Adobe Confirms Acrobat JavaScript Security Threat

| News

Adobe has begun warning Adobe Acrobat and Adobe Reader users that a reported zero-day security flaw involving JavaScript is real, and that there may be two critical vulnerabilities in the applications. The security flaws impact all versions of Acrobat and Adobe Reader on Mac OS X, Windows and Linux.

The flaw could allow an attacker to execute arbitrary code on the users computer, but doesn't allow for escalating privileges above the user's current level -- meaning if the user isn't an administrator, the attack won't be able to perform administrator-level tasks.

Adobe is working on a fix, and is suggesting users disable JavaScript in Acrobat and Adobe Reader until the security update is released. Here's how:

  • Launch Acrobat or Adobe Reader and choose Acrobat > Preferences
  • Select JavaScript
  • Uncheck Enable Acrobat JavaScript

Proof of concept code is available for the exploit, but there aren't any reported incidents of an actual attack.

Adobe hasn't said when it expects to release a fix, but it does plan to offer patches for all currently supported versions of the applications.

Popular TMO Stories



Another good reason to use Preview!


I stopped using Adobe Reader for Windows ages ago.  From version 7 up the load time for Adobe was unbearably slow.  Then there were the increased number of threats.  For the Windows platform I now use Fox-It reader.

On the OS X Leopard side of the house, I just go with the built-in .pdf functions.  For my limited pdf needs this works fine. I also disable javascript in XP Pro.

Log in to comment (TMO, Twitter or Facebook) or Register for a TMO account