A new flaw in Adobe Reader could be leveraged to hack into computers, French security research firm Vupen Security reported Friday.
Adobe Systems warned of the bug Thursday, after it was revealed in attack code posted to the Full Disclosure mailing list. Soon after, Adobe said the attack could crash a computer, but that it also "may be possible" to use the attack to run unauthorized software on a victim's computer. That would make the attack attractive to criminals, who are always on the lookout for new ways to distribute their malicious software.
On Friday, Vupen said that they had tested the attack and "confirmed that the vulnerability could be exploited to achieve code execution," according to CEO Chaouki Bekrar.
"We confirmed code execution with Adobe Acrobat 9.4 on Windows," he wrote in an e-mail interview. Vupen's tests confirmed that the attack worked on Windows XP, Service Pack 3, Bekrar said. "Other platforms including Mac OS X and Unix/Linux are affected too, and the vulnerability is likely to be exploitable for code execution on these systems."
This is his technical explanation of the bug: "the crash results from a heap corruption within the "EScript.api" plugin when processing the undocumented "printSeps()" function in a PDF document."
For people with Reader installed on their computers, the important part is that the flaw could be exploited someday by criminals, either by sending maliciously encoded .pdf files via email, or by posting them on websites.
Adobe says it plans to update Reader the week of 15 November.