2 Replies Latest reply on May 14, 2009 10:48 PM by secured2k

    Critical Acrobat JavaScript Flaw

    secured2k
      http://www.adobe.com/support/security/advisories/apsa09-02.html

      Buffer overflow issues in Adobe Reader and Acrobat
      Release date: May 1, 2009

      Vulnerability identifier: APSA09-02

      CVE number: CVE-2009-1492, CVE-2009-1493

      Platform: All Platforms

      Summary: A critical vulnerability has been identified in Adobe Reader 9.1 and Acrobat 9.1 and earlier versions. This vulnerability (CVE-2009-1492) would cause the application to crash and could potentially allow an attacker to take control of the affected system. A second vulnerability has also been reported that appears to affect Adobe Reader for Unix only (CVE-2009-1493).

      Adobe is planning to release product updates to Adobe Reader and Acrobat to resolve the relevant security issues. Adobe expects to make available Windows updates for Adobe Reader versions 9.X, 8.X, and 7.X and Acrobat versions 9.X, 8.X, and 7.X, Macintosh updates for Adobe Reader versions 9.X and 8.X and Acrobat versions 9.X and 8.X, as well as Adobe Reader for Unix versions 9.X and 8.X, by May 12th, 2009. The Adobe Reader for Unix updates will resolve both security issues. A security bulletin will be published at http://www.adobe.com/support/security as soon as product updates are available.

      In the meantime, to mitigate the issue disable JavaScript in Adobe Reader and Acrobat using the following instructions below:

      1. Launch Acrobat or Adobe Reader.
      2. Select Edit>Preferences
      3. Select the JavaScript Category
      4. Uncheck the ‘Enable Acrobat JavaScript’ option
      5. Click OK

      Adobe is currently not aware of any reports of exploits in the wild for these issues.

      Users may monitor the latest information on the Adobe Product Security Incident Response Team blog at the following URL: http://blogs.adobe.com/psirt or by subscribing to the RSS feed here: http://blogs.adobe.com/psirt/atom.xml.

      Affected software versions: Adobe Reader 9.1 and earlier versions
      Adobe Acrobat Standard, Pro, and Pro Extended 9.1 and earlier versions

      Severity rating: Adobe categorizes this as a critical issue and recommends that users disable JavaScript in Adobe Reader and Acrobat prior to the availability of Adobe product updates and exercise caution when opening files from untrusted sources.
        • 1. RE: Critical Acrobat JavaScript Flaw
          secured2k

           

          Adobe is currently not aware of any reports of exploits in the wild for these issues.



          As of today, security experts have found 'zero-day' exploits in use in the wild to compromise computer security.
          • 2. Update Now Available
            secured2k
            May 12, 2009

            An update is now available for Adobe Acrobat versions 7, 8, and 9.

            http://www.adobe.com/support/security/bulletins/apsb09-06.html


            Details
            A critical vulnerability has been identified in Adobe Reader 9.1 and Acrobat 9.1 and earlier versions. This vulnerability (CVE-2009-1492) would cause the application to crash and could potentially allow an attacker to take control of the affected system. A second vulnerability has also been reported that appears to affect Adobe Reader for UNIX only (CVE-2009-1493). These issues are remotely exploitable.

            Adobe recommends users of Acrobat and Adobe Reader update their product installations to versions 9.1.1, 8.1.5, or 7.1.2 using the instructions above to protect themselves from potential vulnerabilities. Adobe expects to make available Adobe Reader 7 and Acrobat 7 updates for Macintosh before the end of June. This document will be updated to specify the expected date of these updates once available.
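
Added example, not part of the original posts or of Adobe's advisory: a small Python triage that sorts an install inventory into "patched", "update", or "mitigate" (disable JavaScript as in steps 1-5 above) using only the fixed versions and platform notes quoted in this thread. The function names, the platform table layout and the inventory rows are assumptions constructed for illustration.

```python
# Fixed versions quoted in the thread: 9.1.1, 8.1.5, 7.1.2.
FIXED = {9: (9, 1, 1), 8: (8, 1, 5), 7: (7, 1, 2)}

# Branches the thread says receive an update, per platform.
# Macintosh 7.x was still pending ("before the end of June").
UPDATE_BRANCHES = {
    "windows": {7, 8, 9},
    "macintosh": {8, 9},
    "unix": {8, 9},
}

def parse_version(text):
    """'8.1.4' -> (8, 1, 4); short strings are zero-padded ('9.1' -> (9, 1, 0))."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(platform, version):
    """Return the action for one Reader/Acrobat install."""
    try:
        v = parse_version(version)
    except ValueError:
        return "unparseable"
    major = v[0]
    if major > 9:
        return "not-covered"  # the advisory speaks only to 9.1 and earlier
    fixed = FIXED.get(major)
    if fixed and v >= fixed:
        return "patched"
    if major in UPDATE_BRANCHES.get(platform.lower(), set()):
        return "update"
    return "mitigate"  # no update named for this branch: disable JavaScript

def report(inventory):
    """Map host -> action for rows of (host, platform, version)."""
    return {host: triage(platform, version) for host, platform, version in inventory}

# Constructed sample inventory (not real hosts).
INVENTORY = [
    ("ws-01", "Windows", "9.1"),
    ("ws-02", "Windows", "8.1.5"),
    ("mac-01", "Macintosh", "7.1.0"),
    ("nix-01", "Unix", "8.1.4"),
    ("ws-03", "Windows", "6.0.5"),
]

if __name__ == "__main__":
    for host, action in report(INVENTORY).items():
        print(f"{host}: {action}")
```

Hosts that come back as "mitigate" have no fixed build named in this thread for their branch and platform, so the JavaScript preference change is the only control available to them here.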