|
|
|
Adobe Moves to Fix Reported Vulnerabilities in Acrobat and Reader
By: Larry Seltzer
2009-04-29
Article Rating: / 2
There are 1 user comments on this Network Security & Hardware story.
A quick response to public posting of a vulnerability shows a better attitude at Adobe. Even so, there are two dangerous unpatched vulnerabilities to worry about.Adobe has announced in its Product Security Incident Response Team blog that it has confirmed reports of a new vulnerability in all currently supported versions of Reader on all supported platforms. It states that the vulnerability also affects Acrobat and that it will now develop fixes for all affected products.
The vulnerability was reported on SecurityFocus and called Adobe Reader 'getAnnots()' Javascript Function Remote Code Execution Vulnerability. The report includes proof-of-concept code for the exploit and states that the researcher who found it, code-named 'Arr1val,' tested it only on Linux. Adobe states that Acrobat and Reader versions 9.1, 8.1.4, and 7.1.1 are all affected and will be updated. Earlier versions are affected as well. Updates will be provided for Windows, Mac and UNIX.
The workaround provided by Adobe is to disable JavaScript in the Reader or Acrobat by following these instructions:
- Launch Acrobat or Adobe Reader.
- Select Edit>Preferences
- Select the JavaScript Category
- Uncheck the Enable Acrobat JavaScript option
- Click OK
Adobe will also work with anti-virus vendors to help them detect exploits of this problem. There are no reports of exploits in the wild, but proof-of-concept code is out there and malicious PDFs are not uncommon in the wild.
Another report was filed on SecurityFocus shortly thereafter by the same 'Arr1val.' Adobe says it is investigating this report. That report, Adobe Reader 'spell.customDictionaryOpen()' JavaScript Function Remote Code Execution Vulnerability, was similar to the other one with similar exploit code.
In addition to the PSIRT blog, Adobe will be posting information about updates on this to its Security Bulletins and Advisories page.
Adobe's response to this issue shows an impressive attitude change over its behavior just a few months ago. Its sluggish response to what came to be known as the JBIG2Decode bug brought criticism from the security community both for Adobes lack of response and help for its customers and for a very slow patch schedule.
We don't know how quickly Adobe will patch these problems, but it certainly seems as if it is taking the communications aspects of vulnerability response seriously, and that's a good sign.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
|
|
�������x}r8s;�iW1ŋvI�-5e[�KU�-EB��!)T�~f�M�Js۶D 7$���{$�W7-gD.]sfS?q;O
['w>��(ɑԫ�1mS�HnwݶFN=gP'^��> \?g3Q;Y|��t@oT|�� p'DFþ�=a�>$E%�k4ً�ᐨqG/�ad�y4�;U'iS[��wSա*v�25v+n
�/�@Z��#\DȁYRh�=Tݑm:���{ �-�Xd�UZL��b�6S!1kk�Tը>lY}@|ݑ|YCXw:Qt���A3Mu��֟CS�I&���q�#/<{m��bP+�M�z(#1h�ؕ
3Dz���gO�munisER!9Io�'|;%8]^��Cz�J�ݖUL_ȻH_�/Rx3o�f5
x�[&%94Ʉc�Pu��t:9�CsfZ[c�W1M�X�R
t$ϙu_ϝ�5��Hr
Ca)#p?c�%W�i�8�@r5)6�K .F7R<�?o�dz!C�C�Z9nVȨ�U7ө$ɛ!"G�9x��|!XsI��((�G���NlO}ٹ!jYY6'*daeIUis[dhE�ށ:Yt:%U.[nC�T��364>P�,H�!eݴ%��V)b1x�,VRSW,@�F�̶# )�&�3;Y0`���;}B_�Oi&8!9~��tD�AG66^�K
tcl���>#ä �p
V8;��tCuәa �{>�0���kBi=D�%�7
�l"&q}3 к`y�&@[@[�衟�#j{t
t�,/�= 0/ Zm���88ʼ��E�]u�b3B�ݷ|�{
5�#z[-[�X6x�G͙A :��q�0y��A.G))(I.BD(ZH�B�!A�lq���[$p Xx�d+��+ZzGBjK%'B�P*m=!đtܾZ*}-�5aGe�-n^
$�d3CCd0U Q<"`&�ˑea*0pDKa�k`DݞrA+żMCF�qI\�Z�Uj@�5�YQeMo9rH�z:uf�3x�tpĄ'HwT1%]�^>@���-Â�?9bh琱@DOA�Ќ�7_A}�x@6j!Y3=we
M
l$�T f ��DfO���~5lwfr�,{v?�Gs��^Z)/��R >5M+�} 8C��_gM�����cY!�O�&�QH OzBneHSy%ew{��Rrʳ"�#��C_7�X>ťHN(m�t'�й+>q^v.iԚv ~24D֒f�{ց$l�J�viZ�Z @-��24�6@Ȱ\k_X5QW0:���,�)��iY�l`cyt�E9Lɨ4>t:>{j
-j&{_&�TYW�C�XZ�rirX,y|�p6X"�@�7w�oIJ*6*g3XSĝ�zд\�"ҝz}@nzg@>:`3�ǟG
)a!�c$R+}ne�ͨԪP��-�"�|��@(
�K ؈|Ё*tdj²w잵ה�)._0�g7����v�*>���0f&6XC˦>ouqA̫%u�Dw֠~3�KJAUcϓ�asMD@kn�V2�&GmܡkC6fuE��s�Ʊ4St%ri9�p���&��gրzqHe� �/Za'�
C�ؚðyU_z?6��r]ilu�0q`*�Z3se�f+;��T*[Pfۻ(�Q<&�;alâ�#_��� C���>(epHl`_��\��> B�
�LRE\���~1��~1UŠP=
]�gw`uX�]OXL�+*�)K.pϟ��
sWyGfY?K�ygw%�eXY8�f�-��1�0kY
�/ÊTU5�i
~�>EV�6őG�@�q?@*:2�p`w��y�~�t=t@�qD��� �ԀH
5^�Fd.ba��J)?�oZK�YR�I�4�yZH]ŤX
�LkښR�r��ԃ!3~��b_@�UR�TڞO"�8KAG�^320"��;�wF\!vʬi~
r?Mqߎ�XA�m�k+sD
�ü�
�|30Jј<-*=>Y6AP$4Ϧy3iqS2ܪ�+_e��AM:w530Uf�fyr;ïJU05����r�ďun6Oa�*r1W2~
�:i�1-aNx[2|'@ d���Ѫ�)O��'A(՚Rb�xYô;9Qo@Homs11����To\OpGЍd��
m:R.��R
R=cx�Se}{c2�7OwOUUASF<:H�3$_@hOXM�] ?k7Ṩf�vmv뿌UcxP�R6Z|b\)�3Gzx�LaWPj�jz�D*>�ɧM�C� 7ѐ�F[G#n�$}!=֢,�A��7PU(V
�$�}�Vp8sZbke`W�F4`+^��}i
nD<��[ �1w�ʨXIV�ՕO��Oe3q1�GX=�y=�d6
�5C2t53y�qfGS=u(,+o�*MƱl��uP_�tS6dU��LJZZ$|p`��
N��@WqT2LP�|��ɷo��njC�SXp|
^?K�{e$ $"z��R#.=2��a7ZPf��#�991u/xyi`�zU*o��o!(0�H_dpCﻶ$\�auv�'@Ϣ.}i�4�}ֹIgŗC~|:ڗ�-~l1�|˾WM� $(��X�p���O"yzھ whg�^�py+ @@W;^Rl|h_/~t.:7�h_dcxεx\#�R?!pSV&<�f�Sڎ6�N
,#�Z[=8�0s�i��f@ tnN[7X0z!ӱB�ZMUc |
ڠl�Gk<�
VO�4H�\/O9!-�L�_vۭؓ�̆O�NI}i^w�7HUz�x
P>?'$c:� I"�I^U֩UdU)IW]YE㳏)G8}��G�xLߴ.�oҁ{&-3(��#{F�2{K7K{�U<Ϻ�7��]f+wB%-JKz9nh�p;D�%EȁqQ�#y�∶K`#j�>b_{+�&bi4W;�Tf{s̷u'|ȞFc�Բىy|yg>,d9��a}�4�؞qbL�ư�2F'`-ݺ�ܭ1J�3"q#ĠH[sMs ��_5�3�Z7:as*|"�Zy䘖a�~���oE�[�ά�(G3촉��ߏcLRF<7�)�2Kp1)%`PBH�/4y˭0LdT�/s�K[�⹏^}:lQߏo%~!Ӊ*Ͷ,CVtEbGI�i�ڥ,ϾX07
����
�sLJeҩã��$�ok�~
jcm>r2�w�41ga�JYt��+^_�9~?-L6ɹk���}C*�r�xT\W&�rv�O"P��?��s�,zP� �?FG[ܲ;7\@��&am_Xj�כI�Tl$iBVE0�W�S�p$�gsI8;��]H&f�Qww|z2�J �o.IU%6y�E��-ћƌ$܃
܋�>l�F�HWn DU{pJY*IVť
Ti$�O8|2�
�I�о��\eO<�gX%WPr�`V(Ê"t��z*k��ZW�{/��FRO�qD#�\g9~~݉�-|Q[�6%#u�wOtDŽҹŝI@l�\:Fo�M RT%qH Q+26:��5��L@;DCY'+�B/Ȩy>5�֖t~�gmy5)B�b3�!^�J�H-0\dr5`^�=
�!�v�|c7w�[#4[J;
85"⭥6���oӸ��*l9�Kr);e�V t�IάJEIDMF0� -���>�$Yp�0H8j� �H� |�+!D`�~�5
ԖZy�JJ,%<���@R8T1{%oNMiq�lj�
�
�l5Ɩ�K�.S:`51g�W݄5g�z:�#�H FlఈE8,"`���^�<3�(gG4�:g�Io�{]r�+%��=ã-]S�}�=ܐ^ Ů
�eLyk.�$!a�Kd�2H �~g+jw\hy]xyo�tW]�qǍ;���`�S�B `~R�bGvmk�Ȱ\tx�J��/q#�
�^ɓPгt;y)؍����K2�AK=vM|s >d7Y�]^,
$ρ�I慱,OR9|o�:S�/d:xfJg7�氇*b;��mm=�F�F84&�ګ�Tϋ(l1(i<�\��.Ƣ[5
�{�zjg徂eR4V<>uT/ _e\ZDYWϲ+��ky0G/�>nQ@ಡ*}z;��6���(
�
�'#��vDu%'�/t#ὀ�u��{F�~ )u
Wu���Z��XeG <>�[:��$"!)/7'c���`DjaW^�b���VL` =um!T&�.^"�{�
�ߚ'�u���ԋkm{�T�l�� ٩�)TRso��Z���ߦ�15�L,U[FPxAҼ���쥡i6�ǜMEfA儗oT9�^Us\�: G ]J1x~��[?N֘0ҿH�tL'�f<::Bߔ3JTH4i`Tp0{�7�|ZSS97�!Vi
�?6LˍZOk]챩�s3]$i<"}
�vgb+C(fUj"m_twS: 1 ����r&:2q.v!{?�d7n-)RjX�H>I�TnpWے"1�*_-T/U~�*�y=0'<'\YjJE�U0=j�ʘ0g[S0ơJn4r�ŗֈ�v�,TOಈG=zԑ8mxΆJZP-F={;S�\*AEWvx�%(Z<<~Q,턂R!FғQ�fĘ}�;kF[Q{Zah`ԦB�'Z�-'|͌V:m��A�OW1h}5X*<�1_*�J�@(fYir'
?]֏pY�FT*;a7BLk8�3DD#^r�{4bwڜN�³1A�{@>wZj��
�!�1�gGi>'߁1Z�Lb˿�JSGѠ�vqY�@��y+��DD��G�(cnBMF�h_R��fB��u�Ap
55yp7 %>�'ӣ0]_u:�`*.PnĂ�ؚ%Nf�ldaQ(�b:M�t?��|�Ǯ,%nx��KM قbyN��]ƒ�$�Bq0ӜhV+rK;:B+bzh,.6�:Ga]l�E_VC�Ĩҋci�?y�7nWV\k)hl?gg:^�ZSr�ROmj��7^���V
�Ck=W܄q�P��"v[��\rФo%�u�@���cFPkF
߬/?i�63;P(GJ/?��2Od}�,�?��2�Z_~5ۧF4��gW�vF?vs/Pe}�Ȁ�ڮq1?0ˌ_�,�^�~.3s �%e�}^�}^f'U>Cs(?(�-�/3a~2
*`2�d�!: _:��:>o~n2�f�f�ˠ?�?�}}ʠP9�9c|�3w�Y@�{�f�wAI]'I�z�ʛ�|ּƅ)��qFy)8ΠR�E�৬rXB]eנu��xvY^]Y��X�;Yo�[췡\�,q1y}³2i_\(��bi3Q*K�5ýEY�R�78k�Ԍ�f�z:t}aO��vHyѿn~hlR/O>�*8�uߚL�Yu8� %��
~xY&ƀY8':8�an-g�j/tIWv/lg
��='ݹ�fSH�!L�&lOv5%^#%&p-4v$ѓ]R��
�`&5�
0$L6 qS)�,#!1苄I�M&Z�{J�F!-\s~�M�o��9ao5RFXk;NLt:v�>ku�o�-"6G�4 (P"�q} !1a�S$��H!+@554q�twkd9HR�=�I�*4UMf�ْ�$u[w?��*aʹD.vKΚVAxrFx*�D����A{g;*عK˜0L1Д8v2COA#t
��e[b |kc'p�g!MX��/B;:SA\W��Cr�⁜"i�K%:Ɛ�=-���)0�p,\f�@��6�A�|�eKo��x7>zQ[`k}ڔ�~���0qGĶ2C|R2Oepv��Rvc���dLw�9qgSk@Eq'˫Py
6s6�N@xmӕhWɬ�Qt6-�5/#�^D&+8~m=fu�+U�rcd+�{f�:eϐ�^E�tl'B
�%` GY�U`kv3�8u
vKѪ
V�7"60ޏw�P�l@��xS
bz
\bգv E9b�릍\
�Ѩ�pSTؕEǮ��ds^kǺgymE]Y>�Ѝ5*. �mv$ѿfp�a�lX�� ^|M�w�q�`2[oz�O϶pA&}+\�X�I@
qk.-�ua4,Lb9��"[^QI�(`�vX�3�|,@a)5BO�Qo��O80�Ux|�-h\�}{ݘ_e9LgѼ93E~1Z�U9wm�jWx�ozc|>[zD,5b;tP�9˓z��0���
��s͙!�c׆)�a+cPMXjcL1GN1�y,X�+0_�k��Ack�DeU��|t�GYEL`&;]+�N%t&ж?gTH0H6�c?p�f��@˽]�Ag"a?<#�/ah(�`y��ba*"e��}q$Y
|
Network Security & Hardware 
