Adobe Reader hit by more zero-day flaws

Two more zero-day flaws have been found in Adobe Reader that could lead to users' machines being compromised.

The flaws, which affect versions of the software on all operating systems, concern the Javascript processing function in Adobe Reader. Exploiting either flaw could allow arbitrary code to be executed on a victim's machine. According to a Secunia advisory, they were discovered by a security researcher going by the nickname Arr1val.
 
The first flaw involves an error when processing calls to the getAnnots() Javascript method, which could be used to corrupt memory. The second flaw, which could also corrupt memory, can be invoked by using the customDictionaryOpen() command.
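Defenders who cannot patch yet may want to know whether incoming PDFs carry Javascript that calls the methods named here. The following is an added triage example, not code from the article, Secunia or Adobe: it pulls /JS payloads out of a PDF (inline literal strings and referenced stream objects, with /Length and /FlateDecode honoured) and reports which of the named methods they call. It assumes the simplified PDF syntax shown in the constructed samples; real files with object streams, cross-reference streams or string obfuscation need a full parser.

```python
import re
import zlib

# Methods the article names as the triggers of the Reader Javascript flaws.
WATCHED_CALLS = (b"getAnnots", b"customDictionaryOpen", b"util.printf")

def _literal(pdf, start):
    # Contents of the literal string whose '(' is at pdf[start]; honours nesting and backslash escapes.
    depth, i = 0, start
    while i < len(pdf):
        c = pdf[i:i + 1]
        depth += (c == b"(") - (c == b")")
        if depth == 0:
            return pdf[start + 1:i]
        i += 2 if c == b"\\" else 1
    return pdf[start + 1:]

def _stream(pdf, objnum):
    # Decoded payload of "<objnum> 0 obj ... stream ... endstream", honouring /Length and /FlateDecode.
    m = re.search(rb"(?<!\d)" + str(objnum).encode() + rb"\s+0\s+obj(.*?)endobj", pdf, re.S)
    s = m and re.search(rb"stream\r?\n", m.group(1))
    if not s:
        return b""
    body, data = m.group(1), m.group(1)[s.end():]
    length = re.search(rb"/Length\s+(\d+)", body)
    data = data[:int(length.group(1))] if length else data.split(b"endstream")[0]
    if b"/FlateDecode" in body:
        try:
            data = zlib.decompress(data)
        except zlib.error:
            pass  # keep the raw bytes; they are still worth scanning
    return data

def extract_js(pdf):
    # Every /JS payload: an inline literal string or a reference to a stream object.
    return [_literal(pdf, m.start(1)) if m.group(1) else _stream(pdf, int(m.group(2)))
            for m in re.finditer(rb"/JS\s*(?:(\()|(\d+)\s+0\s+R)", pdf)]

def scan_pdf(pdf):
    # Sorted names of the watched methods that the file's Javascript calls; [] when none.
    return sorted({n.decode() for js in extract_js(pdf) for n in WATCHED_CALLS
                   if re.search(rb"\b" + re.escape(n) + rb"\s*\(", js)})

# Constructed samples (not real exploit files): an inline literal and a Flate-compressed stream.
INLINE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /JavaScript /JS (var a = this.getAnnots(); app.alert(a.length);) >> endobj\n")
_Z = zlib.compress(b"spell.customDictionaryOpen('words');")
STREAM_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n3 0 obj << /Length " + str(len(_Z)).encode()
              + b" /Filter /FlateDecode >>\nstream\n" + _Z + b"\nendstream\nendobj\n")
```

A hit only says the document calls a method the advisory names, which legitimate forms and spell-check scripts also do; treat it as a reason to quarantine and inspect, not as proof of exploitation.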
 
Adobe's PSIRT blog confirmed that the vulnerability applied to more than just the Linux versions of its software, the platform on which the flaws were originally discovered. "All currently supported shipping versions of Adobe Reader and Acrobat (Adobe Reader and Acrobat 9.1, 8.1.4, and 7.1.1 and earlier versions) are vulnerable to this issue," it said. "Adobe plans to provide updates for all affected versions for all platforms (Windows, Macintosh and Unix) to resolve this issue."
 
However, it did not give a projected release date for a patch resolving the issue, instead saying that it was working on a timeline.
 
Adobe's Reader program has been a cause of concern for enterprise and consumer users alike this year. In February, a zero-day vulnerability was found in the software, which allowed the remote execution of arbitrary code. The vulnerability, which occurred when the file was opened, was later found to exist even when users hovered their mouse over the PDF. Disabling Javascript failed to completely mitigate the problem.
 
Last November, a flaw was found which again allowed the execution of arbitrary code, this time through the util.printf Javascript function. That vulnerability was said to have been exploited in the wild after researchers found specially rigged PDFs online.