Adobe Reader and Acrobat contain multiple security flaws attackers could exploit to execute malicious commands on victims' computers, the French Security Incident Response Team (FrSIRT) warned in an advisory.
Adobe recommends users of Adobe Reader 7.0 through 7.0.8 upgrade to Reader 8 to fix the problems. It also released a workaround.
FrSIRT said memory corruption errors exist in the AcroPDF ActiveX control, also known as AcroPDF.dll. Because of this, the application mishandles malformed arguments passed to the "setPageMode()", "setLayoutMode()", "setNamedDest()", and "LoadFile()" methods. Attackers could exploit this to execute arbitrary commands by tricking the user into visiting a specially crafted Web page with Internet Explorer.
Adobe acknowledged the existence of the flaws in an advisory, saying, "These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system."
The problems affect Adobe Reader 7.0.0 through 7.0.8 and Adobe Acrobat Standard and Professional 7.0.0 through 7.0.8 on the Windows platform when using Internet Explorer. Users of other browsers are not affected, Adobe said.
Adobe also said the following workaround will prevent exploits from occurring:
- Exit Internet Explorer and Adobe Reader.
- Browse to :\Program Files\Adobe\Acrobat 7.0\ActiveX. [If Acrobat is not installed to the default location, browse to the location of the Acrobat 7.0 folder.]
- Select AcroPDF.dll and delete it.
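The workaround steps above can be scripted for a fleet of Windows machines. The following PowerShell is an added example, not code from Adobe or FrSIRT. The `-AcrobatRoot` parameter is hypothetical, the process names `iexplore`, `AcroRd32` and `Acrobat` are assumed to be the Internet Explorer, Reader and Acrobat executables, and the affected-range flag assumes the DLL's file version tracks the product version.

```powershell
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical parameter: Acrobat 7.0 folder(s) to check. Defaults to the
    # location named in the workaround, under each Program Files directory.
    [string[]]$AcrobatRoot = @(
        $env:ProgramFiles, ${env:ProgramFiles(x86)} |
            Where-Object { $_ } |
            Select-Object -Unique |
            ForEach-Object { Join-Path $_ 'Adobe\Acrobat 7.0' }
    )
)

# Step 1 of the workaround: Internet Explorer and Reader must be closed.
# Process names are assumptions (see lead-in).
$running = Get-Process -Name iexplore, AcroRd32, Acrobat -ErrorAction SilentlyContinue
if ($running) {
    $names = $running | Select-Object -ExpandProperty ProcessName | Sort-Object -Unique
    Write-Warning ("Close these programs and run again: " + ($names -join ', '))
    return
}

foreach ($root in $AcrobatRoot) {
    # Steps 2 and 3: locate the ActiveX control inside the Acrobat 7.0 folder.
    $dll = Join-Path $root 'ActiveX\AcroPDF.dll'
    if (-not (Test-Path -LiteralPath $dll)) {
        Write-Verbose "AcroPDF.dll not present at $dll"
        continue
    }

    # Record the version before removal. The range flag is informational and
    # rests on the assumption that the file version matches 7.0.0 - 7.0.8.
    $v = (Get-Item -LiteralPath $dll).VersionInfo
    $inRange = ($v.FileMajorPart -eq 7) -and ($v.FileMinorPart -eq 0) -and ($v.FileBuildPart -le 8)

    $removed = $false
    if ($PSCmdlet.ShouldProcess($dll, 'Delete AcroPDF ActiveX control')) {
        Remove-Item -LiteralPath $dll -Force
        $removed = -not (Test-Path -LiteralPath $dll)
    }

    # One result object per machine/path, suitable for Export-Csv.
    New-Object PSObject -Property @{
        Computer        = $env:COMPUTERNAME
        Path            = $dll
        FileVersion     = $v.FileVersion
        InAffectedRange = $inRange
        Removed         = $removed
    }
}
```

Running it with `-WhatIf` lists what would be deleted without changing anything, which is useful for inventorying hosts that still carry the control.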