US-CERT Cyber Security Alert SA09-161A -- Adobe Acrobat and Reader Vulnerabilities

National Cyber Alert System
Cyber Security Alert SA09-161A

Adobe Acrobat and Reader Vulnerabilities

Original release date: June 10, 2009
Last revised: --
Source: US-CERT

Systems Affected

Adobe Reader versions 9.1.1 and earlier
Adobe Acrobat (Standard, Professional, and 3D) versions 9.1.1 and earlier

Overview

Vulnerabilities in Adobe Reader and Acrobat may allow an attacker to take control of your computer. Adobe has released Security Bulletin APSB09-07, which describes the issues.

Solution

Update

Adobe has released updates to address this issue. Users are encouraged to read Adobe Security Bulletin APSB09-07 and update vulnerable versions of Adobe Reader and Acrobat.

Disable JavaScript in Adobe Reader and Acrobat

Disabling Javascript may prevent some exploits from resulting in code execution. Acrobat JavaScript can be disabled using the Preferences menu:

Open the Edit menu.

Select Preferences.

Choose JavaScript.

Un-check Enable Acrobat JavaScript.

Disable the display of PDF documents in the web browser

Preventing PDF documents from opening inside a web browser will partially mitigate this vulnerability. This workaround may also mitigate future vulnerabilities.

To prevent PDF documents from automatically being opened in a web browser, do the following:

Open Adobe Acrobat Reader.

Open the Edit menu.

Choose the Preferences option.

Choose the Internet section.

Un-check the Display PDF in browser check box.

Do not access PDF documents from untrusted sources

Do not open unfamiliar or unexpected PDF documents, particularly those hosted on websites or delivered as email attachments. See Cyber Security Tip ST04-010.

Description

In Security Bulletin APSB09-07, Adobe describes issues that affect some versions of Adobe Reader and Acrobat. By convincing a user to visit a website and opening a malicious PDF file in the user's browser, an attacker could execute code or cause a computer to crash. Note that web browsers may be configured to open PDF files automatically.

More technical information is available in US-CERT Technical Cyber Security Alert TA09-161A.

References

US-CERT Technical Cyber Security Alert TA09-161A - <http://www.us-cert.gov/cas/techalerts/TA09-161A.html>
Adobe Security Bulletin APSB09-07 - <http://www.adobe.com/support/security/bulletins/apsb09-07.html>
Cyber Security Tip ST04-010: Using Caution with Email Attachments - <http://www.us-cert.gov/cas/tips/ST04-010.html>

Feedback can be directed to US-CERT.

Produced 2009 by US-CERT, a government organization. Terms of use

Revision History

June 10, 2009: Initial release

Last updated June 10, 2009