Posted by PAW on 5/14/09 11:57am Msg #288477
Adobe Reader and Acrobat Vulnerabilities Cyber Alert
National Cyber Alert System
Cyber Security Alert SA09-133B
Adobe Reader and Acrobat Vulnerabilities
Original release date: May 13, 2009
Last revised: --
Source: US-CERT
Systems Affected
* Adobe Reader versions 9.1, 8.1.4, 7.1.1 and earlier
* Adobe Acrobat Standard, Pro, and Pro Extended versions 9.1, 8.1.4, 7.1.1 and earlier
Overview
Vulnerabilities in Adobe Reader and Acrobat may allow an attacker to take control of your computer. Adobe has released Security Bulletin APSB09-06, which describes these issues.
Solution
Update
Adobe has released updates to address this issue. Users are encouraged to read Adobe Security Bulletin APSB09-06 and update vulnerable versions of Adobe Reader and Acrobat.
Disable JavaScript in Adobe Reader and Acrobat
Disabling JavaScript prevents these vulnerabilities from being exploited and reduces attack surface. If this workaround is applied to updated versions of the Adobe Reader and Acrobat, it may protect against future vulnerabilities.
To disable JavaScript in Adobe Reader:
1. Open Adobe Acrobat Reader.
2. Open the Edit menu.
3. Choose the Preferences... option.
4. Choose the JavaScript section.
5. Uncheck the Enable Acrobat JavaScript check box.
Disabling JavaScript will not resolve the vulnerabilities; it will only disable the vulnerable JavaScript component. When JavaScript is disabled, Adobe Reader and Acrobat prompt to re-enable JavaScript when opening a PDF that contains JavaScript.
Disable the display of PDF documents in the web browser
Preventing PDF documents from opening inside a web browser reduces attack surface. If this workaround is applied to updated versions of the Adobe Reader and Acrobat, it may protect against future vulnerabilities. To prevent PDF documents from automatically being opened in a web browser with Adobe Reader:
1. Open Adobe Acrobat Reader.
2. Open the Edit menu.
3. Choose the preferences option.
4. Choose the Internet section.
5. Un-check the "Display PDF in browser" check box.
Do not access PDF documents from untrusted sources
Do not open unfamiliar or unexpected PDF documents, particularly those hosted on web sites or delivered as email attachments. Please see Cyber Security Tip ST04-010.
Description
In Security Bulletin APSB09-06, Adobe announces updates for two JavaScript vulnerabilities that affect Adobe Reader and Acrobat. By convincing a user to visit a web site and opening a malicious Adobe Portable Document Format (PDF) file, an attacker could execute code and take control of your computer. Note that web browsers are typically configured to open PDF files automatically.
More technical information is available in US-CERT Technical Cyber Security Alert TA09-133B.
References
* US-CERT Technical Cyber Security Alert TA09-133B - http://www.us-cert.gov/cas/techalerts/TA09-133B.html
* Cyber Security Tip ST04-010: Using Caution with Email Attachments - http://www.us-cert.gov/cas/tips/ST04-010.html
* Adobe Security Bulletin APSB09-06 - http://www.adobe.com/support/security/bulletins/apsb09-06.html
____________________________________________________________________
The most recent version of this document can be found at: http://www.us-cert.gov/cas/alerts/SA09-133B.html
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send email to [e-mail address] with "SA09-133B Feedback VU#970180" in the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this mailing list, visit http://www.us-cert.gov/cas/signup.html.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
|
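As an added example (not part of the US-CERT alert or of any post in this thread): a Python check a defender could run to see whether a PDF declares JavaScript before opening it, in line with the alert's advice on unexpected PDFs. It counts the PDF name tokens /JS and /JavaScript, including hex-escaped spellings. The tracked names, verdict labels and sample bytes are assumptions constructed for illustration; a byte-level scan cannot see into compressed object streams, so those files are reported as inconclusive.

```python
import re

# PDF names of interest: script actions, auto-run triggers, and object streams
# (object streams can hide other objects from a byte-level scan).
TRACKED = ("JS", "JavaScript", "OpenAction", "AA", "ObjStm")

# A PDF name is "/" followed by regular characters or #xx hex escapes.
NAME_RE = re.compile(rb"/((?:#[0-9A-Fa-f]{2}|[^\s/<>\[\](){}%#])+)")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript is counted as JavaScript."""
    unescaped = re.sub(rb"#([0-9A-Fa-f]{2})",
                       lambda m: bytes([int(m.group(1), 16)]), raw)
    return unescaped.decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Count occurrences of each tracked name in the raw file bytes."""
    counts = {name: 0 for name in TRACKED}
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in counts:
            counts[name] += 1
    return counts


def verdict(data: bytes) -> str:
    counts = scan_pdf(data)
    if counts["JS"] or counts["JavaScript"]:
        return "contains-javascript"
    if counts["ObjStm"]:
        return "inconclusive"  # script objects may sit inside compressed streams
    return "no-javascript-seen"


# Constructed sample fragments (not real documents, not from the alert).
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SAMPLE_JS = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
             b"3 0 obj\n<< /S /J#61vaScript /#4AS (void 0;) >>\nendobj\n")
SAMPLE_OBJSTM = (b"%PDF-1.5\n5 0 obj\n"
                 b"<< /Type /ObjStm /N 2 /First 10 /Length 0 >>\nendobj\n")

if __name__ == "__main__":
    for label, blob in (("plain", SAMPLE_PLAIN), ("js", SAMPLE_JS),
                        ("objstm", SAMPLE_OBJSTM)):
        print(label, verdict(blob), scan_pdf(blob))
```

A "no-javascript-seen" result only means no script names were visible in the raw bytes; it does not replace applying the update.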
Reply by NC_Notary on 5/14/09 1:04pm Msg #288494
Thanks for the information. I currently have Adobe 9.0.0 and did not see a specific patch update for this version. I went to use the patch for 9.1.1 and it would not allow me to do that. Does this mean the version I have is OK or should I download the latest full version?
Also, by disabling the JavaScript, what does that do? Will I notice anything different when I am using Adobe?
Thanks again
|
Reply by MW/VA on 5/14/09 1:10pm Msg #288497
Thanks for the alert, Paul. There is something strange going on. I got an updates alert from Adobe, but the update wouldn't download. I have the same question re disabling JavaScript. Will it change the function?
|
Reply by Linda Spanski on 5/14/09 1:05pm Msg #288495
Thanks for posting this! n/m
|
Reply by PAW on 5/14/09 1:38pm Msg #288504
Everyone should be using Reader 9.1.1
Previous versions, including v8.x, have the vulnerability. Open the Reader, click on the "Help" menu item and select "Check for updates..." It should allow you to upgrade to 9.1.1 which contains the fix.
The vulnerability in Adobe Reader 9 and previous versions that is affecting all platforms is rated critical. The vulnerability can be used to crash an application and allow an attacker to take control of the computer system.
There is another recommendation (by US-CERT) which is helpful for users of other operating systems or Windows users who do not like the idea of replacing a DLL on the computer system:
* Disabling JavaScript in Adobe Reader by going to Edit > Preferences > JavaScript and unchecking enable Acrobat JavaScript.
* Preventing IE from automatically displaying PDFs. This can be done via a Registry tweak described on the US-CERT notification.
* Disable rendering of PDFs within web pages. This can be done from the Edit-Preferences menu in Adobe Reader.
It is recommended to act swiftly to prevent the vulnerability from being exploited on the computer system. Users of third party PDF software programs are not affected by the vulnerability.
|
Reply by Susan Fischer on 5/14/09 2:07pm Msg #288510
Thanks, Paul. What would we do without you? Oh, perish the thought. The update was easy peasy.
|
Reply by Richard Ingram on 5/14/09 2:50pm Msg #288519
Re: Everyone should be using Reader 9.1.1
Thanks Paul, You are extra special and we all owe you a sincere debt of gratitude. Your knowledge and willingness to share is a blessing to all.
|
Reply by jojo_MN on 5/14/09 4:02pm Msg #288522
Re: Everyone should be using Reader 9.1.1
Thanks, Paul. I just updated, but it only updated to 9.1. ??
You're the greatest!
|
Reply by NC_Notary on 5/14/09 4:25pm Msg #288524
I updated to 9.1 and then did the update for 9.1.1 separate n/m
|
Reply by JanetK_CA on 5/14/09 5:40pm Msg #288529
Adding my thanks, PAW & to NC_Notary, too!! Timely advice! n/m
|
Reply by MW/VA on 5/14/09 8:41pm Msg #288542
Re: Everyone should be using Reader 9.1.1
Well, I had a lot of problems with 9.1 and went back to an older version. What is the sudden host of problems with Adobe Reader anyway?
|
Reply by titleme2nc on 5/15/09 12:02am Msg #288551
Re: Everyone should be using Reader 9.1.1
Paw, I have been avoiding doing the Upgrade. And due to the Respect that I and so many others have for you on this site, I am more than willing to follow suit. But, when I checked for upgrades, I could only find upgrades from 6.0.2 thru 7.0. Can you tell me what I am missing? I have disabled the javascript and PDF web displayer in the version that I am using. It seems that 6.0 has been working so far, but should I upgrade to the 7.0 then upgrade again to 9.1.1?
And as others have said; "You're Da Man" Thank you.
|
Reply by PAW on 5/15/09 6:43am Msg #288563
Re: Everyone should be using Reader 9.1.1
Being that far behind (i.e., unsupported versions), I suggest completely removing the Reader from your system and installing the latest version as if it were new. After installing version 9.1.0, do the update to apply the patch.
|
Reply by Teddog/CO on 5/14/09 7:07pm Msg #288534
Thanks for the heads up PAW :) n/m
|