Adobe Security Patch Won’t Be Ready Until 2010

Unfortunately, it looks like there’s bad news for PDF users over the holidays.

After patching 7 vulnerabilities for its Flash Player on December 8th, Adobe still has 2 more exploitable vulnerabilities affecting its software line.

The first vulnerability affects Adobe’s Illustrator CS4 and is triggered by .eps (Encapsulated PostScript) files containing overly long data. According to a news release from eWeek.com, the memory corruption errors that occur while opening infected .eps files can potentially crash the application or allow arbitrary code to execute.

The other bug concerns the latest versions of Adobe Reader and Adobe Acrobat. It comes after the security improvements that were developed and implemented leading up to the latest version, 9.2.

So far, according to Computerworld.com reports, the attacks have been in the form of PDF email attachments claiming to be from the CNN cable news channel. Once opened, the malicious PDF then drops malware on the user’s computer to steal information.

Moreover, the attack code being used against Reader and Acrobat was made public by a computer security project that helps legit security researchers squash exploited bugs. This means that malicious users can take advantage of, and build upon, the exploit code itself, increasing the chance of widespread attacks. So beware.

Although the vulnerabilities are considered critical, Adobe won’t have a patch ready for either the Reader and Acrobat bug or the Illustrator CS4 vulnerability until January 12, 2010. In the meantime, Adobe cautions users to keep their protection software up to date, avoid suspicious-looking PDF attachments, and disable JavaScript.