October 7th, 2007
Adobe confirms PDF backdoor, offers unsupported workaround
Adobe has fessed up to a dangerous code execution vulnerability affecting software programs installed on millions of Windows machines.
The flaw, publicly disclosed more than three weeks ago, could allow hackers to use rigged PDF files to take control of Window XP computers with Internet Explorer 7 installed.
The bug affects Adobe Reader 8.1 and earlier versions, Adobe Acrobat Standard, Professional and Elements 8.1 and earlier versions, and Adobe Acrobat 3D.
[SEE: ‘High risk’ zero-day flaw haunts Adobe Acrobat, Reader ]
In a pre-patch advisory, Adobe offered a complicated (and unsupported) workaround for its customers and promised a comprehensive fix will be ready before the end of October 2007.
The workaround involves disabling the mailto: option in Acrobat, Acrobat 3D 8 and Adobe Reader by modifying the application options in the Windows registry.
In its advisory, Adobe provided step-by-step instructions for manual editing of the registry but Windows users should be aware that careless registry editing can cause serious problems.
Adobe’s public acknowledgment comes a day after Heise Security warned of similar URI handling bugs affecting a wide range of Windows applications. These include Skype (silently fixed), AOL’s Netscape browser, mIRC and Miranda.
[SEE: Microsoft should block that IE-to-Firefox attack vector ]
According to security alerts aggregator Secunia, this is a “highly critical” Windows vulnerability that should be fixed by Microsoft but Redmond’s security response officials have no such plans, insisting it is “very difficult” to put protections in place without breaking existing applications.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
| 10/08/07
