Unpatched PDF bug poses growing threat, say researchers

An unpatched bug in popular PDF viewing and editing applications is much more dangerous than first thought, according to security researchers who have created exploits that sidestep Adobe's defensive recommendations.

Adobe Systems Inc. has known about the vulnerability in its Reader and Acrobat software since mid-January, but will not patch the problem until next Wednesday, March 11.

The bug first made news two weeks ago, when and pegged it as critical. Within days, other reports surfaced that in-the-wild attacks have .

Although Abode recommended that users disable JavaScript in Reader and Acrobat to protect themselves from the current attacks, other researchers now say that such a move may not help.

Last week, a researcher who works at the Danish vulnerability tracker Secunia said he had come up with an exploit that . "During our analysis, Secunia managed to create a reliable, fully working exploit which does not use JavaScript and can therefore successfully compromise users who may think they are safe because JavaScript support has been disabled," Carsten Eiram, chief security specialist, said in an entry to the company's blog.

On Tuesday, David Aitel, the founder and chief technology officer of Immunity Inc., made the same claim. "Things like this are harder than they look," he said in a message to his Dailydave security mailing list. "Pablo and Kostya had to work quite a bit on reliability every step of the way. But the Acrobat JBIG exploit now works nicely without any JavaScript heap spray." The exploit has been added to CANVAS, Immunity's commercial penetration testing product.