A new flaw in Adobe Reader could be leveraged to hack into computers, French security research firm Vupen Security reported Friday.

Adobe Systems warned of the bug Thursday, after it was revealed in attack code posted to the Full Disclosure mailing list. Soon after, Adobe said the attack could crash a computer, but that it also "may be possible" to use the attack to run unauthorized software on a victim's computer. That would make the attack attractive to criminals, who are always on the lookout for new ways to distribute their malicious software.

On Friday, Vupen said that they had tested the attack and "confirmed that the vulnerability could be exploited to achieve code execution," according to CEO Chaouki Bekrar.

"We confirmed code execution with Adobe Acrobat 9.4 on Windows," he wrote in an e-mail interview. Vupen's tests confirmed that the attack worked on Windows XP, Service Pack 3, Bekrar said. "Other platforms including Mac OS X and Unix/Linux are affected too, and the vulnerability is likely to be exploitable for code execution on these systems."

This is his technical explanation of the bug: "the crash results from a heap corruption within the 'EScript.api' plugin when processing the undocumented 'printSeps()' function in a PDF document."

For people with Reader installed on their computers, the important part is that the flaw could be exploited someday by criminals, either by sending maliciously encoded .pdf files via email, or by posting them on websites.

According to Vupen, the flaw has actually been public for much longer than previously realized. "[T]he bug was initially disclosed by an unknown Russian researcher who posted a proof-of-concept on his blog 6 months ago... however, he was not able to exploit the crash for code execution," Bekrar said.

Adobe said Friday that it was still investigating the issue, but the company acknowledged in its blog post that it was possible to use the flaw to run software on another machine. In its blog post, Adobe advises users to try its JavaScript Blacklist Framework to mitigate the attack. Users can also turn off JavaScript in Reader (Edit --> Preferences --> JavaScript). This prevents most known Reader attacks, but it can also prevent .pdf forms from working properly.
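For administrators who want to check incoming .pdf files while waiting for the update, the sketch below flags documents that carry JavaScript and mention the printSeps function named above. It is an added example, not code from Adobe or Vupen; the function names and the sample bytes are constructed for illustration, and it handles only Flate-compressed streams and hex-escaped PDF names.

```python
import re
import zlib

# Body of every "stream ... endstream" section in the file.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)
# PDF names may hide characters as #xx hex escapes, e.g. /J#61vaScript.
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
JS_MARKERS = (b"/JavaScript", b"/JS")  # name objects that introduce script actions
SUSPECT_NAME = b"printSeps"            # function named in the article


def _inflate(data):
    """Return the inflated stream body, or None if it is not Flate data."""
    try:
        # decompressobj tolerates a body truncated by the regex boundary.
        return zlib.decompressobj().decompress(data)
    except zlib.error:
        return None


def _unescape_names(data):
    """Undo #xx escapes so obfuscated names compare equal to plain ones."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(raw):
    """Flag JavaScript and printSeps references in raw PDF bytes.

    A hit means "inspect this file"; a miss is not proof the file is clean,
    because scripts can be encoded in ways this sketch does not decode.
    """
    chunks = [raw]
    for match in STREAM_RE.finditer(raw):
        body = _inflate(match.group(1))
        if body is not None:
            chunks.append(body)
    chunks = [_unescape_names(c) for c in chunks]
    return {
        "has_javascript": any(m in c for c in chunks for m in JS_MARKERS),
        "references_printSeps": any(SUSPECT_NAME in c for c in chunks),
    }


def build_sample(script):
    """Constructed, non-functional PDF fragment used only to exercise triage_pdf."""
    return (b"%PDF-1.4\n1 0 obj\n<< /S /JavaScript /JS 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n" + zlib.compress(script) +
            b"\nendstream\nendobj\n")
```

Files that come back with both flags set are candidates for quarantine or manual review; files with only `has_javascript` set are the ones that may stop working when JavaScript is turned off in Reader.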

Adobe says it plans to update Reader the week of 15 November.