[gui-talk] Article: Adobe Issues Patch for PDF-related Vulnerability

Steve Pattison srp at internode.on.net
Mon Oct 22 18:17:28 CDT 2007


One place where you can download the Adobe Reader version 8.1.1 mentioned
in this article is www.majorgeeks.com/Adobe_Reader_d3852.html.  -Steve.

Adobe Issues Patch for PDF-related Vulnerability
By Scott M. Fulton, III,
BetaNews
October 22, 2007, 4:01 PM

It ended up not being Adobe's problem to begin with anyway: a 
vulnerability that enabled JavaScript code within a specifically 
crafted URL to run unchecked, and launch any executable code. When 
Petko D. Petkov of GNUCitizen.org discovered the problem, it appeared 
to have been directly triggered by Adobe Acrobat or Adobe Reader.

As it turned out, Windows XP and Internet Explorer 7 have a little
difficulty with parsing filenames that contain percent signs (%). A
maliciously crafted URL that points to a PDF file can have XP launch
executable code after it launches the reader for the PDF file. While it
wasn't Acrobat or Reader that triggered the launch, a fix from Adobe
issued today purports to thwart the launch, keeping the system secure.

BetaNews downloaded and tested Adobe's 8.1.1 patch for Acrobat 
Professional, with a proof-of-concept URL that we had seen previously 
load the Windows Calculator as proof it could launch any code without 
security checks. Now the application instead pulls up a dialog box, 
which reads, "Acrobat does not allow connection to: 
mailto:test%../../../../../../../../windows/system32/calc.exe".cmd"

Today's updates work with version 8 of the reader software. In its
advisory to users today, Adobe said a future update will be made
available for version 7.


Regards Steve
Email:  srp at internode.on.net
Skype:  steve1963
MSN Messenger:  internetuser383 at hotmail.com 
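The article describes Adobe's 8.1.1 behaviour only as a dialog refusing the "mailto:" connection. The following is an added example, not code from Adobe, BetaNews or the list poster, showing the kind of defender-side pre-check a URL-handling application can run before passing a mailto: link to the operating system's handler. Everything here (function names, the suffix list, the two benign or double-encoded sample strings) is an assumption made for illustration; only the first sample string is the proof-of-concept quoted in the article. It goes slightly beyond the article by also decoding double-percent-encoded input before inspecting it.

```python
import re
from urllib.parse import unquote

# Suffixes Windows hands to a program loader (constructed list for this example)
EXECUTABLE_SUFFIXES = (".exe", ".cmd", ".bat", ".pif", ".scr", ".hta", ".vbs", ".js")
TRAVERSAL_MARKERS = ("../", "..\\")


def fully_decode(text, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so a
    double-encoded '%252e%252e' is seen as '..' just like a plain one."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def check_mailto(url):
    """Decide whether a mailto: URL is safe to pass to the OS URL handler.

    Returns (verdict, reasons): verdict is 'allow', 'block' or 'not-mailto';
    reasons lists every indicator that contributed to a block.
    """
    if not url.lower().startswith("mailto:"):
        return "not-mailto", []
    body = url[len("mailto:"):]
    decoded = fully_decode(body)
    lowered = decoded.lower()
    reasons = []

    if any(marker in lowered for marker in TRAVERSAL_MARKERS):
        reasons.append("path traversal sequence")
    if "/" in decoded or "\\" in decoded:
        reasons.append("filesystem path separator")
    # A well-formed address never keeps a bare '%' after decoding; the
    # article's PoC relied on '%' confusing the shell's filename parsing.
    if "%" in decoded:
        reasons.append("stray percent sign")
    if '"' in decoded:
        reasons.append("quote character")
    # Inspect each name-like token (split on separators, quotes, whitespace)
    # for an executable extension at its end.
    for token in re.split(r'[\\/"\s]+', lowered):
        for suffix in EXECUTABLE_SUFFIXES:
            if token.endswith(suffix):
                reasons.append("executable suffix " + suffix)

    return ("block" if reasons else "allow"), reasons


# Constructed samples: the first is the proof-of-concept string quoted in the
# article; the other two are made up for this example.
SAMPLES = [
    'mailto:test%../../../../../../../../windows/system32/calc.exe".cmd',
    "mailto:alice@example.com?subject=Hello%20there",
    "mailto:x%252e%252e%2F%252e%252e%2Fwindows%2Fnotepad.exe",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, why = check_mailto(sample)
        print(f"{verdict:7} {sample}")
        for reason in why:
            print("        -", reason)
```

The check deliberately reports every indicator rather than stopping at the first one, which makes the resulting log line useful for detection engineering: a mailto: link that trips "path traversal sequence" together with "executable suffix" is the pattern the article describes, whereas a lone stray percent sign is more likely a mis-encoded but harmless address.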

