Adobe's Reader, Acrobat patch fails to plug hole

Poor old Adobe. Not only is the golden balls of tech, Steve Jobs, picking on it, but its best efforts to plug any deficiencies its software may have seem to be coming to nowt.

This week, the firm plugged a flaw in its Reader and Acrobat components which could allow an nefarious attacker to remotely execute a malicious application through code sneakily embedded in a PDF file.

But security researcher Le Manh Tung has reported that the patch can be easly circumvented.

Tung explains on his bog how simply modifying a theoretical attack with a couple of quatiation marks gets around Adobe's attempt at patching the vulnerability.

The "threat of exploit code execution still remains," he writes.

Adobe has acknowledged the problem on a bog of its own. Director of product security and privacy, Brad Arkin said Adobe had "determined that disabling the ability to open non-PDF file attachments with external applications by default would negatively impact a significant part of our customer base by breaking existing workflows. As an alternative, we added attachment blacklist functionality to block attempts to launch executables or other harmful objects by default."

He admits "blacklist capabilities alone are not a perfect solution to defend against those with malicious intent" as highlighted by Tung, but claims: "this option reduces the risk of attack, while minimizing the impact on customers relying on workflows that depend on the launch functionality"

Meanwhile, its back to the drawing board as the company endeavours to secure its holey offerings.

"While blacklist capabilities alone are not a perfect solution to defend against those with malicious intent, this option reduces the risk of attack, while minimizing the impact on customers relying on workflows that depend on the launch functionality," Arkin wrote.