Heads up: Patch your Adobe Reader now

Critical vulnerability in Adobe Reader 8(See important update below for information on patching this vulnerability).

Heads up for Windows users: There’s a critical, remotely exploitable vulnerability in Adobe Acrobat/Reader version 8.

According to an advisory from Core Security, Adobe Reader suffers from a stack buffer overflow when parsing specially crafted (invalid) PDF files. The flaw could be exploited if a user is tricked into opening a rigged PDF file, the company warned.

From the alert:

  • The vulnerability is caused due to a boundary error when parsing format strings containing a floating point specifier in the “util.printf()” JavaScript function. Successful exploitation of the vulnerability requires that users open a maliciously crafted PDF file thereby allowing attackers to gain access to vulnerable systems and assume the privileges of a user running Acrobat Reader. Adobe Reader version 9, which was released in June 2008, is not vulnerable to the reported problem.
  • A specifically crafted PDF file that embeds JavaScript code to manipulate the program’s memory allocation pattern and trigger the vulnerability can allow an attacker to execute arbitrary code with the privileges of a user running the Adobe Reader application.

Vulnerable versions: Adobe Reader 8.1.2 and Adobe Acrobat 8.1.2.

If, for some reason, you can’t upgrade to the latest version, Core says a possible workaround for this vulnerability is to disable JavaScript in Adobe Reader and Acrobat (in the software’s Edit/Preferences menu). Disabling JavaScript will prevent the issue, although it will also prevent many basic Acrobat and Reader workflows from properly functioning.


An Adobe security bulletin regarding the vulnerabilities has been published. The product updates are available at: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4084 (Windows), http://www.adobe.com/support/downloads/detail.jsp?ftpID=4093 (Mac), http://www.adobe.com/support/downloads/detail.jsp?ftpID=4094 (Linux/Solaris).