Security bulletin

Security Advisory for Adobe Reader and Acrobat

Release date: December 15, 2009

Last updated: December 15, 2009

Vulnerability identifier: APSA09-07

CVE number: CVE-2009-4324

Platform: All Platforms

Summary

Adobe has confirmed a critical vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions that could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild. Adobe recommends customers follow the mitigation guidance below until a patch is available.

Adobe plans to make available an update to Adobe Reader and Acrobat by January 12, 2010 to resolve the issue.

Affected software versions

Adobe Reader 9.2 and earlier versions for Windows, Macintosh, and UNIX
Adobe Acrobat 9.2 and earlier versions for Windows and Macintosh

Solution

Customers using Adobe Reader or Acrobat versions 9.2 or 8.1.7 can utilize the JavaScript Blacklist Framework to prevent this vulnerability. Please refer to the TechNote for more information.

Customers who are not able to utilize the JavaScript Blacklist functionality can mitigate the issue by disabling JavaScript in Adobe Reader and Acrobat using the instructions below:

1. Launch Acrobat or Adobe Reader.
2. Select Edit > Preferences.
3. Select the JavaScript category.
4. Uncheck the 'Enable Acrobat JavaScript' option.
5. Click OK.

Customers using Microsoft DEP ("Data Execution Prevention") functionality available in certain versions of Microsoft Windows are at reduced risk in the following configurations:

  • All versions of Adobe Reader 9 running on Windows Vista SP1 or Windows 7
  • Acrobat 9.2 running on Windows Vista SP1 or Windows 7
  • Acrobat and Adobe Reader 9.2 running on Windows XP SP3
  • Acrobat and Adobe Reader 8.1.7 running on Windows XP SP3, Windows Vista SP1, or Windows 7

With the DEP mitigation in place, the impact of this exploit was reduced to a denial of service during our testing.
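For administrators who need to verify the two mitigations described above (JavaScript disabled or blacklisted, and DEP covering Reader/Acrobat) across Windows hosts, the following PowerShell script is an added example; it is not part of this advisory or of Adobe's TechNote. The registry locations it reads (the per-user `JSPrefs\bEnableJS` preference and the machine-wide `FeatureLockDown` policy keys with `cJavaScriptPerms\tBlackList`) are taken from Adobe's preference documentation and are assumptions here, as is the pipe-delimited format of `tBlackList`; the specific JavaScript API name to blacklist for this issue is given in the TechNote and is not supplied by the script.

```powershell
# Added example (not Adobe's code): audit the advisory's mitigations on a Windows host.
# Registry paths below are assumptions from Adobe's preference documentation.

# Per-user "Enable Acrobat JavaScript" preference; bEnableJS = 0 is the state the
# Edit > Preferences steps in the advisory produce. One key per product/version.
$JsPrefKeys = @(
    'HKCU:\Software\Adobe\Acrobat Reader\9.0\JSPrefs',
    'HKCU:\Software\Adobe\Acrobat Reader\8.0\JSPrefs',
    'HKCU:\Software\Adobe\Adobe Acrobat\9.0\JSPrefs',
    'HKCU:\Software\Adobe\Adobe Acrobat\8.0\JSPrefs'
)

# Machine-wide policy keys used by the JavaScript Blacklist Framework (tBlackList)
# and by the global JavaScript lock (bEnableJS under FeatureLockDown).
$LockDownKeys = @(
    'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockDown',
    'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\8.0\FeatureLockDown',
    'HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\9.0\FeatureLockDown',
    'HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\8.0\FeatureLockDown'
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-AcrobatJavaScriptMitigation {
    # One row per installed product/version: is JavaScript disabled by the user
    # preference, locked off by policy, or restricted by a blacklist?
    $results = @()
    foreach ($key in $JsPrefKeys) {
        if (-not (Test-Path $key)) { continue }
        $status = if ((Get-RegValue $key 'bEnableJS') -eq 0) { 'JavaScript disabled' } else { 'JavaScript ENABLED' }
        $results += New-Object PSObject -Property @{ Scope = 'User preference'; Key = $key; Status = $status }
    }
    foreach ($key in $LockDownKeys) {
        if (-not (Test-Path $key)) { continue }
        $blacklist = Get-RegValue "$key\cJavaScriptPerms" 'tBlackList'
        if ((Get-RegValue $key 'bEnableJS') -eq 0) { $status = 'JavaScript locked off by policy' }
        elseif ($blacklist)                        { $status = "Blacklist in effect: $blacklist" }
        else                                       { $status = 'No lockdown or blacklist' }
        $results += New-Object PSObject -Property @{ Scope = 'Machine policy'; Key = $key; Status = $status }
    }
    return $results
}

function Set-AcrobatJavaScriptBlacklist {
    # Write the blacklist entries (Object.method names, as listed in the TechNote the
    # advisory references) to every FeatureLockDown key present. Requires elevation.
    # tBlackList is a REG_SZ of entries separated by '|' (assumed format).
    param([Parameter(Mandatory = $true)][string[]]$Entries)
    foreach ($key in $LockDownKeys) {
        if (-not (Test-Path $key)) { continue }
        $permsKey = "$key\cJavaScriptPerms"
        if (-not (Test-Path $permsKey)) { New-Item -Path $permsKey -Force | Out-Null }
        Set-ItemProperty -Path $permsKey -Name 'tBlackList' -Value ($Entries -join '|') -Type String
    }
}

function Test-DepPolicy {
    # DEP support policy from WMI: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut.
    # Under OptIn (the client default) only Windows binaries and applications that
    # opt in are protected; the advisory's reduced-risk configurations assume
    # Reader/Acrobat is actually running under DEP, so check the policy, not just availability.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    New-Object PSObject -Property @{
        DepAvailable = $os.DataExecutionPrevention_Available
        DepPolicy    = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
    }
}

Test-AcrobatJavaScriptMitigation | Format-Table Scope, Status, Key -AutoSize
Test-DepPolicy
```

Run the audit as the user whose Reader profile is being checked; the `HKLM` policy keys and `Set-AcrobatJavaScriptBlacklist` need an elevated session. A host is mitigated when every row reports either a disabled preference, a policy lockdown, or a blacklist containing the API named in the TechNote, and `DepPolicy` is `AlwaysOn` or `OptOut` (or the Reader/Acrobat process is otherwise confirmed to opt in).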

Severity rating

Adobe categorizes this as a critical issue and recommends that users follow the mitigation guidance above until a patch is available.

Details

Adobe has confirmed a critical vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions that could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild. Adobe recommends customers follow the mitigation guidance above until a patch is available. Adobe plans to make available an update to Adobe Reader and Acrobat by January 12, 2010 to resolve the issue.

Adobe actively shares information about this and other vulnerabilities with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. Adobe recommends that you keep your anti-malware software and definitions up-to-date and monitor releases from your vendor about this issue.

Revisions

December 15, 2009 - Planned release date for Adobe Reader and Acrobat update to resolve issue added
December 15, 2009 - Bulletin first created