Adobe has warned that its Reader and Acrobat PDF software is vulnerable to an unpatched vulnerability.

A pair of flaws in the JavaScript functions of the PDF reading application are behind the problem, prompting Adobe to advise surfers to disable JavaScript as a workaround, pending the availability of a patch. Even after a patch becomes available, the problem may hang around for months. The vulnerability is a cross-platform flaw that affects Windows, Macs and Linux machines running Adobe's software.

Analysis on the response to the last such vulnerability from Adobe by security scanning firm Qualys, which dates back to February, shows that users were very slow at applying patches. Applying application security updates, as distinct from operating system patches, is becoming the most pressing problem in patching, according to Wolfgang Kandek, CTO at Qualys.

Security firms, such as Sophos and F-Secure (here), both advise surfers to consider the use of alternative PDF reader packages (list here), as a way of moving away from a monoculture of PDF readers, which is bad security practise. ®

Related stories

• Mozilla catches half of Firefox users running insecure Flash (17 September 2009)
• Adobe patches 'critical' flaws in ColdFusion, JRun (18 August 2009)
• Adobe spanked for insecure Reader app (22 July 2009)
• Adobe's quarterly patch cycle to commence Tuesday (6 June 2009)
• Adobe convenes 'Come to Jesus' meeting for buggy Reader app (20 May 2009)
• Zero-day Adobe PDF peril goes click free (5 March 2009)
• Updated Unofficial patch plugs 0-day Adobe security vuln. (24 February 2009)
• Web browsers face crisis of security confidence (23 June 2008)
• Updated Attack code in the wild targets new (sort of) Adobe Flash vuln (27 May 2008)
• CanSecWest Only Ubuntu left standing, as Flash vuln fells Vista in Pwn2Own hacking contest (29 March 2008)
• Adobe Reader Trojan predates mystery update by two weeks (11 February 2008)
• Nasty PDF exploit runs wild (24 October 2007)