Feeds

Security hole in Adobe Acrobat

Door open for Trojan horses, viruses, worms

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

Updated Adobe has quietly released a patch for a security hole in its latest version of Acrobat, 4.05. The hole is a "buffer overrun" problem, which basically means that malicious code can get through Acrobat and run on the client machine. This, of course, means that all means of nasties can get at your PC.

The hole's discovery was posted on 26 July by Shadow Penguin Security (its techie explanation is displayed below), having sent Adobe its findings. Amazingly, Adobe claims to have posted a patch on 25 July. The problem only affects Acrobat for Windows (what a surprise). Acrobat, the Acrobat reader, Acrobat Business Tools and Acrobat Fill In are all affected.

A spokesman for the company advised that everyone download the patch (most of you will probably have Acrobat 4). He also said that downloads from now on will advise people on the situation.

Adobe's explanation and patch can be found here.

This is the techie explanation from Shadow Penguin Security: "We found the exploitable buffer overflow problem in Acrobat series for windows. Acrobat overflows when reading the PDF file which has long Registry or Ordering. They are one of the font CDI system information, you can see them in the PDF file which is generated by Acrobat. This buffer overflow overwrites the local buffer, the codes which are written in the specified string can be executed in the target host. If the PDF file which contains the cracking code in CID system information is opened by Acrobat series or Internet Explorer, the cracking code will be executed on the client host. This overflow contains the possibility of the virus and trojans infection, sytsem destruction, intrusion, and so on."

Update: A slew of emails from readers who have tried to install this patch has forced us to go back to Adobe to confirm some details. It was unwilling,
however, to do anything but repeat ad nauseam what was written on Adobe's information page (given above). We came off none the wiser. Requests to speak to technical staff amounted to nothing. We finally managed to elicit a tech support phone number. It got worse from here.

The queries we had were: Is there any risk to any versions apart from Acrobat 4.05? How do you get the patch to work with Acrobat if the application doesn't sit on your default drive?

We were advised yesterday to tell all readers with Acrobat version 4.0 upwards to download the patch, but the patch does not work with 4.0. Acrobat 4.05 - it would appear - is the only version affected and so the majority of users should be fine. You need to buy Acrobat 4.05 the application, but this version of the reader is free. If you do have the free reader version 4.05 (or the bought products of this version), the patch does not work if it is not on the default drive.

After negotiating the automated phone maze, we spent 10 minutes on hold, a further five minutes explaining that we were journalists and had been told by Adobe headquarters to call them to obtain technical information. The next five minutes was spent explaining the same thing to another person. The next
five we were back on hold. And then a final three-minute flourish which ended with us remarking: There must be someone in Adobe who knows how Acrobat works. "Um, no," was the response.

So there we have it. We don't know and neither does Adobe. Our advice would be to not upgrade at all or dig out that old copy if you have already done
so. Apparently though, the very latest version - 4.05c - is free from all problems.

Don't say we didn't try. If you fancy a go yourself, tech support can be reached on 0131 451 6888. The automated message gives eur-custserv@adobe.com
as a contact email. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Netscape Navigator - the browser that started it all - turns 20
It was 20 years ago today, Marc Andreeesen taught the band to play
Sign off my IT project or I’ll PHONE your MUM
Honestly, it’s a piece of piss
Return of the Jedi – Apache reclaims web server crown
.london, .hamburg and .公司 - that's .com in Chinese - storm the web server charts
Chrome 38's new HTML tag support makes fatties FIT and SKINNIER
First browser to protect networks' bandwith using official spec
Admins! Never mind POODLE, there're NEW OpenSSL bugs to splat
Four new patches for open-source crypto libraries
Torvalds CONFESSES: 'I'm pretty good at alienating devs'
Admits to 'a metric ****load' of mistakes during work with Linux collaborators
Ploppr: The #VultureTRENDING App of the Now
This organic crowd sourced viro- social fertiliser just got REAL
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.