Critical Adobe Security bulletin - Security Updates available for Adobe Reader and Acrobat
Link: http://www.adobe.com/support/security/bulletins/apsb09-04.html
Security bulletin
Security Updates available for Adobe Reader and Acrobat
Release date: March 18, 2009
Vulnerability identifier: APSB09-04
CVE number: CVE-2009-0658, CVE-2009-0927
Platform: Windows and Macintosh
Summary
Critical vulnerabilities have been identified in Adobe Reader 9 and Acrobat 9
and earlier versions. These vulnerabilities would cause the application to crash
and could potentially allow an attacker to take control of the affected system.
There are reports that one of these issues is being exploited
(CVE-2009-0658).
Adobe recommends users of Adobe Reader and Acrobat 9 update to Adobe Reader
9.1 and Acrobat 9.1. Adobe recommends users of Acrobat 8 update to Acrobat
8.1.4, and users of Acrobat 7 update to Acrobat 7.1.1. For Adobe Reader users
who can’t update to Adobe Reader 9.1, Adobe has provided the Adobe Reader 8.1.4
and Adobe Reader 7.1.1 updates.
These updates resolve the issue from Security Advisory APSA09-01 and Security Bulletin APSB09-03. Users who
have previously updated to Adobe Reader 9.1 and Acrobat 9.1 for Windows and
Macintosh need not take any action. Adobe now plans to make available Adobe
Reader 9.1 and Adobe Reader 8.1.4 for Unix by March 24.
Affected software versions
Adobe Reader 9 and earlier versions
Adobe Acrobat 9 Standard, Pro, and Pro
Extended and earlier versions
Solution
Adobe Reader
Adobe recommends Adobe Reader users update to Adobe Reader 9.1, available
here:
http://get.adobe.com/reader/
Users with Adobe Reader 7.0 through 8.1.3, who can’t update to Adobe Reader
9.1, should update to Adobe Reader 8.1.4 or Adobe Reader 7.1.1, available from
one of the following links:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh
Acrobat 9
Adobe recommends Acrobat 9 Standard and Acrobat 9 Pro users on Windows update
to Acrobat 9.1, available at the following URLs:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=4375
http://www.adobe.com/support/downloads/detail.jsp?ftpID=4382
Adobe recommends Acrobat 9 Pro Extended users on Windows update to Acrobat
9.1, available here:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=4381
Adobe recommends Acrobat 9 Pro users on Macintosh update to Acrobat 9.1,
available here:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=4374
Acrobat 8
Adobe recommends Acrobat 8 users on Windows update to Acrobat 8.1.4,
available here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
Adobe recommends Acrobat 8 users on Macintosh update to Acrobat 8.1.4,
available here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh
Adobe recommends Acrobat 3D Version 8 users on Windows update to Acrobat 3D
Version 8.1.4, available here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows
Acrobat 7
Adobe recommends Acrobat 7 users on Windows update to Acrobat 7.1.1,
available here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
Adobe recommends Acrobat 7 users on Macintosh update to Acrobat 7.1.1,
available here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh
Adobe recommends Acrobat 3D Version 7 users on Windows update to Acrobat 3D
Version 7.1.1, available here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows
Severity rating
Adobe categorizes this as a critical update
and recommends that users apply the update for their product installations.
Details
Critical vulnerabilities have been identified in Adobe Reader and Acrobat 9
and earlier versions. These vulnerabilities would cause the application to crash
and could potentially allow an attacker to take control of the affected
system.
Adobe recommends users of Acrobat and Adobe Reader update their product
installations to versions 9.1, 8.1.4, or 7.1.1 using the instructions above to
protect themselves from potential vulnerabilities.
These updates resolve the JBIG2 filter buffer overflow issue from Security Advisory APSA09-01 and Security Bulletin APSB09-03 (CVE-2009-0658).
Note: there are reports that this issue is being exploited.
The Adobe Reader and Acrobat 9.1 and 7.1.1 updates resolve an input
validation issue in a JavaScript method that could potentially lead to remote
code execution. This issue has already been resolved in Adobe Reader 8.1.3 and
Acrobat 8.1.3. (CVE-2009-0927)
The Adobe Reader 7.1.1 and Acrobat 7.1.1 updates resolve issues previously
addressed in Adobe Reader and Acrobat 8.1.3 and later, and Adobe Reader and
Acrobat 9 and later. (CVE-2008-4814, CVE-2008-4813, CVE-2008-2549)
Users may also monitor the latest information on the Adobe Product Security
Incident Response Team blog at the following URL: http://blogs.adobe.com/psirt or by
subscribing to the RSS feed here: http://blogs.adobe.com/psirt/atom.xml.
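The version cut-offs in the Details section differ per branch (8.1.3 already carries the CVE-2009-0927 fix but not the JBIG2 one), which is easy to get wrong when checking a fleet by hand. The following is an added example, not part of Adobe's bulletin: it encodes the fix versions stated above and reports which fixes an installed version lacks. The function names and the sample inventory are constructed for illustration.

```python
# Added example: fix versions transcribed from bulletin APSB09-04.
# Function names and the sample inventory are constructed for illustration.

_OLDER = {7: (7, 1, 1), 8: (8, 1, 3), 9: (9, 0, 0)}

# CVE -> {major branch: first release in that branch that carries the fix}
FIXED_IN = {
    "CVE-2009-0658": {7: (7, 1, 1), 8: (8, 1, 4), 9: (9, 1, 0)},  # JBIG2 filter
    "CVE-2009-0927": {7: (7, 1, 1), 8: (8, 1, 3), 9: (9, 1, 0)},  # JavaScript method
    "CVE-2008-4814": _OLDER,
    "CVE-2008-4813": _OLDER,
    "CVE-2008-2549": _OLDER,
}


def parse_version(text):
    """Turn '8.1.3' or '9.0.0.332' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def missing_fixes(version):
    """Return the sorted CVE ids whose fix this Reader/Acrobat version lacks."""
    v = parse_version(version)
    if v[0] > 9:
        return []  # releases after 9.x are outside this bulletin's scope
    # Assumption: branches before 7 have no fixed release named in the
    # bulletin ("9 and earlier versions" are affected), so every fix is missing.
    return sorted(cve for cve, fixes in FIXED_IN.items()
                  if fixes.get(v[0]) is None or v < fixes[v[0]])


def audit(inventory):
    """Map host -> missing CVE fixes, keeping only hosts that still need an update."""
    report = {}
    for host, version in inventory.items():
        gaps = missing_fixes(version)
        if gaps:
            report[host] = gaps
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {"ws-01": "9.0", "ws-02": "8.1.3", "ws-03": "7.1.0", "ws-04": "9.1"}

if __name__ == "__main__":
    for host, gaps in audit(SAMPLE).items():
        print(host, SAMPLE[host], "missing:", ", ".join(gaps))
```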
Acknowledgments
Adobe would like to thank the following individuals and organizations for
reporting the relevant issues and for working with Adobe to help protect our
customers’ security:
- Tenable Network Security reported through TippingPoint’s Zero Day Initiative (CVE-2009-0927)
- Thomas Garnier of SkyRecon Systems (CVE-2008-4814)
- Peter Vreugdenhil reported through TippingPoint’s Zero Day Initiative (CVE-2008-4813)