Friday, February 20, 2009

Adobe Acrobat and Reader Vulnerability

Since so many of us use Adobe Acrobat or Adobe Reader, you should read this security bulletin from the National Cyber Alert System (http://www.us-cert.gov/).

=================================

National Cyber Alert System

Cyber Security Alert SA09-051A

Adobe Acrobat and Reader Vulnerability

Original release date: February 20, 2009 Last revised: --

Source: US-CERT

Systems Affected

Adobe Reader version 9 and earlier

Adobe Acrobat (Professional, 3D, and Standard) version 9 and earlier

Overview

Vulnerabilities in Adobe Reader and Acrobat may allow an attacker to take control of your computer. Adobe has released Security Bulletin APSB09-01, which describes this issue.

Solution

Disable JavaScript in Adobe Reader and Acrobat

Disabling Javascript may prevent exploitation of this vulnerability. Acrobat JavaScript can be disabled using the Preferences menu (Edit -> Preferences -> JavaScript and un-check Enable Acrobat JavaScript).

Disable the display of PDF documents in the web browser

Preventing PDF documents from opening inside a web browser will help mitigate this vulnerability.

To prevent PDF documents from automatically being opened in a web browser, do the following:

1. Open Adobe Acrobat Reader.

2. Open the Edit menu.

3. Choose the preferences option.

4. Choose the Internet section.

5. Un-check the "Display PDF in browser" check box.

Do not access PDF documents from untrusted sources

Do not open unfamiliar or unexpected PDF documents, particularly those hosted on web sites or delivered as email attachments. Please see Cyber Security Tip ST04-010.

Description

In Security Bulletin APSB09-01, Adobe describes an issue that affects some versions of Adobe Reader and Acrobat. By convincing a user to visit a web site and opening a malicious PDF file in the user's browser, an attacker could execute code or cause a computer to crash. Note that web browsers may be configured to open PDF files automatically.

More technical information is available in US-CERT Technical

Cyber Security Alert TA09-051A.

References

Adobe Security Bulletin apsa09-01 - <http://www.adobe.com/support/security/advisories/apsa09-01.html>

Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/>

Vulnerability Note VU#905281 - <http://www.kb.cert.org/vuls/id/905281>