Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Adobe Preps Patch for Zero-Day Vulnerability for Reader, Acrobat



 By: Brian Prince
2009-05-04
Article Rating:starstarstarstarstar / 4


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Adobe Systems plans to release a fix May 12 for a zero-day vulnerability affecting versions 7, 8 and 9 of Adobe Reader and Adobe Acrobat. The vulnerability affects Windows, Mac and Unix operating systems. Adobe also confirms a second vulnerability in Adobe Reader that will be addressed in the forthcoming update for Unix.

Adobe Systems is planning to release a patch for a zero-day flaw affecting Adobe Reader and Acrobat next week.

This is the second zero-day flaw known to have been found in Adobe's Reader and Acrobat products since March. On May 12, Adobe will push out a fix for versions 7, 8 and 9 on Windows PCs, as well as updates for versions 8 and 9 on Mac and Unix machines.

The Adobe Reader and Acrobat problem lies with the getAnnots Doc method in the JavaScript API in the vulnerable versions, which allows remote attackers to cause a denial of service or execute arbitrary code via a PDF file that contains an annotation and has an OpenAction entry with JavaScript code that calls this method with crafted integer arguments.

Resource Library:

Adobe also confirmed a second vulnerability in Reader affecting only Unix that will be fixed in an update. In that instance, the CustomDictionaryOpen spell method in the JavaScript API allows attackers to remotely launch a denial of service or execute arbitrary code via a PDF file that triggers a call to this method with a long string in the second argument.

"This issue will be resolved in the upcoming Adobe Reader for Unix updates," said a post on the Adobe PSIRT (Product Security Incident Response Team) blog. "Currently, we have not been able to reproduce an exploitable scenario for Windows and Macintosh, but we will continue to investigate."

Proof-of-concept exploit code for both flaws has already begun circulating the Web, though Adobe maintains it is not aware of any attacks. Users are advised to disable JavaScript in Reader and Acrobat until a patch is available.

Making a patch available for Adobe Reader and Acrobat, however, is only part of the solution. According to data from Qualys, many users are still behind in deploying a fix released by Adobe in March.





  Reader Comments: Adobe Preps Patch for Zero-day Vulnerability for Reader, Acrobat
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Brian Prince
 


x}r8s;iW1E%Uȶ\֔ey,Uyc# IlS$rO 7](ɗjٮn&!~ ooOD.0 :ܢdC3齿O$mL9PKϠ^#WZj:@a5˜؍Nz&pDd>J`OS{SM)5'Ӡ6ߙ =/3mB}F7\3Ѣmgb ^Pk$ȁ_ E9J~=K Qݯw,8"a}c$F g&4ob Q!)R/F<wkb| 5{f *;U;a=@SѠ*v25vn/@^c\ȁy4 *YNrDƞ4IC d!LJ^`:r,#G^C]ݱR,RE͌iAw4ԬkScG 7G(&$gtjv?ƭ?(K8Q ̋5g?LGN؎MEnڏU[۾tisqHfrdKHU6)@2xZ`:vzta_eY33[~i 푪uV(JP+{6{2WMugVoo>ڿ(TU-e*G,;ڎжD^ԢZvN{ـ\>/.ɣ N|'k[?;0Q\&*+Jx4K2A >,B.rM7JQr+z^T Z, Ԏ$0L"ÌK3~̢(:2q}<8-AoA>CYf0R*CA-tV؟1㝩S9;y\nwMN۟;'>g:Qڟm3Hz Otx$Yz>540V+%%ULxE$Y)|н 5 @ \^a f835Cuӹݰ=Wԇ9ȩupC m|.6ld$4(sw[0&w& zrWtc0TE}vAC,AX' 6)@}9\P_ڝfZȴc@] cRR,H@ "AѓF *t :gsc"C#'A$W$_KI/\fv"BI*r K)TSh!+KAf63tYILu]_5 _ȉ#"0%X z Oje[r,4T(k1 #+z:0G@.(%e&x6ұǞ`?^0~ᏘD)t0τ&h㱩0&3Tl2u)f+7OLZԛ`آ_Mdkflmf`BB13 =gƠ'_u˙Ns hLBS4C*=;羜1E- \x v dZNP/h|WY 3#DDVhd6G3B)B2{">[Y3Tp^*:# PJ*"#P3>ũp(mtf00+>q^.iz ~24$Rf{ҁ$l viXZ @)24F@Bk_X5͇QV(: <)T aYlcy!ʦCwz YIO=M!tv!{jMj'O;_*P?>2eiy#[ꑪ+R^Y;YaPe\)3OfRSy55 sd&]TZ@4`Dk pHE&@|Zkh y| " L19J2b*[ U) &jIx-"P/?Òd4Q }=k7 ﳰ|x+큅YW`faSƘ=H` 3R_̑<^I`)ұ)N<:ar*-Ï vOG.Ca&:`JT.Ь 0T'Ki]twVXN v|~Zh"`E{ԴG+%U$jl|TZ܏:{>-LH+0u70-tpC)T뵢¾_YiWg{)h"Q0jF8FdD ʈ#SPOT<ͯ!'8՞G*Iϛ5G$1*@7Z Sғe4 O"cIpR|5}M>ڛA6Z]G07O<cpƃ~w"y@F{N=D8n"206E}/PG]Qro ΗDǜOb+>A׌]:w9*<dkr \5AFp6xj=5cM?Lقܱ όB-sZcLdSSp]sO7a <$eu z%}u''DyT||/I6;`kfP.T*E:k@"a]&k꾬=M~qDyC[Tޫ1ZeR/(SY-q'&F.҂^S43 ac>/h)ր EqoTV #-ϼ \ 5ry%&Q j>'wiŏah(5rv=C>PQKKIuzb*ŪR.$ yUr;-6X+(# 0O6" ޜb|[ e|lԤR/J%ȧ2¼_vF_bIў@b0haz%CMh]! Tmn=e$I`U&LX5 zޯT!뷲ŒO[$X+JJIt18pxnD}~UL&27%6{= n y俁qOj͏{C! HRQ=YrrZRUdP-xlē/ %"PE V*Sxo~.Rȓ#$ |͸ D*u.O8$#{.ONw50oapV=(; J@F䆷G$bwmBɾW2z^^NO;k6|v> 72CH"r z]ۺй_>]&#rѹlK^+΃ G E!;fW!yN.ڭpoFSLo2YGR_=ֈ0Ck%/һ>m_sf녬kj ^Ok-We.'27Eu8eUxy_aZ[XȬE`|]LWktvs}BHH0]R ~tiumN .@AVB R`2"(BS.iDO-xv>]8Sj}F/JN~vR-[I7c+t,'D{_q+5=?eU['v>!;>48r㿜yIG$ !rz pxc`sAZ}n_iԎ8%t \$"{-~'0 cl9aR)%Rz'U'i.Z5Kb -RJ<:ȡ#%tBU]3=I򲒔Y'ʈ&H. 駢Lfr5Z!I=[Ur{@İ&{6wg3K:;/ Ý ,MY+߬U^f Zcyup_=v %lNY* (s6rw"ExA͗!gC޳l{T,еlLid@TӧCVFlmDkO,Ank8.۰_=?P.FZĮUrc䰎ʦ jptgLjܳRpfi#G.{ҺI09n}%XDRoBwGH4|9~ÿ§,F ;s\3g伉y+nl{25Kdϟؗ{vO r<]1hnhlLgI"+W{U7}\8%/r{Ѧxkd*,6#c,nv(fެx zi12R3-4|#qwy~cI.~(TR. /fO,J骇\%(\|MT-/^\RK>]_ϫ@< b]_ I{Oz[N Ģ7i62cŸ6@!{zm MN0i zcKʹ39adJ6˖wVp'Sc;HF'%g&?-c-ێ!%hvqmW8"8[y$N0? W^L·⎭zgQy}|x|[q$[+' g|o#'꿛 ]%M ֚{sp$~qI̽V&Qq*w#OƩ(>ql6h`jox?̴afw|.kr;#b#2SvϾ0ti m1xfA]a{K&I|" ifɓipq>h(EZŇ)68.,#טV ÂYsbYd}JXpu#R-՟FO@\2̦ Ύ>=\Fơ>ɜs^>=; ' D`QTQ<(oɕxwcոψg@>Ǵue".dzcf>P<ڎ,DcP pY% 1Rf)xt2R8ҷ: ۉ(YЕu,& xJg؝jBDext9qW&,8(6ی & =j*I"-H_n9/E O&Nk/]PaėjT.|13@!#L +$>O- )mwK ~#t>dpGku[~:w`jG:32ph@kBPiWF͚H4A& jP CB3Kd/eV_\2v&WkvC\^sZ2EmL8;kSMCD/ι؛)uF4C 7aPaѯIZa]򎕊 Hӳ}bDL= /uA5+b )̇@xO_yq<}XgJD`H6m E(qrh] be@ kV^$D1 f$l9J\fTF,P>stb ]:G[҉3s);MRkZ%Q$| OF|'1W"߁iWI4k>Ɩl&zKm_$WJ`B%qdt sVpќqm\͘xT-Ju ;VJhܣ#Fx>*‹>e\ !|nyIykKzQBNSzG-E,DOspҤEdHȱ9FkSJ]\ aY.L`R"x #ahO|%,L+Y@mɨfT %/~ |7-0jhi!੒> yn'ZddHǎ5S'PZv`~6ZD+_aHW2[L[]oL B#,&%]yA?XxX=6o[۹15 T~HUx^늪ġe•:Mצ; .q߂0xH<~BXN~{=B{[\|pv/`Z?jjFvBi.=ᖈAє{<:x2fIWq%b؁ch o-K&$!g'uwZdo|hGʏ7[zWk~ &ˏPukst^q$p抇/AMc@DX\{M5k/%tg.}ԅy%sfOhp#hin./A؇R<m,24 S-Ls@@J_&loS:4NT%[" 抇{reR͟h0u*9 4ءgyB)kFRu;Ba_W8Ei!I1o}A2l*͉xHĴJX R oYxzX$E0O ,n|80"!HHֆfTx)|tBtAn :ͅacW P$ş-o^x6\q% |q5C.bxM\"ūD04wŷznoޅm{ T"{mYo[ڽk39n{{ŷidbWݲ:pX}/Δh/{*Gg]:mV);P3WWbply3#s3Ղ( ƗY'$8&wG8c[Yw+Cw ,íy.X.;t z;NsLM9|% Zk^Yr+ȈZ~j\!1cu)B UMz yԥBߔ@ʡVH4`Wnh1]9񤦘!Vi fDiF|1UL(_u|)GnJY^mIrϐ#B#P |'C7ݫOR|UkG?ɺixx#ߐJ" r[jh1sIM $ft&7Az巉[#4، Pm¢ϴHbSx$6㷝Fd!$<~ S;"ΐ!,%ޅ|z['AU}^H?K-1+2sjDl/ulߴZ rپ_u#<<gD&8 xt90vy<@'. n9S3y9a6$.+JVޱ̃  z>K:ǪC^&7ScPx-Nr9Gz}_xs~6L-} đWIED#ThFJ[!}s uϤۧ 405 <RI~9x {Ό]BNb1Ŝ!."[sfӖiAӃh\11Fiŷ~(l_;b21c|>Ocx/ $N;O.JgeEt0 s!L v7U;Ihy~ZVS x`k,r&ejoJ2ܣq?U_WLhYK7C'[B@ g>򵉑`:ϒ8 s!aZ;ܑP6IB uXRFB(6s a{rniE'虞G(+ݩ2xCbwT IR tX(r4M=Vre<>śfnV?-4W )WTx 4r#c)CdQ>a\S;k.5iv?O;WN_} RKG٩;ǽ/'/gurkXbv>L5m^h+LJy22 gn)sC9ӾZԞpm.4 "GdȀW.}V Y\m퓳EAgpRv}Y QJ/Naa_xc:=nj6Z[AgeY'>tɉcdhw>r:x) ѯ\js@1AC|o_Ow5Cx_m];^dBP~(Ay/9}hp(?g@ |OPi}y'Xf7c|7.fv3t3w?f'esF9g QޅnF9e^\f%e@2OK/C\\e5u~}o@?֗_sV99@rߛ o2ڿ࿤ ; 9k]K8kgK"*SV9L.2P*(i7{ZiU+\W~ y{'sg+I49a(銪gMU噧fZkǸj:tvņ__BKHe^-(78%^}MJQ4 k 7b_EY<.}:=WVvl+JE._UXn1Ɗ1SB̜Ld[Af "X 5̽'7\WW/3yKw3+:Yt{r *%݆. K9\ x#r{~iM.ڧ.cZDpqi;ZُGswՕ \~1b 9bg4sOWf)C]CoBgv&t eaơ[=<gA7gnT)pF F^)RK|c ,~u)hعO>vM)5Z(IJ3x"ބ]1ԌnC 9w>*%U-)UTj%wWrD&`8H= :@cR 5W9 طVR`" *s>P`2_䫔:84Cs艝V'qC>l5f@ WR1=:1zIh1Se<͛Y8/E5/qdv3:c(27J,5g{3ЫD)A.^s/7;tp6 ߄-yk]EL҃ysv>2hjy }bG5ǝa,e܁zXD$`I\3|̪ 009w]״l>^n6-LGe @ 哕ASVMΊK\ZxfɳX|6אvA὚ۀ[xWst#7X[Nƀ_Pnš8݈89p<y x_ ˝X`7. c@9?cac6H_,4϶{3[9˽Vuu7L2+7gh@@rvi:|'svԥnF;po/o.; CLel(3>/DBlvKzHYUҁ_Os{=$#cGpM>qX|HgݥMw 0"3>m?'.}N5+J' "@"d̴5[Pŗ;5 m''84àn@ܺQѺ%76D}҂A 8D7#D**k,^z$ LEΠpCp::hՂG Xȸ׬[̩[) qy6`gx`P a BnXe܌1uF®5t-vѩߩ8o^sQaW_<̿tc='-AU , =[=<;ɿ1 xV`]cͱWRd2GB 0MnZ-֪8҄o/R\F$acYd38+)ؐssOL;acJءBLNKPoO0Ux|-\u;Mr,S0#ŸEr)zW~Nq̨ʹcaR6k xٜջS$ҩB}OY|Ԃ`!cXqk @c6: ]<ϺIQ3|J;O_]<\{&L+ 92lt, ؑt#v[qrR.095GB¬cT 1M(_,N-n$oB@S 6.xCG9,+?ˋ}P ʜҗyz ^Mf}')VS/ρ/P>I*'.故G aebs?r^k/oY Yr /<|xly(~'g(FRqO\||8(>]codi-/=n|pty*-ӻ>mA0SXiC"׳/ .I|>Ǭy6W_1:M4ZQwN㛼VtƢI:6pzR/jŭ{g;a+rBk0?-۔p&s)# Ma쵕"kxTɉxi07Nw6Є В b7i1ղwSY!