Software Engineering Institute

Adobe Acrobat and Adobe Reader provide an ActiveX control to allow applications such as Internet Explorer to open PDF files. The control, which is provided by the file AcroPDF.dll, fails to properly handle input to its methods. By calling certain methods with specific input, the application hosting the ActiveX control can crash.

More information about this issue can be found in Adobe Security bulletin APSB06-20.

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to cause Internet Explorer (or any program using the Adobe AcroPDF control) to crash. Note that this crash does not appear to be exploitable to execute arbitrary code.

Upgrade Adobe Reader as prescribed by Adobe
Adobe has addressed this issue in Adobe Reader 8. Users should upgrade to Adobe Reader 8 as soon as possible.

Users who are unable to upgrade to Adobe Reader 8 should upgrade to an unaffected version of the AcroPDF ActiveX control. Instrcutions on how to upgrade the AcroPDF ActiveX control are listed in Adobe Security bulletin APSB06-20.

Disable the AcroPDF ActiveX control

According to Adobe Security advisory APSA06-20, the AcroPDF ActiveX control can be disabled by taking the following steps:

1. Exit Internet Explorer and Adobe Reader.
2. Browse to <volume>:\Program Files\Adobe\Acrobat 7.0\ActiveX.
    Note: If you did not install Acrobat to the default location, browse to the location of your Acrobat 7.0 folder.
3. Select AcroPDF.dll and delete it.