Adobe Reader/Acrobat Critical Vulnerability

Published: 2009-05-04
Last Updated: 2009-05-04 17:43:16 UTC
by Tom Liston (Version: 1)
1 comment(s)

A critical vulnerability has been discovered in the JavaScript handling within Adobe Reader and Acrobat versions 9.1 and earlier.  According to the announcement, Adobe expects to make available Windows updates for Adobe Reader versions 9.X, 8.X, and 7.X and Acrobat versions 9.X, 8.X, and 7.X, Macintosh updates for Adobe Reader versions 9.X and 8.X and Acrobat versions 9.X and 8.X, as well as Adobe Reader for Unix versions 9.X and 8.X, by May 12th, 2009.  Additionally, there is a second vulnerability specific to Adobe Reader for Unix that will be resolved by this update as well.

In the meantime, you can perform mitigation steps by disabling JavaScript in Reader and Acrobat:

  1. Launch Acrobat or Adobe Reader.
  2. Select Edit>Preferences
  3. Select the JavaScript Category
  4. Uncheck the ‘Enable Acrobat JavaScript’ option
  5. Click OK

Ref:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1492
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1493

Remember back when we used to tell people to PDF documents because it was safer than dealing with MS Office?

(Thanks to "roseman" for the tip...)

Tom Liston - InGuardians - Handler on Duty
 

1 comment(s)

Comments

What is it about Adobe and Patch Tuesday? Do not the majority of people who use Adobe Reader and Acrobat run them on Windows? Does Adobe not know when Patch Tuesday is? Does it not occur to Adobe that system administrators and workstation automation deployment folks are a limited resources. That clone works well in prototype OO languages, but doesn't work so well on people. This is the second time in a row that Adobe has decided to resolve a zero-day by squaring my stress level on the second Tuesday of the month. Thanks, Adobe!

Diary Archives