Security Alerts
March 5, 2009
Adobe Acrobat and Reader JavaScript Vulnerabilities
Vulnerability Identifiers: APSB08-19, APSB08-13, APSA09-01; all platforms (Windows, Mac)
Two Adobe Acrobat security vulnerabilities have recently been seen on Stanford machines. They involve a series of critical JavaScript vulnerabilities (APSB08-19, APSB08-13) that affect Acrobat and Reader versions 7 and 8, but not version 9. Updating to version 7.1.0, 8.1.3, or 9 will patch these vulnerabilities. Security updates are now available as BigFix fixlets (Windows only) for console operators to deploy manually. Updates are also available directly from Adobe. Acrobat 8.X may require up to four layered updates, depending on which 8.X version is installed: from Acrobat 8.0 to 8.1, from 8.1 to 8.1.1, from 8.1.1 to 8.1.2, then from 8.1.2 to 8.1.3. The Information Security Office recommends that system administrators and BigFix Console Operators check whether they have vulnerable machines and apply the updates on applicable systems, either directly from Adobe or as BigFix fixlets.
Additionally, on February 19th, 2009, Adobe identified another critical vulnerability in Adobe Reader 9 and Acrobat 9 and earlier versions of these products (APSA09-01). This vulnerability could cause the application to crash and potentially allow an attacker to take control of the affected system. Adobe has announced plans to release a patch update by March 11, 2009 for version 9, and a follow-up round for versions 7/8 by March 18th, 2009. In the meantime, many sources, including Adobe, recommend that users disable support for JavaScript in Adobe Reader/Acrobat to prevent exploitation. While this may prevent many of the exploits from successfully executing arbitrary code, it does not protect against the vulnerability itself. Working exploits have been crafted without the use of JavaScript ( http://secunia.com/blog/44/ ). Users of Adobe Reader/Acrobat should be advised to exercise caution when deciding which PDF files to open, regardless of whether JavaScript is disabled. System administrators and BigFix Console Operators should watch for the patch from Adobe and apply the update on applicable systems.
**** SU BigFix Fixlets Available to Patch for APSB08-19 & APSB08-13 ****
Acrobat Version 7 BigFix Fixlets:
9071008 Adobe Acrobat 7.1.0 Available - Update to Acrobat 7.1.0 (Professional Edition)
9071009 Adobe Acrobat 7.1.0 Available - Update to Acrobat 7.1.0 (Standard Edition)
Reader 7 BigFix Fixlets:
8071001 Adobe Reader 7.1.0 Available - Update to Reader 7.1.0
Acrobat 8 BigFix Fixlets:
9081002 Adobe Acrobat 8.1 Available - Update from Adobe Acrobat 8.0
9081001 Adobe Acrobat 8.1.1 Available - Update from Adobe Acrobat 8.1.0
9081003 Adobe Acrobat 8.1.2 Available - Update from Adobe Acrobat 8.1.1
9081007 Adobe Acrobat 8.1.3 Available - Update from Adobe Acrobat 8.1.2
Reader 8 BigFix Fixlet:
8081002 Adobe Reader 8.1.3 - Update to Reader 8.1.3
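The layered update order above can be worked out per machine from an inventory export. The following is an added example, not part of the original alert or of BigFix itself: it maps an installed product and version to the ordered fixlet IDs listed here. The product keys (acrobat-pro, acrobat-std, reader) and the sample inventory rows are assumptions made for illustration.

```python
# Added example. Fixlet IDs and fixed versions come from this advisory;
# product keys and SAMPLE_INVENTORY are constructed for illustration.

# Acrobat 8 updates are layered: each step applies only on top of the previous one.
ACROBAT8_CHAIN = [  # (version reached, fixlet ID), in required order
    ((8, 1, 0), "9081002"),
    ((8, 1, 1), "9081001"),
    ((8, 1, 2), "9081003"),
    ((8, 1, 3), "9081007"),
]
# Products the advisory patches with a single fixlet: (fixed version, fixlet ID).
SINGLE_STEP = {
    ("acrobat-pro", 7): ((7, 1, 0), "9071008"),
    ("acrobat-std", 7): ((7, 1, 0), "9071009"),
    ("reader", 7): ((7, 1, 0), "8071001"),
    ("reader", 8): ((8, 1, 3), "8081002"),
}
SAMPLE_INVENTORY = [  # constructed rows: (host, product, installed version)
    ("ws-01", "acrobat-pro", "8.0"), ("ws-02", "reader", "8.1.2"),
    ("ws-03", "acrobat-std", "8.1.1"), ("ws-04", "reader", "9.0"),
]

def parse_version(text):
    """Turn '8.1' or '8.1.2' into a comparable 3-tuple such as (8, 1, 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def fixlets_needed(product, version_text):
    """Ordered fixlet IDs that bring one install to 7.1.0 / 8.1.3; [] if none apply."""
    version = parse_version(version_text)
    major = version[0]
    if major >= 9:  # version 9 is not affected by APSB08-19 / APSB08-13
        return []
    if product.startswith("acrobat") and major == 8:
        return [fid for reached, fid in ACROBAT8_CHAIN if reached > version]
    if (product, major) not in SINGLE_STEP:
        raise ValueError(f"not covered by this advisory: {product} {version_text}")
    fixed, fid = SINGLE_STEP[(product, major)]
    return [fid] if version < fixed else []

def triage(inventory):
    """Map host -> ordered fixlet list, keeping only hosts that still need patching."""
    plan = {host: fixlets_needed(product, ver) for host, product, ver in inventory}
    return {host: ids for host, ids in plan.items() if ids}
```

An empty result only means none of the fixlets above apply; it says nothing about APSA09-01, for which no patch was available when this alert was written.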
**** Adobe Security Update Sites to Patch for APSB08-19 & APSB08-13 ****
APSB08-13 Security Updates available for Adobe Reader and Acrobat 7 and 8
(all O/S platforms, affected versions: 8.1.2 and earlier 7.X / 8.X)
http://www.adobe.com/support/security/bulletins/apsb08-13.html
APSB08-19 Security Update for Adobe Reader 8 and Acrobat 8
(all O/S platforms, affected versions: 8.1.1 and earlier 8.X)
http://www.adobe.com/support/security/bulletins/apsb08-19.html

