*** From the Archives ***

This article is from December 17, 2009, and is no longer current.

Adobe Reader and Acrobat 9.2 Vulnerable to Attack

Adobe has confirmed a critical vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions that could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild. Adobe recommends that you follow the steps in the “Solution” section below until a patch is available. Adobe plans to make available an update to Adobe Reader and Acrobat by January 12, 2010 to resolve the issue.
Solution
Customers using Adobe Reader or Acrobat versions 9.2 or 8.1.7 can utilize the JavaScript Blacklist Framework to prevent this vulnerability. Please refer to the TechNote for more information.
Customers who are not able to utilize the JavaScript Blacklist functionality can mitigate the issue by disabling JavaScript in Adobe Reader and Acrobat using the instructions below:
1. Launch Acrobat or Adobe Reader.
2. Select Edit > Preferences.
3. Select the JavaScript category.
4. Uncheck the ‘Enable Acrobat JavaScript’ option.
5. Click OK.
Customers using Microsoft DEP (“Data Execution Prevention”) functionality available in certain versions of Microsoft Windows are at reduced risk in the following configurations:
* All versions of Adobe Reader 9 running on Windows Vista SP1 or Windows 7
* Acrobat 9.2 running on Windows Vista SP1 or Windows 7
* Acrobat and Adobe Reader 9.2 running on Windows XP SP3
* Acrobat and Adobe Reader 8.1.7 running on Windows XP SP3, Windows Vista SP1, or Windows 7
With the DEP mitigation in place, the impact of this exploit has been reduced to a Denial of Service during our testing.
Severity rating
Adobe categorizes this as a critical issue and recommends that users follow the mitigation guidance above until a patch is available.
Details
Adobe has confirmed a critical vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions that could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild. Adobe recommends customers follow the mitigation guidance above until a patch is available. Adobe plans to make available an update to Adobe Reader and Acrobat by January 12, 2010 to resolve the issue.
You can read the entire security advisory here.
