrobat Business Tools and Acrobat Fill In are all affected.

A spokesman for the company advised that everyone download the patch (most of you will probably have Acrobat 4). He also said that downloads from now on will advise people on the situation.

Adobe's explanation and patch can be found here.

This is the techie explanation from Shadow Penguin Security: "We found the exploitable buffer overflow problem in Acrobat series for windows. Acrobat overflows when reading the PDF file which has long Registry or Ordering. They are one of the font CDI system information, you can see them in the PDF file which is generated by Acrobat. This buffer overflow overwrites the local buffer, the codes which are written in the specified string can be executed in the target host. If the PDF file which contains the cracking code in CID system information is opened by Acrobat series or Internet Explorer, the cracking code will be executed on the client host. This overflow contains the possibility of the virus and trojans infection, sytsem destruction, intrusion, and so on."

Update: A slew of emails from readers who have tried to install this patch has forced us to go back to Adobe to confirm some details. It was unwilling,
however, to do anything but repeat ad nauseam what was written on Adobe's information page (given above). We came off none the wiser. Requests to speak to technical staff amounted to nothing. We finally managed to elicit a tech support phone number. It got worse from here.

The queries we had were: Is there any risk to any versions apart from Acrobat 4.05? How do you get the patch to work with Acrobat if the application doesn't sit on your default drive?

We were advised yesterday to tell all readers with Acrobat version 4.0 upwards to download the patch, but the patch does not work with 4.0. Acrobat 4.05 - it would appear - is the only version affected and so the majority of users should be fine. You need to buy Acrobat 4.05 the application, but this version of the reader is free. If you do have the free reader version 4.05 (or the bought products of this version), the patch does not work if it is not on the default drive.

After negotiating the automated phone maze, we spent 10 minutes on hold, a further five minutes explaining that we were journalists and had been told by Adobe headquarters to call them to obtain technical information. The next five minutes was spent explaining the same thing to another person. The next
five we were back on hold. And then a final three-minute flourish which ended with us remarking: There must be someone in Adobe who knows how Acrobat works. "Um, no," was the response.

So there we have it. We don't know and neither does Adobe. Our advice would be to not upgrade at all or dig out that old copy if you have already done
so. Apparently though, the very latest version - 4.05c - is free from all problems.

Don't say we didn't try. If you fancy a go yourself, tech support can be reached on 0131 451 6888. The automated message gives eur-custserv@adobe.com
as a contact email. ®

High performance access to file storage

More from The Register

next story
Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
Veep testifies for Samsung during Apple patent trial
Microsoft: Windows version you probably haven't upgraded to yet is ALREADY OBSOLETE
Pre-Update versions of Windows 8.1 will no longer support patches
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Windows XP still has 27 per cent market share on its deathbed
Windows 7 making some gains on XP Death Day
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
US taxman blows Win XP deadline, must now spend millions on custom support
Gov't IT likened to 'a Model T with a lot of things on top of it'
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.