Buffer overflow issues in Adobe Reader and Acrobat

Discussion in 'other security issues & news' started by NICK ADSL UK, May 4, 2009.

Thread Status:
Not open for further replies.
  1. NICK ADSL UK

    NICK ADSL UK Administrator

    Joined:
    May 13, 2003
    Posts:
    9,217
    Location:
    UK
    Summary

    A critical vulnerability has been identified in Adobe Reader 9.1 and Acrobat 9.1 and earlier versions. This vulnerability (CVE-2009-1492) would cause the application to crash and could potentially allow an attacker to take control of the affected system. A second vulnerability has also been reported that appears to affect Adobe Reader for Unix only (CVE-2009-1493).

    Adobe is planning to release product updates to Adobe Reader and Acrobat to resolve the relevant security issues. Adobe expects to make available Windows updates for Adobe Reader versions 9.X, 8.X, and 7.X and Acrobat versions 9.X, 8.X, and 7.X, Macintosh updates for Adobe Reader versions 9.X and 8.X and Acrobat versions 9.X and 8.X, as well as Adobe Reader for Unix versions 9.X and 8.X, by May 12th, 2009. The Adobe Reader for Unix updates will resolve both security issues. A security bulletin will be published at http://www.adobe.com/support/security as soon as product updates are available.

    In the meantime, to mitigate the issue disable JavaScript in Adobe Reader and Acrobat using the following instructions below:

    1. Launch Acrobat or Adobe Reader.
    2. Select Edit>Preferences
    3. Select the JavaScript Category
    4. Uncheck the ‘Enable Acrobat JavaScript’ option
    5. Click OK

    http://www.adobe.com/support/security/advisories/apsa09-02.html
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,727
    Location:
    Texas
    Story
     
  3. PsychEroc

    PsychEroc Registered Member

    Joined:
    May 3, 2009
    Posts:
    14
  4. prius04

    prius04 Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    1,238
    Location:
    USA
    If you're using the free version (Adobe Reader), why not simply get rid of it and use an alternative, as the article suggests? I blasted all traces of AR off my systems many, many months ago and have never regretted doing so.

    Currently, I'm using PDF-XChange Viewer (of course there are others available):
    http://www.docu-track.com/downloads/users

    Here's their Secunia track record thus far:
    http://secunia.com/advisories/product/18144/
     
  5. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Would a home user typically need JavaScript enabled in Adobe Reader? What added benefits or features would JavaScript provide when embedded in a PDF?

    FWIW, I've been using Foxit Reader for a while so my question above is just out of curiosity.
     
  6. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564