Adobe secretly patches critical PDF flaw

The company silently slipped in a fix for a critical vulnerability that prevents PDF files from being used in code execution attacks, eWEEK reports.

Immunity confirmed the fix by reverse-engineering the patch, and discovered a fix for a stack overflow issue, normally afforded a "highly critical rating" by Adobe.

At least one security firm, Immunity, has published proof-of-concept code for the flaws. As evidence that this flaw was fixed in Reader 8.1.2, news outlets confirmed it crashed unpatched versions of Reader.

Secunia estimates that six in ten Windows Reader users may be vulnerable to attacks using this method, derived from their Personal Software Inspector surveys.

The security community is apparently up in arms over the fix because there was no published disclosure of it. The release notes for the patch only allude to "security vulnerabilities," but no specifics.

A request for comment from Adobe was outstanding at press time. As of late Wednesday afternoon, no public advisory on the flaw had been published to the company's website.