
Critical Acrobat JavaScript Flaw

http://www.adobe.com/support/security/advisories/apsa09-02.html

Buffer overflow issues in Adobe Reader and Acrobat
Release date: May 1, 2009

Vulnerability identifier: APSA09-02

CVE number: CVE-2009-1492, CVE-2009-1493

Platform: All Platforms

Summary: A critical vulnerability has been identified in Adobe Reader 9.1 and Acrobat 9.1 and earlier versions. This vulnerability (CVE-2009-1492) would cause the application to crash and could potentially allow an attacker to take control of the affected system. A second vulnerability has also been reported that appears to affect Adobe Reader for Unix only (CVE-2009-1493).

Adobe is planning to release product updates to Adobe Reader and Acrobat to resolve the relevant security issues. Adobe expects to make available Windows updates for Adobe Reader versions 9.X, 8.X, and 7.X and Acrobat versions 9.X, 8.X, and 7.X, Macintosh updates for Adobe Reader versions 9.X and 8.X and Acrobat versions 9.X and 8.X, as well as Adobe Reader for Unix versions 9.X and 8.X, by May 12th, 2009. The Adobe Reader for Unix updates will resolve both security issues. A security bulletin will be published at http://www.adobe.com/support/security as soon as product updates are available.

In the meantime, to mitigate the issue disable JavaScript in Adobe Reader and Acrobat using the following instructions below:

1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option
5. Click OK

Adobe is currently not aware of any reports of exploits in the wild for these issues.

Users may monitor the latest information on the Adobe Product Security Incident Response Team blog at the following URL: http://blogs.adobe.com/psirt or by subscribing to the RSS feed here: http://blogs.adobe.com/psirt/atom.xml.

Affected software versions: Adobe Reader 9.1 and earlier versions
Adobe Acrobat Standard, Pro, and Pro Extended 9.1 and earlier versions

Severity rating: Adobe categorizes this as a critical issue and recommends that users disable JavaScript in Adobe Reader and Acrobat prior to the availability of Adobe product updates and exercise caution when opening files from untrusted sources.
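
A triage sketch for the "exercise caution when opening files from untrusted sources" advice, added here as an example and not part of the Adobe advisory: it flags PDFs that declare JavaScript actions so they can be held back from unpatched readers. The function names, verdict strings and sample byte strings are constructed for illustration, and the scan only sees uncompressed objects.

```python
import re

# Names that introduce JavaScript (/JS, /JavaScript) or auto-run an action
# (/OpenAction, /AA); /ObjStm marks compressed objects this scan cannot read.
TRACKED = ("JS", "JavaScript", "OpenAction", "AA", "ObjStm")

# A PDF name is '/' followed by characters that are not whitespace or delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\f\r ()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript is recognised as /JavaScript."""
    unescaped = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return unescaped.decode("latin-1")


def indicators(pdf_bytes: bytes) -> dict:
    """Count tracked names found in the raw (uncompressed) bytes of a PDF."""
    counts = dict.fromkeys(TRACKED, 0)
    for match in NAME_RE.finditer(pdf_bytes):
        name = decode_name(match.group(1))
        if name in counts:
            counts[name] += 1
    return counts


def triage(pdf_bytes: bytes) -> str:
    """Return 'javascript', 'opaque' (cannot rule it out) or 'no-javascript-seen'."""
    counts = indicators(pdf_bytes)
    if counts["JS"] or counts["JavaScript"]:
        return "javascript"
    if counts["ObjStm"]:
        return "opaque"
    return "no-javascript-seen"


# Constructed sample fragments (not real documents, harmless script body).
SAMPLE_JS = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
             b"2 0 obj\n<< /S /J#61vaScript /JS (var x = 1;) >>\nendobj\n")
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SAMPLE_OBJSTM = b"%PDF-1.5\n5 0 obj\n<< /Type /ObjStm /N 3 /First 20 >>\nendobj\n"

if __name__ == "__main__":
    for label, data in (("js", SAMPLE_JS), ("clean", SAMPLE_CLEAN),
                        ("objstm", SAMPLE_OBJSTM)):
        print(label, triage(data), indicators(data))
```

A "no-javascript-seen" verdict is a triage result only; an "opaque" file needs a full PDF parser before it can be cleared.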
2 Replies

RE: Critical Acrobat JavaScript Flaw

 

Adobe is currently not aware of any reports of exploits in the wild for these issues.



As of today, security experts have found 'zero-day' exploits in use in the wild to compromise computer security.

Update Now Available

May 12, 2009

An Update is now available for Adobe Acrobat versions 7, 8, and 9.

http://www.adobe.com/support/security/bulletins/apsb09-06.html


Details
A critical vulnerability has been identified in Adobe Reader 9.1 and Acrobat 9.1 and earlier versions. This vulnerability (CVE-2009-1492) would cause the application to crash and could potentially allow an attacker to take control of the affected system. A second vulnerability has also been reported that appears to affect Adobe Reader for UNIX only (CVE-2009-1493). These issues are remotely exploitable.

Adobe recommends users of Acrobat and Adobe Reader update their product installations to versions 9.1.1, 8.1.5, or 7.1.2 using the instructions above to protect themselves from potential vulnerabilities. Adobe expects to make available Adobe Reader 7 and Acrobat 7 updates for Macintosh before the end of June. This document will be updated to specify the expected date of these updates once available.