Vulnerabilities in Adobe Acrobat and Reader, Opera, Apple QuickTime, and OpenOffice

Adobe Acrobat Vulnerable to Cross-Site Forgery Attack

Three vulnerabilities were discovered in Adobe Acrobat and Reader that could allow a remote intruder to launch cross-site scripting attacks against the user of an affected system. The vulnerabilities are the result of improper sanitization of input passed to a PDF file, which in some cases could allow an intruder to inject arbitrary JavaScript code into the system.

Adobe said that Acrobat 8.0 and Reader 8.0 aren't affected by the vulnerability, so customers are advised to upgrade to these versions if possible. The company also said it will release an update to versions 7.0.8 and earlier of Adobe Reader and Acrobat this week to correct the problems in these versions.

Opera Web Browser Vulnerable to DoS

Opera contains two vulnerabilities that could allow a remote intruder to crash an affected browser, thereby creating a Denial of Service (DoS) condition. The first potential problem results from passing an incorrect object to createSVGTransformFromMatrix, which might allow the execution of arbitrary code. Opera Software reports that users who've disabled JavaScript aren't affected.

The second potential problem occurs when a specially crafted marker is inserted into a JPEG file header, which crashes the browser and could cause a heap overflow.

Opera Software recommends that people upgrade to Opera 9.10 to avoid these problems.

Apple QuickTime Vulnerable to Execution of Arbitrary Code

A serious vulnerability in the Apple QuickTime player might allow an intruder to compromise an affected system through the execution of arbitrary code. Apple is aware of the problem, but no official patch for Windows or OS X is available at this time. However, a third-party patch is available for OS X users, at the URL below.

OpenOffice Vulnerable to Heap Overflows

John Heasman of NGSSoftware reported that OpenOffice contains heap overflow vulnerabilities that could be exploited by an intruder to execute arbitrary code, thereby compromising an affected system (at the first URL below). OpenOffice developers are aware of the problems, which were resolved with the release of OpenOffice 2.1.0 (at the second URL below).

TAGS: Security