Researcher: Adobe patch does not fully resolve critical vulnerability
Adobe (NASDAQ: ADBE) last Tuesday released a major update to address a number of vulnerabilities in its popular PDF reader and Acrobat software. According to the company, 18 different vulnerabilities were corrected by the patch, which includes a number of bugs that are currently being actively exploited.
However, a researcher is now saying that last week's update does not fully resolve a known critical vulnerability. A senior security researcher at the Vietnam-based Bkis Internet Security demonstrated that the auto-launch vulnerability still exists on a patched system, allowing a maliciously crafted PDF file to launch external applications directly.
In fact, nothing more than wrapping the launch command in quotation marks is required to perform the same action on a patched installation, which casts doubt in my mind as to whether Adobe is making a serious attempt to close this hole. Thankfully, a separate vulnerability that allowed an attacker to modify the warning message displayed before the auto-launch has been fixed, which makes successful exploitation of the former bug harder, since the user now sees the genuine warning.
In the meantime, my advice on using Adobe's popular PDF reader and Acrobat software stands: make use of one of the free, third-party PDF readers where possible. If the choice is not yours to make, however, then at least install the patch and keep your eyes peeled when opening PDF files from untrusted sources.
For more on this story:
- check out this article at The Register
- check out this article at PCWorld