Adobe is still investigating reports of a new code execution vulnerability in Adobe Reader and Acrobat, but recommends blacklisting the affected JavaScript function in the meantime.
The flaw was reported as a zero-day on Wednesday, when someone posted a proof-of-concept exploit on the Full Disclosure mailing list.
However, it appears the issue has been known as a Denial of Service (DoS) condition for almost a year, since it was disclosed on a Russian-language blog.
Adobe confirmed the DoS attack vector, but has not yet verified whether the bug can be exploited to execute arbitrary code.
Nevertheless, French vulnerability research vendor VUPEN Security has published an advisory suggesting that it is possible.
The vulnerability is caused by a heap corruption error in the "EScript.api" plugin, triggered when a PDF document calls the undocumented "printSeps()" function.
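For triaging stored or inbound PDFs for references to that function, here is an added example (not code from the article or from Adobe). It searches the raw file and any Flate-compressed streams for the name "printSeps"; the helper names and sample files are constructed for illustration, and scripts hidden by other filters or by string obfuscation will not be found.

```python
import re
import zlib

# Function name from the report, as ASCII bytes and as UTF-16BE text.
TARGET = "printSeps"
NEEDLES = (TARGET.encode("ascii"), TARGET.encode("utf-16-be"))

# A PDF stream body sits between the "stream" and "endstream" keywords.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)


def inflate(data):
    """Return the inflated stream body, or None if it is not Flate data."""
    try:
        # decompressobj tolerates a body clipped by a byte at the end marker.
        return zlib.decompressobj().decompress(data)
    except zlib.error:
        return None


def find_printseps(pdf_bytes):
    """Return (location, offset) pairs where the function name appears."""
    hits = [("raw", m.start())
            for needle in NEEDLES
            for m in re.finditer(re.escape(needle), pdf_bytes)]
    for index, m in enumerate(STREAM_RE.finditer(pdf_bytes)):
        body = inflate(m.group(1))
        if body and any(needle in body for needle in NEEDLES):
            hits.append(("stream %d (inflated)" % index, m.start(1)))
    return hits


def make_sample_pdf(script, compress):
    """Build a minimal constructed PDF-like file around one script stream."""
    body = zlib.compress(script) if compress else script
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.7\n1 0 obj\n<< " + filt + b"/Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    # Constructed samples: one benign script, one that names the function.
    samples = {"benign": b"app.alert('hi');", "suspect": b"var f = this.printSeps;"}
    for label, script in samples.items():
        print(label, find_printseps(make_sample_pdf(script, compress=True)))
```

A hit means the file names the function and deserves closer inspection; it does not show that the file is malicious.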
Adobe Suggests Workaround for New Reader Zero-Day - Softpedia