US-CERT Cyber Security Alert SA09-051A -- Adobe Acrobat and Reader Vulnerability

National Cyber Alert System
Cyber Security Alert SA09-051A

Adobe Acrobat and Reader Vulnerability

Original release date: February 20, 2009
Last revised: March 18, 2009
Source: US-CERT

Systems Affected

Adobe Reader version 9 and earlier
Adobe Acrobat (Professional, 3D, and Standard) version 9 and earlier

Overview

Vulnerabilities in Adobe Reader and Acrobat may allow an attacker to take control of your computer. Adobe has released Security Advisory APSA09-01, which describes this issue.

Solution

Update
Adobe has released updates to address this issue. Users are encouraged to read Adobe Security Bulletins APSB09-03 and APSB09-04 and update vulnerable versions of Adobe Reader and Acrobat.

Disable JavaScript in Adobe Reader and Acrobat

Disabling Javascript may prevent exploitation of this vulnerability. Acrobat JavaScript can be disabled using the Preferences menu (Edit -> Preferences -> JavaScript and un-check Enable Acrobat JavaScript).

Disable the display of PDF documents in the web browser

Preventing PDF documents from opening inside a web browser will help mitigate this vulnerability.

To prevent PDF documents from automatically being opened in a web browser, do the following:

1. Open Adobe Acrobat Reader.
2. Open the Edit menu.
3. Choose the preferences option.
4. Choose the Internet section.
5. Un-check the "Display PDF in browser" check box.

Do not access PDF documents from untrusted sources

Do not open unfamiliar or unexpected PDF documents, particularly those hosted on web sites or delivered as email attachments. Please see Cyber Security Tip ST04-010.

Description

In Security Advisory APSA09-01, Adobe describes an issue that affects some versions of Adobe Reader and Acrobat. By convincing a user to visit a web site and opening a malicious PDF file in the user's browser, an attacker could execute code or cause a computer to crash. Note that web browsers may be configured to open PDF files automatically.

More technical information is available in US-CERT Technical Cyber Security Alert TA09-051A.

References

Adobe Security Bulletin APSB09-04 - <http://www.adobe.com/support/security/bulletins/apsb09-04.html>
Adobe Security Bulletin APSB09-03 - <http://www.adobe.com/support/security/bulletins/apsb09-03.html>
Adobe Security Advisory APSA09-01 - <http://www.adobe.com/support/security/advisories/apsa09-01.html>
Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/>
Vulnerability Note VU#905281 - <http://www.kb.cert.org/vuls/id/905281>

Feedback can be directed to US-CERT.

Produced 2009 by US-CERT, a government organization. Terms of use

Revision History

February 20, 2009: Initial release
March 11, 2009: Referenced new Adobe Security Bulletin
March 18, 2009: Added references to APSB09-04, fixed APSA/APSB text

Last updated March 18, 2009