
Adobe Reader and Acrobat JavaScript Memory Corruption Vulnerabilities

Last Update Date: 28 Jan 2011
Release Date: 29 Apr 2009

RISK: Medium Risk

Two vulnerabilities have been identified in Adobe Reader and Acrobat, which could be exploited by attackers to compromise a vulnerable system.

1. A memory corruption error occurs when processing specially crafted data passed to the "getAnnots()" JavaScript method. Attackers could exploit it to crash an affected application or execute arbitrary code by tricking a user into opening a malicious PDF file.

2. A memory corruption error occurs when processing specially crafted data passed to the "customDictionaryOpen()" JavaScript method. Attackers could exploit it to crash an affected application or execute arbitrary code by tricking a user into opening a malicious PDF file.


Impact

  • Remote Code Execution

System / Technologies affected

  • Adobe Reader version 9.1 and prior
  • Adobe Reader version 8.1.4 and prior
  • Adobe Reader version 7.1.1 and prior
  • Adobe Acrobat version 9.1 and prior
  • Adobe Acrobat version 8.1.4 and prior
  • Adobe Acrobat version 7.1.1 and prior

Solutions

Before installing the software, please visit the software manufacturer's website for more details.

  • Upgrade to Adobe Acrobat and Reader versions 9.1.1, 8.1.5, or 7.1.2:
    http://www.adobe.com/support/security/bulletins/apsb09-06.html

    Adobe Acrobat and Reader 7 updates for Macintosh will be available before the end of June.

  • Workarounds:
    - Disable JavaScript in Adobe Reader and Acrobat.
    - Do not open untrusted PDF documents.
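
A triage check for incoming PDFs that supports the workarounds above, as an added example that is not part of the original advisory: it reports whether a file carries JavaScript and whether that script calls getAnnots() or customDictionaryOpen(). Only the two method names come from the advisory; the function names, patterns and sample input are constructed for illustration.

```python
import re
import zlib

# Method names come from the advisory; everything else here is illustrative.
METHOD_CALL = re.compile(rb"\b(getAnnots|customDictionaryOpen)\s*\(")
JS_MARKER = re.compile(rb"/(?:JavaScript|JS)(?![A-Za-z0-9])")
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\n?endstream", re.S)

def decode_names(data: bytes) -> bytes:
    """Undo #xx hex escapes, which PDF permits inside names (/J#53 is /JS)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes):
    """Yield the body of each stream that zlib (FlateDecode) can inflate."""
    for m in STREAM.finditer(data):
        try:
            # decompressobj tolerates a clipped trailer byte; decompress() would not
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # uncompressed, differently filtered, or encrypted stream

def triage_pdf(data: bytes) -> dict:
    """Flag embedded JavaScript and calls to the two methods in the advisory."""
    views = [decode_names(v) for v in (data, *inflate_streams(data))]
    methods = {m.group(1).decode() for v in views for m in METHOD_CALL.finditer(v)}
    return {"javascript": any(JS_MARKER.search(v) for v in views),
            "methods": sorted(methods)}

def make_sample(script: bytes, action: bytes = b"/S /JavaScript /JS") -> bytes:
    """Build a constructed, minimal PDF-like byte string (not a real document)."""
    body = zlib.compress(script)
    length = str(len(body)).encode()
    return (b"%PDF-1.4\n1 0 obj\n<< " + action + b" 2 0 R >>\nendobj\n"
            + b"2 0 obj\n<< /Filter /FlateDecode /Length " + length + b" >>\n"
            + b"stream\n" + body + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    # Constructed script with harmless calls; the action names are hex-escaped.
    script = b"var a = this.getAnnots();\nspell.customDictionaryOpen();"
    print(triage_pdf(make_sample(script, b"/S /J#61vaScript /J#53")))
```

A clean result does not clear a file: scripts stored in hex strings, encrypted documents and streams using filters other than FlateDecode are not inspected by this check.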

