Adobe Fixes Reader Flaw, Warns Of New Bug In Download ToolAdobe Fixes Reader Flaw, Warns Of New Bug In Download Tool

Adobe Systems updated its free Reader application Tuesday to fix a critical flaw disclosed last week, but then warned users of its Download Manager that attackers could hijack a Mac or Windows PC by exploiting a bug in that utility.

Adobe Reader 8.0 for Windows patched a vulnerability in the AcroPDF ActiveX control used to display PDF documents within Microsoft's Internet Explorer browser. Last week, Adobe said that the Windows versions of Reader 7.0 through 7.0.8 could be exploited to compromise PCs.

"Adobe Reader 7.0 through 7.0.8 users should upgrade to Reader 8," Adobe said in a Tuesday bulletin.

Adobe Acrobat versions 7.0 through 7.0.8, however, remain vulnerable to attack. For users of that application, Adobe on Tuesday provided a workaround that requires users to manually replace the vulnerable AcroPDF.dll file with one downloaded from the Adobe site.

But just as Adobe fixed one of its programs, it warned that another contained a bug.

Adobe Download Manager, a utility the company provides to help users download large files and updates from its Web site, is also vulnerable to attack. Mac OS X and Windows systems running version 2.1 and earlier could be compromised, although a successful exploit would need user help, said Adobe. "A malicious file must be loaded by the end user, via a Web browser or e-mail client for instance, for an attacker to exploit this vulnerability," the company said in a new security bulletin.

Users should uninstall Download Manager 2.1 and earlier, Adobe advised.

Adobe classified the Download Manager bug as "critical," while vulnerability trackers such as Secunia and FrSIRT labeled it "Highly critical" and "Critical," respectively.