Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Adobe Reader/Acrobat Critical Vulnerability SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Adobe Reader/Acrobat Critical Vulnerability

A critical vulnerability has been discovered in the JavaScript handling within Adobe Reader and Acrobat versions 9.1 and earlier.  According to the announcement, Adobe expects to make available Windows updates for Adobe Reader versions 9.X, 8.X, and 7.X and Acrobat versions 9.X, 8.X, and 7.X, Macintosh updates for Adobe Reader versions 9.X and 8.X and Acrobat versions 9.X and 8.X, as well as Adobe Reader for Unix versions 9.X and 8.X, by May 12th, 2009.  Additionally, there is a second vulnerability specific to Adobe Reader for Unix that will be resolved by this update as well.

In the meantime, you can perform mitigation steps by disabling JavaScript in Reader and Acrobat:

  1. Launch Acrobat or Adobe Reader.
  2. Select Edit>Preferences
  3. Select the JavaScript Category
  4. Uncheck the ‘Enable Acrobat JavaScript’ option
  5. Click OK


Remember back when we used to tell people to PDF documents because it was safer than dealing with MS Office?

(Thanks to "roseman" for the tip...)

Tom Liston - InGuardians - Handler on Duty


160 Posts
May 4th 2009
What is it about Adobe and Patch Tuesday? Do not the majority of people who use Adobe Reader and Acrobat run them on Windows? Does Adobe not know when Patch Tuesday is? Does it not occur to Adobe that system administrators and workstation automation deployment folks are a limited resources. That clone works well in prototype OO languages, but doesn't work so well on people. This is the second time in a row that Adobe has decided to resolve a zero-day by squaring my stress level on the second Tuesday of the month. Thanks, Adobe!

Sign Up for Free or Log In to start participating in the conversation!