Adobe Systems Inc. has posted a workaround for a critical zero-day flaw in its widely-used programs for making and reading .pdf documents. Attackers could exploit the flaw to hijack Windows machines.
The flaw affects Adobe Reader 8.1 and earlier versions, Adobe Acrobat Standard, Professional and Elements 8.1 and earlier versions; and Adobe Acrobat 3D. Millions of people use Adobe Acrobat to create .pdf documents and Adobe Reader to view them. Researcher Petko D. Petkov first disclosed the security hole Sept. 20, writing in the GNUCitizen blog that "the issue is quite critical given the fact that .pdf documents are in the core of today's modern business. This and the fact that it may take a while for Adobe to fix their closed-source product are the reasons why I am not going to publish any POCs (proof-of-concept code).
The flaw specifically threatens those running Windows XP with Internet Explorer 7.
As a workaround, Adobe recommended users disable the "mailto:" option in Acrobat, Acrobat 3D 8 and Adobe Reader by "modifying the application options in the Windows registry. Additionally, these changes can be added to network deployments to Windows systems."
This isn't the first time Adobe users have faced a serious security threat. In January, security experts were rattled by the disclosure of easily-exploitable Adobe Reader flaws that could be used for cross-site scripting attacks and other mayhem.