Adobe Reader is one of the most oft-used programs in the world. (Probably next to MS Word and other word processors.) And we all think it’s safe because it just reads a document format and displays it.
To our surprise, we learned earlier this year that Adobe Reader processes JavaScript that can be embedded in PDF documents. Once again, here in December 2009, another vulnerability allows that JavaScript to be exploited to turn a PDF into a malicious piece o’ stuff.
The fault won’t be fixed until mid-January 2010. Big companies have a long turnaround on fixing software. Yes, they have to test to be sure everything still works after they make a fix – but meanwhile we can’t safely open PDF documents unless we have JavaScript turned off.
The attack vector is to send a poisoned PDF file to the intended targets, purporting to be “From: a friend” and hoping that they’ll open the attached PDF thinking that it’s safe. Wrong again. You won’t be caught by this, will you?
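One way to check an attached PDF for embedded JavaScript before opening it, as an added example that is not part of the original post: the script scans the raw bytes for the PDF name tokens that mark scripts and automatic actions, decoding `#xx` name escapes first. The function names and sample documents are constructed for illustration.

```python
import re

# PDF dictionary keys that mark scripts (/JS, /JavaScript) or actions that
# run without a click (/OpenAction, /AA), as defined in the PDF specification.
SUSPECT_NAMES = ("JS", "JavaScript", "OpenAction", "AA")
# A name is "/" followed by anything except whitespace and PDF delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /J#61vaScript is read as JavaScript."""
    decoded = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")

def scan_pdf(data: bytes) -> dict:
    """Count suspect names in raw PDF bytes.

    Names inside compressed object streams cannot be seen by a raw scan,
    so /ObjStm is counted too and treated as 'cannot tell' by verdict().
    """
    counts = {name: 0 for name in SUSPECT_NAMES + ("ObjStm",)}
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in counts:
            counts[name] += 1
    return counts

def verdict(data: bytes) -> str:
    if b"%PDF-" not in data[:1024]:      # header must appear near the start
        return "not-a-pdf"
    counts = scan_pdf(data)
    if counts["JS"] or counts["JavaScript"]:
        return "contains-javascript"
    if counts["OpenAction"] or counts["AA"]:
        return "auto-action"
    if counts["ObjStm"]:
        return "inconclusive-compressed-objects"
    return "no-script-markers"

# Constructed sample documents (fragments, not complete PDFs).
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SAMPLE_SCRIPT = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\n"
                 b"endobj\n3 0 obj\n<< /S /J#61vaScript /JS (0;) >>\nendobj\n")

if __name__ == "__main__":
    for label, doc in (("plain", SAMPLE_PLAIN), ("script", SAMPLE_SCRIPT)):
        print(label, verdict(doc), scan_pdf(doc))
```

A raw scan can also match these names inside ordinary text strings, so treat a hit as a reason to look closer rather than proof of malice.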