Adobe acknowledged that all versions of its popular PDF software, including editions for Windows, the Mac and Linux, contain at least one, and possibly two, critical vulnerabilities.
“All currently supported shipping versions of Adobe Reader and Acrobat, [versions] 9.1, 8.1.4, and 7.1.1 and earlier, are vulnerable to this issue,” said David Lenoe, the company’s security program manager, in a
went public early Tuesday.
“Adobe is also currently investigating the issue posted on SecurityFocus as BID 34740,” Lenoe added. That “Bugtraq ID,” or BID number, has been assigned to a
Proof-of-concept attack code for both bugs has already been published on the Web.
According to Lenoe, Adobe will patch Reader and Acrobat, though he did not spell out a timetable for the fixes. “We are working on a development schedule for these updates and will post a timeline as soon as possible,” he said.
owned up to a different critical vulnerability, one that was already being used by attackers at the time.
If Adobe’s patching pace for the newest bugs matches that of the February incident, it should have a fix available during the week of May 18.
Some security experts have urged users to switch PDF viewers. Finnish security company F-Secure Corp. repeated that recommendation today. “We’ve said it before, but it’s worth repeating — use an alternative to Adobe Acrobat Reader,” said Patrik Runald, a security response manager at F-Secure, in a
More information will be posted to Adobe’s security site as it becomes available, said Lenoe.