Accessibility
Adobe
Sign in Privacy My Adobe

Security bulletin

Security Updates available for Adobe Reader and Acrobat

Release date: June 9, 2009

Last Updated: June 16, 2009

Vulnerability identifier: APSB09-07

CVE number: CVE-2009-0198, CVE-2009-0509, CVE-2009-0510, CVE-2009-0511, CVE-2009-0512, CVE-2009-0888, CVE-2009-0889, CVE-2009-1855, CVE-2009-1856, CVE-2009-1857, CVE-2009-1858, CVE-2009-1859, CVE-2009-1861

Platform: All Platforms

Summary

Critical vulnerabilities have been identified in Adobe Reader 9.1.1 and Acrobat 9.1.1 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Reader 9 and Acrobat 9 and earlier versions update to Adobe Reader 9.1.2 and Acrobat 9.1.2. Adobe recommends users of Acrobat 8 update to Acrobat 8.1.6, and users of Acrobat 7 update to Acrobat 7.1.3. For Adobe Reader users who can’t update to Adobe Reader 9.1.2, Adobe has provided the Adobe Reader 8.1.6 and Adobe Reader 7.1.3 updates.  Updates apply to all platforms: Windows, Macintosh and UNIX.

This update incorporates the initial output of code hardening efforts discussed in a May 20 Adobe ASSET (Adobe Secure Software Engineering Team) blog post, as well as externally reported issues, as detailed below.

Affected software versions

Adobe Reader 9.1.1 and earlier versions
Adobe Acrobat Standard, Pro, and Pro Extended 9.1.1 and earlier versions

Solution

Adobe Reader

Adobe Reader users on Windows can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.

Adobe Reader users on Macintosh can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh.

Adobe Reader users on UNIX can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Unix.

Acrobat

Acrobat Standard and Pro users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows.

Acrobat Pro Extended users on Windows can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows

Acrobat 3D users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows.

Acrobat Pro users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh.

Severity rating

Adobe categorizes this as a critical update and recommends that users apply the update for their product installations.

Details

Critical vulnerabilities have been identified in Adobe Reader 9.1.1 and Acrobat 9.1.1 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Reader and Acrobat update their product installations to versions 9.1.2, 8.1.6, or 7.1.3 using the instructions above to protect themselves from potential vulnerabilities.  The above updates apply to all platforms: Windows, Macintosh and UNIX.

This update resolves a stack overflow vulnerability that could potentially lead to code execution (CVE-2009-1855).

This update resolves an integer overflow that leads to a Denial of Service (DoS); arbitrary code execution has not been demonstrated, but may be possible (CVE-2009-1856).

This update resolves a memory corruption vulnerability that leads to a Denial of Service (DoS); arbitrary code execution has not been demonstrated, but may be possible (CVE-2009-1857).

This update resolves a memory corruption vulnerability in the JBIG2 filter that could potentially lead to code execution (CVE-2009-1858).

This update resolves a memory corruption vulnerability that could potentially lead to code execution (CVE-2009-1859).

This update resolves a memory corruption vulnerability in the JBIG2 filter that leads to a Denial of Service (DoS); arbitrary code execution has not been demonstrated, but may be possible (CVE-2009-0198).

This update resolves multiple heap overflow vulnerabilities in the JBIG2 filter that could potentially lead to code execution (CVE-2009-0509, CVE-2009-0510, CVE-2009-0511, CVE-2009-0512, CVE-2009-0888, CVE-2009-0889).

This update resolves multiple heap overflow vulnerabilities that could potentially lead to code execution (CVE-2009-1861).

Additionally, this update resolves Adobe internally discovered issues.

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers’ security:

Revisions

June 16, 2009 - Bulletin updated with link to Adobe Reader UNIX update
June 10, 2009 - Bulletin updated with link to Acrobat Pro Extended update
June 9, 2009 - Bulletin first created