Adobe Confirms Acrobat JavaScript Security Threat

Adobe has begun warning Adobe Acrobat and Adobe Reader users that a reported zero-day security flaw involving JavaScript is real, and that there may be two critical vulnerabilities in the applications. The security flaws impact all versions of Acrobat and Adobe Reader on Mac OS X, Windows and Linux.

The flaw could allow an attacker to execute arbitrary code on the user's computer, but doesn't allow for escalating privileges above the user's current level -- meaning if the user isn't an administrator, the attack won't be able to perform administrator-level tasks.

Adobe is working on a fix, and is suggesting users disable JavaScript in Acrobat and Adobe Reader until the security update is released. Here's how:

  • Launch Acrobat or Adobe Reader and choose Acrobat > Preferences
  • Select JavaScript
  • Uncheck Enable Acrobat JavaScript
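A complementary check while JavaScript is switched off, as an added example that is not part of the original article or Adobe's guidance: a triage script that flags PDF files declaring JavaScript actions, so they can be reviewed before anyone opens them. The verdict labels, function names and sample bytes are constructed for illustration.

```python
import re

# A PDF name is "/" followed by regular characters (no whitespace, no delimiters).
NAME_RE = re.compile(rb"/([^\x00\t\n\f\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

SCRIPT = {"JS", "JavaScript"}    # keys that hold or declare a script action
TRIGGER = {"OpenAction", "AA"}   # actions that fire without a user click
OPAQUE = {"ObjStm"}              # compressed object streams can hide names


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    plain = HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Count the names of interest and return a triage verdict."""
    counts = {}
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in SCRIPT | TRIGGER | OPAQUE:
            counts[name] = counts.get(name, 0) + 1
    if counts.keys() & SCRIPT:
        verdict = "javascript+autorun" if counts.keys() & TRIGGER else "javascript"
    elif counts.keys() & OPAQUE:
        verdict = "inconclusive"  # names may sit inside compressed object streams
    else:
        verdict = "none-seen"
    return {"verdict": verdict, "counts": counts}


# Constructed samples (not real documents).
SAMPLE_SCRIPTED = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                   b"2 0 obj << /S /J#61vaScript /JS (constructed) >> endobj\n")
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
SAMPLE_PACKED = b"%PDF-1.5\n5 0 obj << /Type /ObjStm /N 3 /Filter /FlateDecode >> stream\n"

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, scan_pdf(fh.read()))
```

The scan works on raw bytes, so it can over-report when a matching name happens to appear inside a stream or string; treat a hit as a reason to look closer, and an "inconclusive" result as a file that needs its object streams decompressed first.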

Proof-of-concept code is available for the exploit, but there aren't any reported incidents of an actual attack.

Adobe hasn't said when it expects to release a fix, but it does plan to offer patches for all currently supported versions of the applications.