Educause Security Discussion mailing list archives

Critical Adobe Reader Vulnerability


From: Adam Carlson <ajcarlson () BERKELEY EDU>
Date: Mon, 23 Feb 2009 13:38:25 -0800


For those who haven't seen this yet, Adobe announced a critical
vulnerability in their Adobe Reader software last week.  The issue is
exploited when a user has JavaScript enabled within Adobe Reader and
opens a malicious PDF file.  This could result in system
compromise/execution of arbitrary code.  There is currently no patch for
this issue and Adobe has announced a patch will not be issued for over
two weeks.  I've read some reports that indicate it affects Windows, Mac
OS X and Linux systems and it is currently being exploited in the wild.

For more information, please see Adobe's announcement here:

http://www.adobe.com/support/security/advisories/apsa09-01.html

Here's another site with slightly more information:

http://networkcomputing.in/Information-Security-023Feb009-Adobe-Warns-Of-Critical-Vulnerability-In-Acrobat-Reader.aspx

For information on disabling JavaScript in Adobe Reader please see these
postings about changing the appropriate registry keys:

http://www.acrobatusers.com/forums/aucbb/viewtopic.php?pid=44321
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090221

We have not yet decided on a remediation plan in my department but it
will probably be either a login script making the change or BigFix (our
patch management solution) pushing out the change (or both).  It is
slightly more complicated than it could be because it is a per-user
setting rather than a per-system setting.

If nothing else, I will send a message to our staff letting them know to
be extra cautious when opening PDF files from unknown sources.

Best of luck,

-Adam


--
Adam Carlson
Chief Security Officer
Information Technology
Residential and Student Service Programs
Tel: 510-643-0631
Mobile: 510-220-2477
Email: ajcarlson () berkeley edu

"Most of the things worth doing in the world had been declared
impossible before they were done." ~Louis D. Brandeis
