Threat Level: green Handler on Duty: Russ McRee

SANS ISC: InfoSec Handlers Diary Blog - Adobe Reader/Acrobat Critical Vulnerability InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Adobe Reader/Acrobat Critical Vulnerability

Published: 2009-05-04
Last Updated: 2009-05-04 17:43:16 UTC
by Tom Liston (Version: 1)
1 comment(s)

A critical vulnerability has been discovered in the JavaScript handling within Adobe Reader and Acrobat versions 9.1 and earlier.  According to the announcement, Adobe expects to make available Windows updates for Adobe Reader versions 9.X, 8.X, and 7.X and Acrobat versions 9.X, 8.X, and 7.X, Macintosh updates for Adobe Reader versions 9.X and 8.X and Acrobat versions 9.X and 8.X, as well as Adobe Reader for Unix versions 9.X and 8.X, by May 12th, 2009.  Additionally, there is a second vulnerability specific to Adobe Reader for Unix that will be resolved by this update as well.

In the meantime, you can perform mitigation steps by disabling JavaScript in Reader and Acrobat:

  1. Launch Acrobat or Adobe Reader.
  2. Select Edit>Preferences
  3. Select the JavaScript Category
  4. Uncheck the ‘Enable Acrobat JavaScript’ option
  5. Click OK

Ref:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1492
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1493

Remember back when we used to tell people to PDF documents because it was safer than dealing with MS Office?

(Thanks to "roseman" for the tip...)

Tom Liston - InGuardians - Handler on Duty
 

1 comment(s)
Diary Archives