The vulnerabilities exist in two JavaScript functions getAnnots() and spell.customDictionaryOpen() and both allow remote code execution. Adobe acknowledged that all currently supported shipping versions of Adobe Reader and Acrobat (Adobe Reader and Acrobat 9.1, 8.1.4, and 7.1.1 and earlier versions) are vulnerable and that updates will be provided for all supported versions for all platforms (Windows, Macintosh and Unix) to resolve this issue. Moreover, it is hilghly recommended for those using Adobe Reader to disable JavaScript in PDF Reader as a temporary measure.

Because of the security issues with Adobe Reader (remember recent February’s security flaw, F-Secure Chief Research Officer Mikko Hypponen said at the RSA Security Conference that Internet users should switch to using an alternative PDF reader. Finally, he said that Adobe Reader is a very popular target for malware authors since more than 47 percent of this year’s attacks exploit vulnerabilities in Adobe Reader.