The flaw, which came to light yesterday, is the software’s execution of Javascript and allows attackers to ether run code on target systems or crash the application. US-CERT has also issued an advisory on the problem, which occurs in the "getAnnots" JavaScript function.
“All currently supported shipping versions of Adobe Reader and Acrobat (Adobe Reader and Acrobat 9.1, 8.1.4, and 7.1.1 and earlier versions) are vulnerable to this issue,” said Adobe in a blog posting.
“Adobe plans to provide updates for all supported versions for all platforms (Windows, Macintosh and Unix) to resolve this issue.”
The company has given a timeline for the release of a patch but has said that, so far, no exploits have been seen in the wild.
The announcement is embarrassing for Adobe, coming after flaws that appeared last month. Some security experts are now recommending people switch to free alternative readers.
"We've said it before but it's worth repeating — use an alternative to Adobe Acrobat Reader ," said Patrik Runald, a security response manager at F-Secure in the company blog.
“We won't recommend any reader over another as it would be better if people use a wide variety of them. A list of readers can be found here, pdfreaders.org. Others are Foxit, CutePDF, etc.”
