Security

Another Adobe Acrobat Reader Vulnerability

January 10, 2007

According to Adobe’s Security Advisory site there is another error with the Adobe Acrobat Reader program.

For those of you that do not know, when you visit a web site and click on a PDF file link to open it, this is the program that opens that PDF file right in your web browser.

The error is in the program itself, which lives on your computer. There is a flaw in the code that leaves you open to possible attack, and that is what Adobe is alerting everyone to.

Additionally, this newest error (which is different from the Acrobat error announced last week) has been given Adobe’s highest rating of “critical”. According to Adobe, this is the definition of a critical error:

A vulnerability, which, if exploited would allow malicious native-code to execute, potentially without a user being aware.

They are recommending that you upgrade to the latest version of Adobe Acrobat Reader

OR (not recommended by Adobe ;))

Switch to Brava! PDF reader. This is the one that I use for several reasons and now I have one more reason ;).

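If you are a webmaster and want to protect visitors to your website who may click-to-open PDF files that you are publishing, there are some things you can do as well. The steps below change the MIME type the server sends for .pdf files, so the browser offers them as a download instead of opening them in the Reader plug-in.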

For IIS 6.0 servers:

  1. Open the Internet Information Services Manager.
  2. Locate the folder containing PDFs under your Web site.
  3. Right-click the folder and select Properties.
  4. Select the HTTP Headers tab.
  5. Click the MIME Types… button.
  6. Click the New… button to create a new MIME type.
  7. Enter pdf for the Extension and application/octet-stream for MIME type.
  8. Click OK.
  9. Click OK.
  10. Click OK to apply the changes.

For Apache 2.2.3 servers:
Use mod_mime and AddType or mod_rewrite

  1. Open httpd.conf
  2. Locate the section
  3. Insert AddType application/octet-stream .pdf
  4. Close and Save httpd.conf
  5. Restart the Apache Service

If you are not comfortable with the above steps, do not attempt them. Alternatively, if you are with a managed host provider, contact them and see if they have taken these steps (probably they have not ;)).
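
One way to confirm that either procedure took effect is to look at the headers the server returns for a PDF. The Python check below is an added example, not part of the original post: the sample response heads are constructed, and the Content-Disposition case goes beyond the two procedures above.

```python
from email.parser import Parser

# Constructed sample response heads (the kind of text `curl -sI <url>` prints).
SAMPLES = {
    "default": "HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n",
    "retyped": "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n",
    "attachment": ("HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
                   'Content-Disposition: attachment; filename="report.pdf"\r\n\r\n'),
    "mistyped": "HTTP/1.1 200 OK\r\nContent-Type: application/octet-steam\r\n\r\n",
}


def pdf_delivery(raw_head: str) -> str:
    """Classify how a browser is told to handle the response.

    Returns 'download', 'inline' or 'review'.
    """
    # Drop the status line, then parse the remaining header block.
    _, _, header_block = raw_head.replace("\r\n", "\n").partition("\n")
    headers = Parser().parsestr(header_block, headersonly=True)

    # Header lookup is case-insensitive; parameters after ';' are ignored here.
    ctype = (headers.get("Content-Type") or "").split(";")[0].strip().lower()
    disposition = (headers.get("Content-Disposition") or "")
    disposition = disposition.split(";")[0].strip().lower()

    if disposition == "attachment" or ctype == "application/octet-stream":
        return "download"
    if ctype == "application/pdf":
        return "inline"   # browser may hand the file to the PDF plug-in
    return "review"       # missing or unexpected type: check the config for typos


if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(f"{name:10} -> {pdf_delivery(head)}")
```

To check a live server, pass the output of `curl -sI` for one of your PDF URLs to `pdf_delivery`.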
