Educause Security Discussion mailing list archives
Critical Adobe Reader Vulnerability
From: Adam Carlson <ajcarlson () BERKELEY EDU>
Date: Mon, 23 Feb 2009 13:38:25 -0800
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 For those who haven't seen this yet, Adobe announced a critical vulnerability in their Adobe Reader software last week. The issue is exploited when a user has Javascript enabled within Adobe Reader and opens a malicious PDF file. This could result in system compromise/execution of arbitrary code. There is currently no patch for this issue and Adobe has announced a patch will not be issued for over two weeks. I've read some reports that indicate it affects Windows, Mac OSX and Linux systems and it is currently being exploited in the wild. For more information, please see Adobe's announcement here: http://www.adobe.com/support/security/advisories/apsa09-01.html Here's another site with slightly more information: http://networkcomputing.in/Information-Security-023Feb009-Adobe-Warns-Of-Critical-Vulnerability-In-Acrobat-Reader.aspx For information on disabling Javascript in Adobe Reader please see these postings about changing the appropriate registry keys: http://www.acrobatusers.com/forums/aucbb/viewtopic.php?pid=44321 http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090221 We have not yet decided on a remediation plan in my department but it will probably be either a login script making the change or BigFix (our patch management solution) pushing out the change (or both). It is slightly more complicated than it could be because it is a per-user setting rather than a per-system setting. If nothing else, I will send a message to our staff letting them know to be extra cautious when opening PDF files from unknown sources. Best of luck, - -Adam - -- Adam Carlson Chief Security Officer Information Technology Residential and Student Service Programs Tel: 510-643-0631 Mobile: 510-220-2477 Email: ajcarlson () berkeley edu "Most of the things worth doing in the world had been declared impossible before they were done." ~Louis D. Brandeis -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkmjF1EACgkQT0QSLt7kiaCm7wCdEL+0/87jqEyVmmk0Z5/VQNa5 3CsAnir51WtgPFbt6wc5tMHY6TJZAIFb =aoyz -----END PGP SIGNATURE-----
Current thread:
- Critical Adobe Reader Vulnerability Adam Carlson (Feb 23)