Windows users running Adobe Reader and Acrobat Standard and Professional versions 7.0.0 through 7.0.8 can be affected by the flaws when using Internet Explorer (IE).
The bugs are caused by "memory corruption errors in the AcroPDF ActiveX control…that does not properly handle malformed arguments," according to an advisory released this week by the French Security Incident Response Team (FrSIRT), which rated the threat critical and remotely exploitable.
Adobe offered a workaround in an advisory released Tuesday and said that its Secure Software Engineering and Adobe Reader Engineering teams are working together to resolve the problems. The company also noted that Acrobat 8 and a soon-to-be-released updated version of Reader do not contain the vulnerabilities.
As a fix, FrSIRT advised users to set a "kill bit" for CLSID, an identification tag associated with ActiveX objects that creates a specific component or server.
Researchers recently discovered an uptick in ActiveX bugs, used to enhance the IE's functionality.
"We're seeing a lot of problems with the web browsers," Lamar Bailey, security operations manager of X-Force, IBM Internet Security System's (ISS) research and development team, told SCMagazine.com earlier this month. "The browser is getting more sophisticated and the technologies are not as proven yet. People are looking at them and finding ways to exploit them."
Click here to email Dan Kaplan.
Adobe working on Reader, Acrobat vulnerabilities
By Dan Kaplan on Nov 30, 2006 7:51PM