Adobe fixes undisclosed vulnerabilities in Reader

by Jeremy Kirk

February 6, 2008 —

Adobe released on Wednesday
an update that fixes vulnerabilities in its widely used Reader document viewing
program.

Users are urged to upgrade to version 8.1.2, available
for download on Adobe's Web site.

Adobe has not given out details of the vulnerabilities, even though the company
has a section on its Web site detailing security advisories for Reader.

That could indicate that the vulnerabilities are fairly serious and could result
in a compromised PC, said Thomas Kristensen, chief technical officer for Secunia,
a security vendor in Denmark.

Secunia is performing a binary analysis of the old and new versions of Reader
to figure out the vulnerabilities. However, that analysis takes one to three
days, Kristensen said.

Kristensen said no proof-of-concept code has been seen yet and no attacks have
been reported. But people should be especially cautious of PDFs (Portable Document
Format), the common file type that Reader opens.

"PDFs are generally highly trusted," Kristensen said. "It's
a common format for exchanging information."

Secunia estimates that more than 60 percent of home PC users have the Reader
program, based on data from one of its software products that checks to see
if programs have up-to-date patches. Corporate use of Reader is less, around
30 percent, since many companies use other business applications that can open
PDFs, Kristensen said.

Hackers seized on PDFs last year after the disclosure of a protocol handling
vulnerability involving Windows. The problem allowed them to create malicious
PDF documents that would infect a PC with malicious software if opened.

Adobe officials could not be reached.

IDG News Service