Softpedia
 

May 14th, 2009, 12:37 GMT

Adobe Patches Two Reader and Acrobat Critical Vulnerabilities

Security updates for Adobe Reader and Acrobat have been released
Adobe has released security updates for all versions of its Reader and Acrobat products on all supported operating systems, with the exception of version 7.1.1 on Mac OS X, which remains vulnerable. The patches address two serious remote code execution bugs, which have been known since the end of April.

On April 29, we reported that a hacker going by the online handle of Arr1val had published proof-of-concept exploits for two remote code execution vulnerabilities in Adobe Reader and Acrobat. Upon investigating the incidents, Adobe's security team concluded that one bug affected all versions of the products to date for all operating systems, while the other was limited to the Linux versions.

"A critical vulnerability has been identified in Adobe Reader 9.1 and Acrobat 9.1 and earlier versions. This vulnerability (CVE-2009-1492) would cause the application to crash and could potentially allow an attacker to take control of the affected system. A second vulnerability has also been reported that appears to affect Adobe Reader for UNIX only (CVE-2009-1493). These issues are remotely exploitable," the Adobe advisory reads.

Both vulnerabilities could have been exploited by creating malformed PDF files with a malicious JavaScript-based payload. Therefore, entirely disabling JavaScript in the affected products was accepted as a temporary solution, even though it was not applicable to some environments where the functionality was required.

At a time when malicious PDF files are particularly prevalent, security professionals are questioning Adobe's patch-deployment schedule. These vulnerabilities were patched two weeks after their discovery, but, even if they weren't actively exploited in the wild, that is still a long time by some people's standards.

And this was a fortunate case: a similar critical vulnerability, disclosed in February as a 0-day and subsequently employed by cyber-crooks in their attacks, went unfixed for more than three weeks. Additionally, that vulnerability was exploitable even with JavaScript disabled, leaving caution and a good anti-virus program as the only alternatives for protection.

The latest available updates for Adobe Reader and Acrobat are 9.1.1, 8.1.5 and 7.1.2, respectively. Users are encouraged to upgrade to these versions immediately by following the download links for their respective operating systems, available in the Adobe Security Advisory APSA09-02.
