Windows Vista and Windows 7 who have DEP enabled (that’s Data Execution Prevention) are protected from the exploit. Users who work with different operating systems are encouraged to disable JavaScript to protect against the specific known exploit. Adobe mentions that it is on the other hand possible to create an exploit that does not rely on JavaScript.

Adobe plans to resolve this issue as part of the upcoming Adobe Reader and Acrobat quarterly security update, scheduled for release on October 13. Adobe Reader and Acrobat 9.1.3 customers with DEP enabled on Windows Vista will be protected from this exploit. Disabling JavaScript also mitigates against this specific exploit, although a variant that does not rely on JavaScript could be possible. In the meantime, Adobe is also in contact with Antivirus and Security vendors regarding the issue and recommends users keep their anti-virus definitions up to date.

Probably the best protection at this point is to uninstall Adobe Reader and Adobe Acrobat and install a third party pdf viewer like Foxit Reader, muPDF or STDU Viewer. Additional information are available at the Adobe website.

Related posts

• Unofficial Adobe Reader Patch Released (4)
• Adobe Reader and Acrobat Security Updates (3)
• Critical Adobe Reader Update (4)
• Adobe Reader, Acrobat and Flash Player Zero Day Vulnerability (3)
• Adobe Reader Speedup (14)

Apple Mac and Unix systems are affected by the vulnerability as well but the exploit that is currently in the wild is only affecting Windows. Adobe suggests to enable UAC in Windows Vista (and Windows 7). Windows XP users should consider moving or deleting authplay.dll to protect their computer system from the threat against Adobe Reader and Acrobat “but users will experience a non-exploitable crash or error message when opening a PDF that contains SWF content”.

An alternative would be to uninstall Adobe Reader or Acrobat and install one of the available third party pdf readers like Foxit Reader or Sumatra.

Adobe does not offer any advise on the Flash Player vulnerability. The only viable option seems to be to disable or even uninstall Flash and wait for the patch which is expected to be released on July 30 and July 31.

Related posts

• Adobe Reader and Acrobat Security Updates (3)
• Unofficial Adobe Reader Patch Released (4)
• Critical Adobe Reader Update (4)
• Adobe Reader Security Vulnerabilities (4)
• Adobe Reader and Acrobat Critical Security Update (1)

The security updates are provided for Adobe Reader and Adobe Acrobat software products running on both Microsoft Windows and Apple Macintosh operating systems. The security bulletin that was issued yesterday contains links that point to downloads for all affected programs and operating systems.

The affected programs are:

• Adobe Reader 9.1.1 and earlier versions
• Adobe Acrobat Standard, Pro, and Pro Extended 9.1.1 and earlier versions

Adobe recommends users of Adobe Reader and Acrobat update their product installations to versions 9.1.2, 8.1.6, or 7.1.3 using the instructions above to protect themselves from potential vulnerabilities. The above updates apply to Windows and Macintosh. Security updates for Adobe Reader on the UNIX platform will be available on June 16, 2009; this Bulletin will be updated to reflect their availability on that date.

Security conscious users might want to consider switching from Adobe Reader to a third party application like Foxit Reader, Sumatra PDF or PDF-Xchange Viewer.

Related posts

• Adobe Reader, Acrobat and Flash Player Zero Day Vulnerability (3)
• Adobe Reader Security Vulnerabilities (4)
• Adobe Reader and Acrobat Critical Security Update (1)
• Unofficial Adobe Reader Patch Released (4)
• Critical Adobe Reader Update (4)

Lurene Grenier, a security researcher at Sourcefire, has published an unofficial patch for Adobe Reader 9 that is installed on a computer running the Microsoft Windows operating system. The patch comes with no guarantees and involves the replacement of a dll file in the Adobe Reader directory. Users should make sure to backup the dll before replacing it to be prepared for eventualities. Windows users with previous Adobe Reader versions will have to upgrade to Adobe Reader 9 before they can apply the patch.

There is another recommendation (by US-CERT)which is helpful for users of other operating systems or Windows users who do not like the idea of replacing a dll on the computer system:

• Disabling Javascript in Adobe Reader by going to Edit > Preferences > JavaScript and unchecking enable Acrobat JavaScript.
• Preventing IE from automatically displaying PDFs. This can be done via a Registry tweak described on the US-CERT notification.
• Disable rendering of PDFs within web pages. This can be done from the Edit-Preferences menu in Adobe Reader.

It is recommended to act swiftly to prevent that the vulnerability can get exploited on the computer system. Users of third party PDF software programs are not affected by the vulnerability.

Related posts

• Adobe Reader Security Vulnerabilities (4)
• Critical Adobe Reader Update (4)
• Adobe Reader, Acrobat and Flash Player Zero Day Vulnerability (3)
• Adobe Reader Speedup (14)
• Adobe Reader and Acrobat Security Updates (3)

Adobe just mentioned that “the Adobe Reader 8.1.2 update addresses a number of customer workflow issues and security vulnerabilities while providing more stability.” Either they have forgotten to include the information in the release notes or they did not want to publish them officially.

It does not really matter for us end users anyway. If you use Adobe Reader head out now and download the latest version of Adobe Reader to be on the safe side.

Related posts

• Unofficial Adobe Reader Patch Released (4)
• Adobe Reader, Acrobat and Flash Player Zero Day Vulnerability (3)
• Adobe Reader Security Vulnerabilities (4)
• Adobe Reader and Acrobat Security Updates (3)
• Of Cracks, Hacks And Jailbreaks (2)