Adobe investigating new Reader flaw

Adobe is warning users about another new vulnerability in its Reader application that causes the software to crash and could possibly lead to remote code execution as well. The new Reader bug was disclosed November 4 on the Full Disclosure mailing list and Adobe security officials said that they are investigating the problem and looking into a potential fix. The bug can be used to cause a denial-of-service condition on vulnerable machines, Adobe said.

However, one of the new security measures that the company introduced earlier this year can be used to help protect against attacks on the flaw. Adobe’s JavaScript Blacklist Framework is designed to prevent malicious APIs from running, and Adobe said that the tool can be used to stop attacks on the new Reader vulnerability. IT staffs must enable and populate the blacklist manually, and Adobe has explicit instructions in its advisory on how to do that.

Adobe patches Reader on a regular quarterly schedule, and the last release was October 5, which was 1 week earlier than scheduled. It is not clear whether Adobe would release a patch for this latest Reader bug before the next scheduled update.
Source: http://threatpost.com/en_us/blogs/adobe-investigating-new-reader-flaw-110510