Security bulletin

Security Advisory for Adobe Reader and Acrobat

Release date: February 13, 2013

Last updated: February 20, 2013

Vulnerability identifier: APSA13-02

CVE number: CVE-2013-0640, CVE-2013-0641

Platform: All Platforms

Summary

Adobe has identified critical vulnerabilities (CVE-2013-0640, CVE-2013-0641) in Adobe Reader and Acrobat XI (11.0.01 and earlier) for Windows and Macintosh, X (10.1.5 and earlier) for Windows and Macintosh, 9.5.3 and earlier 9.x versions for Windows and Macintosh, and Adobe Reader 9.5.3 and earlier 9.x versions for Linux.  These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system. 

Adobe is aware of reports that these vulnerabilities are being exploited in the wild in targeted attacks designed to trick Windows users into clicking on a malicious PDF file delivered in an email message.

Adobe recommends users update their product installations to the latest versions using the instructions provided in the "Solution" section in Security Bulletin APSB13-07.

Affected Software Versions

  • Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh
  • Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh
  • Adobe Reader 9.5.3 and earlier 9.x versions for Windows, Macintosh and Linux
  • Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh
  • Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh
  • Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh

Details

Users may monitor the latest information on the Adobe Product Security Incident Response Team blog at http://blogs.adobe.com/psirt or by subscribing to the RSS feed at http://blogs.adobe.com/psirt/atom.xml.

Adobe actively shares information about this and other vulnerabilities with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available.  As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date.

Revisions

February 20, 2013: Advisory updated with information about the corresponding updates and a link to Security Bulletin APSB13-07.
February 16, 2013: Advisory updated with release schedule.
February 14, 2013: Advisory updated with information on Linux platform.
February 13, 2013: Advisory released.