Adobe Releases Patch for Critical Acrobat Vulnerability

Posted on May 13th, 2009 by Ryan Spanier

GSA Reference Number: AD090513-01

Simply Put: Adobe has released a patch for the critical vulnerability affecting its Acrobat products. This vulnerability was previously discussed in Gladiator Advisory AD090430-01 on April 30th, which stated that all versions of Adobe Reader and Adobe Acrobat, on all operating systems, are affected by a critical JavaScript vulnerability.

Vulnerability Details: The attack occurs when a user opens a malicious PDF document in either Adobe Acrobat or Adobe Reader. The PDF contains malicious JavaScript code that may allow attackers to execute arbitrary code. Currently, the JavaScript methods customDictionaryOpen() and getAnnots() do not safely handle specially crafted arguments and can be used to execute arbitrary code on the machine.

Countermeasures: Gladiator recommends that users install the patch from Adobe as soon as possible to mitigate the risks from this vulnerability.  The patch is available in the Adobe Security Bulletin below.
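
A triage check for the two methods named under Vulnerability Details, as an added example that is not from Gladiator or Adobe: it flags PDFs carrying JavaScript that references customDictionaryOpen() or getAnnots(), looking inside Flate-compressed streams and undoing #xx name escapes. It assumes the method names appear literally in the script, so obfuscated JavaScript will not be flagged and a clean result does not replace patching; all function names and the sample input are constructed for illustration.

```python
import re
import zlib

# Method names taken from the advisory text.
FLAGGED_METHODS = (b"customDictionaryOpen", b"getAnnots")
# PDF name objects that introduce JavaScript actions.
JS_NAMES = (b"/JavaScript", b"/JS")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name_escapes(data: bytes) -> bytes:
    """Undo #xx escapes, which PDF permits inside names (/J#61vaScript)."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Concatenate the contents of every stream that zlib can inflate."""
    out = []
    for match in STREAM_RE.finditer(data):
        try:
            out.append(zlib.decompressobj().decompress(match.group(1)))
        except zlib.error:
            continue  # not Flate-compressed, or a filter not handled here
    return b"\n".join(out)


def triage_pdf(data: bytes) -> dict:
    """Report JavaScript markers and flagged method names found in a PDF."""
    searchable = decode_name_escapes(data) + b"\n" + inflate_streams(data)
    has_js = any(name in searchable for name in JS_NAMES)
    methods = sorted(m.decode() for m in FLAGGED_METHODS if m in searchable)
    return {"has_javascript": has_js, "flagged_methods": methods,
            "review": has_js and bool(methods)}


def constructed_sample() -> bytes:
    """Constructed, harmless PDF-like fragment for demonstration only."""
    script = zlib.compress(b"var a = this.getAnnots();")
    return (b"%PDF-1.4\n1 0 obj\n<< /S /J#61vaScript /JS 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Filter /FlateDecode /Length "
            + str(len(script)).encode()
            + b" >>\nstream\n" + script + b"\nendstream\nendobj\n")


if __name__ == "__main__":
    print(triage_pdf(constructed_sample()))
```

A file with "review" set to True warrants closer inspection before it is opened on an unpatched system.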

Reference Links:
