Adobe Reader is vulnerable yet again

I figured it would happen eventually, but not quite so soon. It appears that Adobe Reader is suffering from at least two more zero-day vulnerabilities – less than two months after the JBIG2 vulnerability.  Here’s the low-down.

From Adobe's advisory: "All currently supported shipping versions of Adobe Reader and Acrobat (9.1, 8.1.4, and 7.1.1 and earlier versions) are vulnerable to this issue. Adobe plans to provide updates for all affected versions for all platforms (Windows, Macintosh and UNIX) to resolve this issue."  So this affects Acrobat as well as Reader.  The vulnerabilities are in the JavaScript engine of the Adobe products, in two JavaScript functions, getAnnots() and spell.customDictionaryOpen(), and both allow remote code execution.  One way to protect yourself until the updates ship is to disable JavaScript (Edit > Preferences > JavaScript, untick "Enable Acrobat JavaScript"; see the simple instructions from F-Secure).  For Reader 9 on Windows the same setting lives in the registry as the DWORD value bEnableJS under HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs, set to 0, which is what you push out with Group Policy or a login script rather than asking every user to click through the dialog.  Two caveats: Reader will offer to turn JavaScript back on when it opens a document that contains script, so users need to be told to decline, and disabling JavaScript does nothing for bugs in other parts of the parser, such as the JBIG2 flaw.

Many people made this recommendation when the JBIG2 vulnerability was uncovered, but it is just louder this time: find an alternative to the Adobe Reader product.  If you need an idea of what is available, take a look at PDFreaders.org.  I know that I have made the recommendation where I work, but it might not be that easy.  Corporations sometimes rely heavily on Adobe Reader to view custom business forms that are used daily with customers, and that reliance often shows itself in in-house applications that call the Adobe DLLs directly.  Changing the desktop default does not fix those applications: they keep loading the vulnerable code until Reader itself is updated or they are rebuilt against something else.  Bear in mind, too, that any alternative reader has its own parser and its own bugs; the gain is that it is not the target everyone is aiming at right now.

You can read a bit more about the challenges of replacing Adobe Reader and Acrobat here.

Critical Adobe Reader update – Upgrade NOW!

If you do nothing else today, make sure you at least upgrade your users to the latest version of Adobe Reader.

The vulnerability (the JBIG2 flaw) was announced back on February 20th, and Adobe has now released an update to its Reader product.  You can see the bulletin here:

http://www.adobe.com/support/security/bulletins/apsb09-03.html

There are a few interesting things to note.  As indicated in a post by Ryan Naraine on ZDNet, the updates are for Adobe Reader 9 only.  The most frustrating thing right now is that Adobe did not provide a patch for Adobe Reader (an MSP file) that can be applied to an existing installation with the usual software-distribution tools.  Instead, they simply point to their standard URL to download Adobe Reader, which means a full reinstall on every machine.

Acrobat 9 Standard, Acrobat 9 Pro and Acrobat 9 Extended for Windows are all available as MSP patches.

Don’t wait; upgrade your users as soon as you can, because this is a nasty one.  Users who download a malicious PDF do not need to open it to fall victim to this flaw: anything that parses the file with the vulnerable decoder, such as indexing or preview components that use Adobe's shell extensions, can trigger it.  Until the update is deployed, a PDF sitting unopened in a download folder or mail store is not safe.

Hopefully, Adobe will release a patch file for Adobe Reader soon.