Vulnerabilities in Adobe Reader and Acrobat may allow an attacker to take control of your computer. Adobe has released Security Advisory APSA09-01, which describes this issue.
Update
Adobe has released updates to address this issue. Users are encouraged to read Adobe Security Bulletins APSB09-03 and APSB09-04 and update vulnerable versions of Adobe Reader and Acrobat.
Disable JavaScript in Adobe Reader and Acrobat
Disabling Javascript may prevent exploitation of this vulnerability. Acrobat JavaScript can be disabled using the Preferences menu (Edit -> Preferences -> JavaScript and un-check Enable Acrobat JavaScript).Disable the display of PDF documents in the web browser
Preventing PDF documents from opening inside a web browser will help mitigate this vulnerability.
To prevent PDF documents from automatically being opened in a web browser, do the following:
1. Open Adobe Acrobat Reader.
2. Open the Edit menu.
3. Choose the preferences option.
4. Choose the Internet section.
5. Un-check the "Display PDF in browser" check box.
Do not access PDF documents from untrusted sources
Do not open unfamiliar or unexpected PDF documents, particularly those hosted on web sites or delivered as email attachments. Please see Cyber Security Tip ST04-010.
In Security Advisory APSA09-01, Adobe describes an issue that affects some versions of Adobe Reader and Acrobat. By convincing a user to visit a web site and opening a malicious PDF file in the user's browser, an attacker could execute code or cause a computer to crash. Note that web browsers may be configured to open PDF files automatically.
More technical information is available in US-CERT Technical Cyber Security Alert TA09-051A.
- Adobe Security Bulletin APSB09-04 - <http://www.adobe.com/support/security/bulletins/apsb09-04.html>
- Adobe Security Bulletin APSB09-03 - <http://www.adobe.com/support/security/bulletins/apsb09-03.html>
- Adobe Security Advisory APSA09-01 - <http://www.adobe.com/support/security/advisories/apsa09-01.html>
- Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/>
- Vulnerability Note VU#905281 - <http://www.kb.cert.org/vuls/id/905281>
Feedback can be directed to US-CERT.
Produced 2009 by US-CERT, a government organization. Terms of use
February 20, 2009: Initial release
March 11, 2009: Referenced new Adobe Security Bulletin
March 18, 2009: Added references to APSB09-04, fixed APSA/APSB text