Adobe Reader and Acrobat JavaScript Memory Corruption Vulnerabilities
RISK: Medium Risk
Two vulnerabilities have been identified in Adobe Reader and Acrobat, which could be exploited by attackers to compromise a vulnerable system.
1. A memory corruption error occurs when processing specially crafted data passed to the "getAnnots()" JavaScript method. Attackers could exploit it to crash an affected application or execute arbitrary code by tricking a user into opening a malicious PDF file.
2. A memory corruption error occurs when processing specially crafted data passed to the "customDictionaryOpen()" JavaScript method. Attackers could exploit it to crash an affected application or execute arbitrary code by tricking a user into opening a malicious PDF file.
Impact
- Remote Code Execution
System / Technologies affected
- Adobe Reader version 9.1 and prior
- Adobe Reader version 8.1.4 and prior
- Adobe Reader version 7.1.1 and prior
- Adobe Acrobat version 9.1 and prior
- Adobe Acrobat version 8.1.4 and prior
- Adobe Acrobat version 7.1.1 and prior
Solutions
Before installing the software, please visit the software manufacturer's website for more details.
Upgrade to Adobe Acrobat and Reader versions 9.1.1, 8.1.5, or 7.1.2:
http://www.adobe.com/support/security/bulletins/apsb09-06.html
Adobe Acrobat and Reader 7 updates for Macintosh will be available before the end of June.
Workarounds:
- Disable JavaScript in Adobe Reader and Acrobat.
- Do not open untrusted PDF documents.
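A triage check to support the workarounds above, as an added example that is not part of the original advisory: it flags PDF files that carry a JavaScript action and reference either method named in this advisory, looking in both the raw bytes and Flate-compressed streams. The function names and the sample bytes are constructed for illustration; a match means the file uses these APIs, not that it is malicious.

```python
import re
import zlib

# Method names taken from the advisory text.
FLAGGED_METHODS = (b"getAnnots", b"customDictionaryOpen")
# PDF name tokens that introduce a JavaScript action.
JS_MARKER_RE = re.compile(rb"/(?:JavaScript|JS)\b")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def _normalize(data: bytes) -> bytes:
    """Undo #xx name escapes so that /J#61vaScript reads as /JavaScript."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def _inflated_streams(data: bytes):
    """Yield every stream body that zlib can inflate (FlateDecode)."""
    for match in STREAM_RE.finditer(data):
        try:
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # uncompressed, or encoded with a filter not handled here


def triage_pdf(data: bytes) -> dict:
    """Report JavaScript presence and use of the advisory's two methods."""
    views = [_normalize(data)] + list(_inflated_streams(data))
    has_js = any(JS_MARKER_RE.search(view) for view in views)
    methods = sorted(
        {m.decode() for m in FLAGGED_METHODS for view in views if m in view}
    )
    return {"has_javascript": has_js, "flagged_methods": methods}


# Constructed sample: a PDF-like byte string with an ordinary getAnnots call
# held in a Flate stream and a hex-escaped /JavaScript name.
_SCRIPT = zlib.compress(b"var a = this.getAnnots({nPage: 0});")
SAMPLE = (
    b"%PDF-1.4\n1 0 obj\n<< /S /J#61vaScript /JS 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n" + _SCRIPT +
    b"\nendstream\nendobj\n"
)

if __name__ == "__main__":
    print(triage_pdf(SAMPLE))
```

Scripts stored under other stream filters or as hex or UTF-16 strings are not decoded by this check, so a clean result does not make an untrusted file safe to open.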
Vulnerability Identifier
Source
Related Link
- http://www.vupen.com/english/advisories/2009/1189
- http://secunia.com/advisories/34924/
- http://blogs.adobe.com/psirt/2009/04/update_on_adobe_reader_issue.html
- http://www.adobe.com/support/security/bulletins/apsb09-06.html
- http://www.us-cert.gov/cas/techalerts/TA09-133B.html
- http://www.vupen.com/english/advisories/2009/1317
- http://secunia.com/advisories/35096/
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-259028-1