Blog: Acrobat Reader

A client of ours frequently uses a web application to manage customer data and print various documents in PDF format. Users started to complain that they would try and produce a PDF document that was populated with unique costomer data, but there were 'strange words' (they were actually variable names) where the customer data should have been. Normally when our client clicked the "Print" function from within the web application, the webapp would open a new browser window, then opened a PDF  document with the cutomer info merged into a PDF form. This problem was happening only when users accessed this webapp from a Terminal Server session. A similar behavior was happening with a webapp on a different website as well (also only happening on the Terminal Server). [more]

To use this particular web app, the user has to have a unique certificate installed on their machine. Initially I thought that the XML data was not being retrieved properly due to a problem with the certificate, thus the PDF was being merged with an empty data set. After confirming that the certificate was in order, I spending a significant amount of time investigating the Permissions and Trust Manager settings within Acrobat Reader 7 on the Terminal Server. Editing these settings did not alter the behavior of these webapps.

About the time I was considering a re-installation of Acroat Reader on this Terminal Server, I noticed within Acrobat 7's "Internet" preferences a check box labeled "Display PDF in Browser". This option was checked (as it should have been) but I decided to toggle this setting off, apply, then toggle it back on, and apply. This restored the web apps XML-PDF form merging functionality. It appears that the PDF form was unable to access the XML data from the IE pop-up window that initially launched the PDF document. It is still unknown why this particular Adobe setting stopped being enforced (when previously it WAS being enforced). The broken functionality did not coincide with any system event. The web app techinal support team was unable to explain WHY this happened, but they did confirm that they had seen this happen before. The moral of the story... even if everything looks correct on the surface, that doesn't mean it really is.

In a bulletin released October 22, 2007, Adobe announced a critical vulnerability in its Acrobat and Reader programs. This vulnerability could allow a successful attacker to take control of the affected system. In order for the attacker to compromise the system, they must get you to open a malicious file in Adobe Reader or Acrobat.

This vulnerability affects users running Windows XP or Windows 2003 with Internet Explorer 7 installed. Vista users are not affected. Adobe versions 8.1 and earlier are susceptible to this vulnerability. Adobe categorizes this as a critical issue and recommends that affected users update their product installations.  [more]

For Adobe versions 8.1, Adobe strongly recommends that you upgrade to Adobe Reader 8.1.1 or Acrobat 8.1.1. Users can utilize the product’s automatic update feature or manually activate the update by choosing Help > Check for Updates Now from the program's menu. You can also find update files here:
•  Adobe Acrobat: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows

•  Adobe Reader: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows

For Adobe versions 7.09 or earlier, Adobe will release an update in the near future, so you should continue to check the Adobe support site for available updates.

For more information about this vulnerability, please refer to the following article on Adobe's website:
http://www.adobe.com/support/security/bulletins/apsb07-18.html

For help applying this critical security update to your Adobe applications, please contact us.