Holes in Adobe Reader...

May 2009

Another Adobe Reader security hole emerges. Security experts are recommending that people disable java_script in Adobe Reader following reports of a vulnerability in the popular portable document format reader on April 28. The vulnerability appears to be due to an error in the “getAnnots()” java_script function and exploiting it could allow someone to remotely execute code on the machine, according to an advisory from the US-CERT. “US-CERT encourages users and administrators to disable java_script in Adobe Reader to help mitigate the risk,” the post said. “To disable java_script in Adobe Reader, open the General Preferences dialog box. From the Edit-Preferences-java_script menu, uncheck ‘Enable Acrobat java_script.’” All currently supported shipping versions of Adobe Reader (8.1.4, 9.1 and

7.1.1 and earlier) are vulnerable and Windows, Macintosh and Unix platforms are affected, Adobe said in an advisory. The company said it would release updates for all the platforms but did not yet have a time frame for that. “We are currently not aware of any reports of exploits in the wild for this issue,” the advisory said.