Adobe Patches Zero-Day Vulnerability

Adobe releases an update that addresses the zero-day vulnerability in Adobe Reader and Adobe Acrobat. The flaw could have been exploited to allow for arbitrary code execution.

Adobe Systems released a patch March 10 for a zero-day vulnerability under attack by hackers.

The patch for Version 9 of Adobe Reader and Adobe Acrobat comes a day earlier than the company had planned. Patches for earlier versions of Reader and Acrobat are still slated for March 18.

The vulnerability is the result of an array indexing error in the processing of JBIG2 streams. Hackers can exploit the bug to corrupt arbitrary memory using a specially crafted PDF file. If successful, attackers could gain control of a compromised system.

Though security vendors reported that attacks may have started as early as January 2009 or December 2008, the existence of the vulnerability did not become widely known until February. Though initial reports indicated disabling JavaScript would solve the issue, it in fact only addressed certain exploits and did not address the underlying vulnerability.

The week of March 2, security blogger Didier Stevens posted a proof of concept for an attack that exploited the vulnerability without user interaction. Security pros offered a variety of advice on mitigation, some of which is listed here.

"Today, we posted the Adobe Reader 9.1 and Acrobat 9.1 update, which resolves the recent JBIG2 security issue (CVE-2009-0658), including the 'no-click' variant of the vulnerability," Adobe officials said in a blog post. "We encourage all Adobe Reader users to download and install the free Adobe Reader 9.1."