Adobe releases an update that addresses the zero-day vulnerability in Adobe Reader and Adobe Acrobat. The flaw could have been exploited to allow for arbitrary code execution.
released a patch March 10 for a zero-day vulnerability under attack by
for Version 9 of Adobe Reader and Adobe Acrobat
comes a day earlier than
the company had planned. Patches for earlier versions of Reader and Acrobat are
still slated for March 18.
The vulnerability is the result of
an array indexing error
in the processing of JBIG2 streams. Hackers can
exploit the bug to corrupt arbitrary memory using a specially crafted PDF file.
If successful, attackers could gain control of a compromised system.
Though security vendors reported that attacks may have started as early as
January 2009 or December 2008, the existence of the vulnerability did not
become widely known until February. Though initial reports indicated disabling
and did not address the underlying vulnerability.
The week of March 2, security blogger Didier Stevens posted a proof of concept
for an attack that exploited the vulnerability without user interaction.
Security pros offered a variety of advice on mitigation, some of which is
"Today, we posted the Adobe Reader 9.1 and Acrobat 9.1 update, which
resolves the recent JBIG2 security issue (CVE-2009-0658), including the
'no-click' variant of the vulnerability," Adobe officials said in a blog
post. "We encourage all Adobe Reader users to download and install the
free Adobe Reader 9.1."