Adobe Acrobat bug puts users at risk

A security vulnerability has been discovered in Adobe's Acrobat document reader that could leave users open to cyber attacks.

Adobe today confirmed the problem and said that although it has no reports of affected customers it has posted patches on its website that correct the flaw. Acrobat is free to download and lets users read PDF format documents.

The security hole can be exploited by a malicious user who could create a PDF file that, when viewed in Acrobat on Windows, would cause Acrobat to crash or to run arbitrary code on a PC.

Last month Microsoft admitted that its Outlook messaging software is vulnerable to similar problems, which could be exploited to allow an attacker to cause an email client to either crash or run malicious code.

In a security alert sent out to its customers today, antivirus company Panda said that until now, PDF was considered to be a safe format that posed no risk to users.

"The vulnerability makes it possible to include malicious code within a PDF file," said Panda. "This code, which could be a virus, worm or a Trojan Horse, would be executed as soon as the PDF document was opened."

The problem highlights the need to maintain servers as "clean environments" that house only strictly necessary software, said Panda. "Applications such as Adobe Acrobat, Microsoft Word, Access, Excel, for example, should therefore be removed from server machines," it added.

"If an administrator needs to consult a document, he/she should do so on his/her own workstation, and never on the server, as this would expose the server and consequently the entire network to the effects of viruses and other forms of malicious code."

More information is available at www.adobe.com/misc/pdfsecurity.html