Adobe PDF Reader patched due to critical flaws

Adobe has issued a security update to fix critical vulnerabilities in its PDF-focused Adobe Reader and Acrobat applications.

Adobe Reader version 9, released in June of this year, is not affected.

The vulnerabilities were identified in Adobe Reader and Acrobat 8.1.2 as well as earlier versions and caused the application to crash as well as potentially allowing an attacker to take control of the affected system.

Security vendor Core Security said that Adobe Reader was able to be exploited through the use of a specially-crafted PDF file which carries malicious JavaScript content.

For the vulnerability to successfully work, a user would need to open the maliciously-crafted PDF file. Attackers would then be free to execute arbitrary code.

Once Core Security made the discovery, it alerted Adobe and the two companies joined forces to create a patch to solve the problem and protect vulnerable users.

Core Security's chief technology officer (CTO) Ivan Arce said that the complexity of Adobe Reader created a broad surface for potential vulnerabilities and that Adobe's inclusion of a JavaScript engine could have introduced implementation bugs.

He said: "The bug was discovered while investigating a previously disclosed and similar problem in another PDF application, highlighting the manner in which common implementation mistakes are frequently shared among multiple vendors."

It's not the first time Adobe has had security problems in the recent months. In August, Adobe investigated Flash banner ads hijacking users' clipboards, while in October Adobe's website suffered a SQL injection attack.