Adobe admits JavaScript flaw in Acrobat

Will fix it... when they get to it.

I talked very briefly about the flaw that allowed Vista to fall in the Pwn2Own competition this year, but I never did get into much detail. But since Adobe has admitted the flaw exists in another Adobe product, it is worth bringing up again.

The issue is JavaScript and the way that Acrobat and Flash (the plug-in for Flash and Flash Player) handle it. They do not handle it well at all. Because of this problem, malicious JavaScript (applets) can execute arbitrary code on a system through these two third-party applications. It was this exact flaw in the way JavaScript is handled by Flash that allowed Vista to be hacked. It seems that, in addition to the poor handling, it also allows the UAC feature in Vista to be bypassed for code executed by the plug-in and the application.

Adobe, although it has admitted to the flaw, has not given a timeline for fixing the affected applications, which include Acrobat (Reader as well) 9.1, 8.1.4, 7.1.1 and earlier.

Read more here

Adobe admits JavaScript flaw in Acrobat



Initially the firm said the vulnerability only afflicted its cumbersome Reader.

It appears the software's execution of JavaScript is flawed, allowing attackers to run code on targeted systems or crash applications willy-nilly.

Adobe Reader and Acrobat versions 9.1, 8.1.4, and 7.1.1 and earlier are vulnerable. Adobe said it hadn't found any live exploits yet.
