A new security hole has been discovered in Adobe Reader that exposes users of the PDF reader to attack, a month after other exploitable flaws were found in Adobe Reader and other Adobe products.
The vulnerability affects all supported versions of Adobe Reader and Acrobat (9.1, 8.1.4, 7.1.1 and earlier) on all platforms, according to an announcement from Adobe's Product Security Incident Response Team (PSIRT). The company says it is investigating reports of exploit code that could be used to take advantage of the flaw.
According to the post on the PSIRT blog, Adobe is working on an update for all platforms and will publish a timeline soon. The post also states that Adobe is not aware of any other exploits circulating on the internet.
F-Secure, which has been tracking the situation, has already advised users to switch to a third-party PDF viewer in the meantime, particularly those who only need to read PDF files. The company reports that 47% of the targeted attacks it has observed have been aimed at Adobe Reader users.
Details of the exact nature of the vulnerability are scant, but it is known to involve two methods in Adobe Reader's JavaScript implementation, getAnnots() and spell.customDictionaryOpen(). The getAnnots() flaw in particular can be exploited to execute arbitrary code on the machine running Reader or Acrobat. Because the bug is reached through the JavaScript API, a malicious PDF has to carry JavaScript to trigger it, which is why disabling JavaScript is an effective stopgap.
Until the fix ships, Adobe advises users to turn off JavaScript in Adobe Reader by unchecking the "Enable Acrobat JavaScript" box in the JavaScript category of Edit > Preferences. This closes the attack vector, but it will also break legitimate documents, such as interactive forms, that depend on JavaScript.
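The two method names named above give defenders something concrete to look for while the patch is pending. The following Python script is an added example, not code from this article or from Adobe: it is a triage scanner that flags PDFs carrying JavaScript actions and references to getAnnots or customDictionaryOpen, after undoing the cheap obfuscations PDF syntax allows (hex-escaped names such as /J#61vaScript, hex strings, octal escapes in literal strings, and FlateDecode-compressed object streams). The three sample PDFs are constructed here and are benign: they merely call the methods, they do not exploit them. The function names, the marker list and the verdict labels are choices made for this example.

```python
import re
import zlib

# Method names cited in the advisory. A PDF whose JavaScript references them
# deserves a closer look while the fix is pending.
SUSPECT_METHODS = (b"getAnnots", b"customDictionaryOpen")
# Dictionary keys that attach JavaScript to a document or trigger it automatically.
JS_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")


def decode_name_escapes(data: bytes) -> bytes:
    """Undo PDF name hex escapes, e.g. /J#61vaScript -> /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def decode_hex_strings(data: bytes) -> bytes:
    """Turn hex strings such as <676574416E6E6F7473> into literal strings.
    The lookbehind keeps the << of a dictionary from being taken as a string start."""
    def repl(m):
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:
            digits += b"0"  # PDF spec: an odd trailing digit is padded with 0
        return b"(" + bytes.fromhex(digits.decode()) + b")"
    return re.sub(rb"(?<!<)<([0-9A-Fa-f\s]+)>", repl, data)


def decode_literal_escapes(data: bytes) -> bytes:
    """Resolve backslash escapes inside literal strings: \\ddd octal, \\n, \\(, etc."""
    def repl(m):
        esc = m.group(1)
        if esc[:1] in b"01234567":
            return bytes([int(esc, 8) & 0xFF])
        return {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(esc, esc)
    return re.sub(rb"\\([0-7]{1,3}|.)", repl, data, flags=re.DOTALL)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every Flate stream (object streams included)
    so the scan also covers content hidden behind compression."""
    out = [data]
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.DOTALL):
        try:
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate (or damaged); the raw bytes are still scanned
    return b"\n".join(out)


def scan_pdf(data: bytes) -> dict:
    """Report JavaScript markers and advisory method names found after de-obfuscation."""
    text = decode_literal_escapes(decode_hex_strings(decode_name_escapes(inflate_streams(data))))
    markers = [m.decode() for m in JS_MARKERS if m in text]
    methods = [m.decode() for m in SUSPECT_METHODS if m in text]
    verdict = "suspicious" if methods else ("javascript" if markers else "clean")
    return {"markers": markers, "suspect_methods": methods, "verdict": verdict}


# Constructed sample 1: an uncompressed PDF whose OpenAction runs JavaScript that
# calls getAnnots(). Benign: it only counts annotations. Not an exploit.
PLAIN_SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS (app.alert\\(this.getAnnots\\(\\).length\\);) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample 3: no JavaScript at all.
CLEAN_SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def build_obfuscated_sample() -> bytes:
    """Constructed sample 2: the action dictionary sits in a FlateDecode object stream,
    the /JavaScript name is hex-escaped and the method name carries an octal escape.
    Still benign: it calls the method once with no arguments."""
    inner = b"4 0 << /S /J#61v#61Script /JS (spell.custom\\104ictionaryOpen\\(\\);) >>"
    packed = zlib.compress(inner)
    return (
        b"%PDF-1.5\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
        b"5 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
        + str(len(packed)).encode() + b" >>\nstream\n" + packed + b"\nendstream endobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    for label, pdf in (("plain", PLAIN_SAMPLE), ("obfuscated", build_obfuscated_sample()),
                       ("clean", CLEAN_SAMPLE)):
        print(f"{label}: {scan_pdf(pdf)}")
```

This is a triage heuristic, not a PDF parser: it does not handle other stream filters (LZW, ASCIIHex, ASCII85), nor JavaScript-level tricks such as building the method name from fragments or passing it through eval(), so a "clean" verdict is not proof of safety and a "javascript" verdict is not proof of malice. Its value is as a quick first pass over a mail quarantine or a file share to find documents that call the two methods at all, which, with JavaScript switched off in Reader as advised, should be rare.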
This is the second zero-day security hole discovered in Adobe Reader this year; the first was a buffer overflow in Reader and Acrobat reported in February. A researcher later showed that the earlier flaw could be triggered without opening the file at all: merely having a crafted PDF stored on the machine was enough. That finding came shortly after Adobe released a critical security update for Flash Player.
Many users take for granted the third-party applications they use to open various file types and forget to update them. This has prompted companies such as Secunia to push for an industry-wide standard mechanism for updating third-party applications.