Accessibility
Adobe
Sign in Privacy My Adobe

Security bulletin

Security Updates available for Adobe Reader and Acrobat

Release date: March 18, 2009

Last Updated: April 9, 2009

Vulnerability identifier: APSB09-04

CVE number: CVE-2009-0658, CVE-2009-0927, CVE-2009-0193, CVE-2009-0928, CVE-2009-1061, CVE-2009-1062

Platform: All Platforms

Summary

Critical vulnerabilities have been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that one of these issues is being exploited (CVE-2009-0658).

Adobe recommends users of Adobe Reader and Acrobat 9 update to Adobe Reader 9.1 and Acrobat 9.1. Adobe recommends users of Acrobat 8 update to Acrobat 8.1.4, and users of Acrobat 7 update to Acrobat 7.1.1. For Adobe Reader users who can’t update to Adobe Reader 9.1, Adobe has provided the Adobe Reader 8.1.4 and Adobe Reader 7.1.1 updates.

These updates resolve the issue from Security Advisory APSA09-01 and Security Bulletin APSB09-03. Users who have previously updated to Adobe Reader 9.1 and Acrobat 9.1 for Windows and Macintosh need not take any action.

As of March 24, Adobe has also made available the Adobe Reader 9.1 and Adobe Reader 8.1.4 updates for Unix.

Affected software versions

Adobe Reader 9 and earlier versions
Adobe Acrobat 9 Standard, Pro, and Pro Extended and earlier versions

Solution

Adobe Reader

Adobe recommends Adobe Reader users update to Adobe Reader 9.1, available here:
http://get.adobe.com/reader/

Users with Adobe Reader 7.0 through 8.1.3, who can’t update to Adobe Reader 9.1, should update to Adobe Reader 8.1.4 or Adobe Reader 7.1.1, available from one of the following links:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Unix

Acrobat 9

Adobe recommends Acrobat 9 Standard and Acrobat 9 Pro users on Windows update to Acrobat 9.1, available at the following URLs:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=4375
http://www.adobe.com/support/downloads/detail.jsp?ftpID=4382

Adobe recommends Acrobat 9 Pro Extended users on Windows update to Acrobat 9.1, available here:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=4381

Adobe recommends Acrobat 9 Pro users on Macintosh update to Acrobat 9.1, available here:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=4374

Acrobat 8

Adobe recommends Acrobat 8 users on Windows update to Acrobat 8.1.4, available here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows

Adobe recommends Acrobat 8 users on Macintosh update to Acrobat 8.1.4, available here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh

Adobe recommends Acrobat 3D Version 8 users on Windows update to Acrobat 3D Version 8.1.4, available here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows

Acrobat 7

Adobe recommends Acrobat 7 users on Windows update to Acrobat 7.1.1, available here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows

Adobe recommends Acrobat 7 users on Macintosh update to Acrobat 7.1.1, available here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh

Adobe recommends Acrobat 3D Version 7 users on Windows update to Acrobat 3D Version 7.1.1, available here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows

Severity rating

Adobe categorizes this as a critical update and recommends that users apply the update for their product installations.

Details

Critical vulnerabilities have been identified in Adobe Reader and Acrobat 9 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users of Acrobat and Adobe Reader update their product installations to versions 9.1, 8.1.4, or 7.1.1 using the instructions above to protect themselves from potential vulnerabilities.

These updates resolve the JBIG2 filter buffer overflow issue from Security Advisory APSA09-01 and Security Bulletin APSB09-03 (CVE-2009-0658)
Note: there are reports that this issue is being exploited

These updates resolve additional JBIG2 input validation issues that could potentially lead to remote code execution. (CVE-2009-0193, CVE-2009-0928, CVE-2009-1061, CVE-2009-1062)

The Adobe Reader and Acrobat 9.1 and 7.1.1 updates resolve an input validation issue in a JavaScript method that could potentially lead to remote code execution. This issue has already been resolved in Adobe Reader 8.1.3 and Acrobat 8.1.3. (CVE-2009-0927)
Note: there are reports that this issue is being exploited

The Adobe Reader 7.1.1 and Acrobat 7.1.1 updates resolve issues previously addressed in Adobe Reader and Acrobat 8.1.3 and later, and Adobe Reader and Acrobat 9 and later. (CVE-2008-4814, CVE-2008-4813, CVE-2008-2549)

Users may also monitor the latest information on the Adobe Product Security Incident Response Team blog at the following URL: http://blogs.adobe.com/psirt or by subscribing to the RSS feed here: http://blogs.adobe.com/psirt/atom.xml.

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers' security:

  • Tenable Network Security reported through TippingPoint's Zero Day Initiative ( CVE-2009-0927)
  • Sean Larsson of iDefense Labs (CVE-2009-0928), Jonathan Brossard from iViZ Security Research Team (CVE-2009-1061), Will Dormann of CERT/CC (CVE-2009-1062), Alin Rad Pop of Secunia Research (CVE-2009-0193)
  • Thomas Garnier of SkyRecon Systems (CVE-2008-4814)
  •  Peter Vreudegnhil reported through TippingPoint's Zero Day Initiative (CVE-2008-4813)

Revisions

April 9, 2009 – Bulletin updated with information on reports that CVE-2009-0927 is being exploited
March 24, 2009 – Bulletin updated with information on Adobe Reader 9.1 and Adobe Reader 8.1.4 for Unix updates and additional JBIG2 issues
March 18, 2009 – Bulletin first created