A vulnerability report was made public yesterday concerning Adobe's popular Reader product – specifically, the implementation of Javascript with Acrobat-created documents.
The issue is present in all versions of Adobe Reader prior to 8.1.2 Security Update 1 as well as the commercial Acrobat packages used to create PDF files. The bug, discovered by the Information Security team at John Hopkins University's Applied Physics Laboratory, can result in a program crash with the potential to execute arbitrary code. It's a bad one, in other words.
Thankfully, the APL team followed reasonable reporting practices and reported the issue to Adobe; with forewarning about the issue before it becomes common knowledge the company was able to work on a advisory of their own, as well as the all-important patch to render the bug harmless.
Coming less than a month after a similar scripting language flaw was revealed in the Flash Player also produced by Adobe, it's clear that the company is going to have to do a bit of work on its image in the computer security world.
