Security bulletin

Update available for vulnerability in versions 8.1 and earlier of Adobe Reader and Acrobat

Release date: October 22, 2007

Vulnerability identifier: APSB07-18

CVE number: CVE-2007-5020

Platform: Windows XP or Windows 2003 (Vista users are not affected) with Internet Explorer 7 installed

Affected software versions:
Adobe Reader 8.1 and earlier
Adobe Reader 7.0.9 and earlier
Adobe Acrobat Professional, 3D and Standard 8.1 and earlier
Adobe Acrobat Professional, Standard, 3D and Elements 7.0.9 and earlier

Summary

Critical vulnerabilities have been identified in Adobe Reader and Acrobat that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. This issue only affects customers on Windows XP or Windows 2003 with Internet Explorer 7 installed. A malicious file must be loaded in Adobe Reader or Acrobat by the end user for an attacker to exploit these vulnerabilities. It is recommended that affected users update to Adobe Reader 8.1.1 or Acrobat 8.1.1. This is an update to resolve the issue previously reported in Security Advisory APSA07-04.

Solution

Adobe strongly recommends upgrading to Adobe Reader 8.1.1 or Acrobat 8.1.1. Users can utilize the product's automatic update facility. The default installation configuration runs automatic updates on a regular schedule, and an update check can also be started manually by choosing Help > Check For Updates Now.

Alternatively, the Adobe Reader 8.1.1 update files can be manually downloaded and installed from:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
The Acrobat 8.1.1 update files can be downloaded and installed from:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows

Adobe will be providing an update to Adobe Reader 7.0.9 and Acrobat 7.0.9 at a later date. For customers who cannot upgrade to Adobe Reader 8.1.1 or Acrobat 8.1.1, Microsoft has provided an update to resolve this issue. Please refer to Microsoft Security Bulletin MS07-061 for more information.

Severity rating

Adobe categorizes this as a critical issue and recommends that affected users update their product installations.

Details

This Security Bulletin addresses the issue previously reported in Security Advisory APSA07-04. Critical vulnerabilities have been identified in Adobe Reader and Acrobat that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. This issue only affects customers on Windows XP or Windows 2003 with Internet Explorer 7 installed. A malicious file must be loaded in Adobe Reader or Acrobat by the end user for an attacker to exploit these vulnerabilities. This issue is remotely exploitable.

It is recommended that affected users update to Adobe Reader 8.1.1 or Acrobat 8.1.1 and apply Microsoft’s update as described in Microsoft Security Bulletin MS07-061. Adobe will be providing an update to Adobe Reader 7.0.9 and Acrobat 7.0.9 at a later date. Adobe Reader 6.X and Acrobat 6.X are not vulnerable to this issue.

Acknowledgments

Adobe would like to thank pdp of gnucitizen.org for reporting this vulnerability and for working with Adobe to help protect our customers' security.

Revisions

November 16, 2007 – Bulletin updated
October 22, 2007 – Bulletin first created