Feeds

Security hole in Adobe Acrobat

Door open for Trojan horses, viruses, worms

  • alert
  • submit to reddit

Providing a secure and efficient Helpdesk

Updated Adobe has quietly released a patch for a security hole in its latest version of Acrobat, 4.05. The hole is a "buffer overrun" problem, which basically means that malicious code can get through Acrobat and run on the client machine. This, of course, means that all means of nasties can get at your PC.

The hole's discovery was posted on 26 July by Shadow Penguin Security (its techie explanation is displayed below), having sent Adobe its findings. Amazingly, Adobe claims to have posted a patch on 25 July. The problem only affects Acrobat for Windows (what a surprise). Acrobat, the Acrobat reader, Acrobat Business Tools and Acrobat Fill In are all affected.

A spokesman for the company advised that everyone download the patch (most of you will probably have Acrobat 4). He also said that downloads from now on will advise people on the situation.

Adobe's explanation and patch can be found here.

This is the techie explanation from Shadow Penguin Security: "We found the exploitable buffer overflow problem in Acrobat series for windows. Acrobat overflows when reading the PDF file which has long Registry or Ordering. They are one of the font CDI system information, you can see them in the PDF file which is generated by Acrobat. This buffer overflow overwrites the local buffer, the codes which are written in the specified string can be executed in the target host. If the PDF file which contains the cracking code in CID system information is opened by Acrobat series or Internet Explorer, the cracking code will be executed on the client host. This overflow contains the possibility of the virus and trojans infection, sytsem destruction, intrusion, and so on."

Update: A slew of emails from readers who have tried to install this patch has forced us to go back to Adobe to confirm some details. It was unwilling,
however, to do anything but repeat ad nauseam what was written on Adobe's information page (given above). We came off none the wiser. Requests to speak to technical staff amounted to nothing. We finally managed to elicit a tech support phone number. It got worse from here.

The queries we had were: Is there any risk to any versions apart from Acrobat 4.05? How do you get the patch to work with Acrobat if the application doesn't sit on your default drive?

We were advised yesterday to tell all readers with Acrobat version 4.0 upwards to download the patch, but the patch does not work with 4.0. Acrobat 4.05 - it would appear - is the only version affected and so the majority of users should be fine. You need to buy Acrobat 4.05 the application, but this version of the reader is free. If you do have the free reader version 4.05 (or the bought products of this version), the patch does not work if it is not on the default drive.

After negotiating the automated phone maze, we spent 10 minutes on hold, a further five minutes explaining that we were journalists and had been told by Adobe headquarters to call them to obtain technical information. The next five minutes was spent explaining the same thing to another person. The next
five we were back on hold. And then a final three-minute flourish which ended with us remarking: There must be someone in Adobe who knows how Acrobat works. "Um, no," was the response.

So there we have it. We don't know and neither does Adobe. Our advice would be to not upgrade at all or dig out that old copy if you have already done
so. Apparently though, the very latest version - 4.05c - is free from all problems.

Don't say we didn't try. If you fancy a go yourself, tech support can be reached on 0131 451 6888. The automated message gives eur-custserv@adobe.com
as a contact email. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Microsoft WINDOWS 10: Seven ATE Nine. Or Eight did really
Windows NEIN skipped, tech preview due out on Wednesday
Business is back, baby! Hasta la VISTA, Win 8... Oh, yeah, Windows 9
Forget touchscreen millennials, Microsoft goes for mouse crowd
Apple: SO sorry for the iOS 8.0.1 UPDATE BUNGLE HORROR
Apple kills 'upgrade'. Hey, Microsoft. You sure you want to be like these guys?
ARM gives Internet of Things a piece of its mind – the Cortex-M7
32-bit core packs some DSP for VIP IoT CPU LOL
Microsoft on the Threshold of a new name for Windows next week
Rebranded OS reportedly set to be flung open by Redmond
Lotus Notes inventor Ozzie invents app to talk to people on your phone
Imagine that. Startup floats with voice collab app for Win iPhone
'Google is NOT the gatekeeper to the web, as some claim'
Plus: 'Pretty sure iOS 8.0.2 will just turn the iPhone into a fax machine'
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.