Adobe is warning users about another new vulnerability in its Reader application that causes the software to crash and could possibly lead to remote code execution as well.
The new Reader bug was disclosed on Thursday on the Full Disclosure mailing list and Adobe security officials said that they’re investigating the problem and looking into a potential fix. The bug can be used to cause a denial-of-service condition on vulnerable machines, Adobe said. However, one of the new security measures that the company introduced earlier this year can be used to help protect against attacks on the flaw.
Adobe’s JavaScript Blacklist Framework is designed to prevent malicious APIs from running, and Adobe said that the tool can be used to stop attacks on the new Reader vulnerability. IT staffs have to enable and populate the blacklist manually, and Adobe has explicit instructions in its advisory on how to do that.
Today’s news is the latest link in a growing chain of problems that have cropped up for Adobe recently. The company on Thursday pushed out a patch for a publicly disclosed bug in its Flash Player software that was being used in targeted attacks and is planning to patch that same bug in Reader later this month. And the company faced a similar situation with its Shockwave application last month.
Adobe patches Reader on a regular quarterly schedule, and the last release was Oct. 5, which was a week earlier than scheduled. It’s not clear whether Adobe would release a patch for this lastest Reader bug before the next scheduled update.
