Adobe Reader Plagued With Critical JavaScript Vulnerability
Adobe has confirmed the flaw in Adobe Reader 9.1 and 8.1.4, acknowledging in a blog post that "all currently supported shipping versions of Adobe Reader and Acrobat Reader are vulnerable to this issue."
In addition, Adobe Reader 8.1.4 and 9.1 for Linux may also be affected by the vulnerability, according to SecurityFocus.com.
If exploited, the flaw could allow remote attackers to launch a denial of service attack, crash an application, or take control of a system in order to view accounts and steal information.
Adobe said that it was currently investigating the flaw, and planned to provide security updates for all affected versions of Windows, Mac and Unix to resolve the issue.
"We are working on a development schedule for these updates and will post a time line as soon as possible," Adobe said. So far, there are no known "in the wild" attacks exploiting the vulnerability, Adobe added.
Reports indicate that the vulnerability is the result of an error in the "getAnnots" JavaScript function, according to US-CERT. To mitigate the risk, the federal agency recommends that users disable JavaScript in Adobe Reader. To do so, users are advised to open Edit > Preferences, select the JavaScript category, and uncheck the "Enable Acrobat JavaScript" option.
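A defender-side check for the US-CERT mitigation above, added here as an example that is not part of the article: it reports, and with -Disable enforces, the per-user Reader preference behind the "Enable Acrobat JavaScript" checkbox. It assumes (Adobe-documented, but not stated on this page) that the setting is stored as the DWORD value bEnableJS under HKCU\Software\Adobe\Acrobat Reader\<version>\JSPrefs, where 0 means disabled.

```powershell
# Audit (and optionally enforce) "Enable Acrobat JavaScript" for every
# Adobe Reader version the current user has preferences for.
# Assumption: the checkbox maps to the DWORD bEnableJS under
# HKCU\Software\Adobe\Acrobat Reader\<version>\JSPrefs (0 = disabled).
param([switch]$Disable)

$base = 'HKCU:\Software\Adobe\Acrobat Reader'
if (-not (Test-Path $base)) {
    Write-Output 'No Adobe Reader preferences found for this user.'
    return
}

foreach ($verKey in Get-ChildItem -Path $base) {
    $ver   = $verKey.PSChildName            # e.g. 8.0 or 9.0
    $jsKey = Join-Path $verKey.PSPath 'JSPrefs'
    $value = $null
    if (Test-Path $jsKey) {
        $value = (Get-ItemProperty -Path $jsKey -Name bEnableJS `
                  -ErrorAction SilentlyContinue).bEnableJS
    }

    if ($null -eq $value) {
        # Value absent: Reader falls back to its default, JavaScript enabled.
        $state = 'ENABLED (default, value not set)'
    } elseif ($value -eq 0) {
        $state = 'disabled'
    } else {
        $state = 'ENABLED'
    }
    Write-Output ('Reader {0}: Acrobat JavaScript {1}' -f $ver, $state)

    if ($Disable -and $value -ne 0) {
        if (-not (Test-Path $jsKey)) { New-Item -Path $jsKey | Out-Null }
        Set-ItemProperty -Path $jsKey -Name bEnableJS -Value 0 -Type DWord
        Write-Output ('Reader {0}: bEnableJS set to 0 (JavaScript disabled)' -f $ver)
    }
}
```

Run it while Reader is closed, since Reader writes its preferences back to the registry on exit and would otherwise overwrite the change.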
The security advisory comes just a month after Adobe issued a fix in March for a cross-platform vulnerability in Adobe Reader 9 and Acrobat Reader 9, as well as earlier versions, that was being actively exploited in the wild. Attackers exploiting that vulnerability were able to crash the application or take complete control of an affected system for identity-theft purposes.
Adobe upgraded users to Adobe Reader 9.1 and Acrobat Reader 9.1 for all platforms and Adobe Reader 8.1.4 for Unix at the end of March.