Critical Vulnerabilities in Adobe Reader and Acrobat

Adobe has released Security advisory APSB09-15, which describes numerous vulnerabilities affecting Adobe Reader and Acrobat.

An attacker could exploit this vulnerability by convincing a user to open a specially crafted PDF file. The Adobe Reader browser plug-in is available for multiple web browsers and operating systems, which can automatically open PDF documents hosted on a Web site.

These vulnerabilities may allow a remote attacker to execute arbitrary code, write arbitrary files or folders to the file system, escalate local privileges, or cause a denial of service on an affected system as the result of a user opening a malicious PDF document.

This vulnerability is being actively exploited.

For a complete description of the vulnerabilities and affected software, refer to  Adobe Security Bulletins: APSB09-15.

AFFECTED SYSTEMS:

•  Adobe Reader and Acrobat 9.1.3 and earlier 9.x versions
•  Adobe Reader and Acrobat 8.1.6 and earlier 8.x versions
•  Adobe Reader and Acrobat 7.1.3 and earlier 7.x versions

WHAT YOU NEED TO DO TO PROTECT YOUR SYSTEM:

1. Do NOT take action if you have a Computer Support Coordinator (CSC); they will apply the update for you or assist in instructing you.

2. If you do not have a CSC:

•  Update your software

Refer to Adobe Security Bulletins: APSB09-15 on how to obtain the latest updates for your specific software.

•  US-CERT and Adobe recommend the following to help mitigate this vulnerability:

­ Disable JavaScript in Adobe Reader and Acrobat*

­ Prevent Internet Explorer from automatically opening PDF documents*

­ Disable the display of PDF documents in the web browser*

­ Do not access PDF documents from untrusted sources

*Refer to US-CERT Cyber Security Alert TA09-286B for instructions.

ADDITIONAL INFORMATION:

•  US-CERT Cyber Security Alert TA09-286B (Technical Alert)

• Enterprise Information Security

If you have questions about any of the information provided above, you may send email inquiries to security@ucsf.edu.

Teresa A. Regalia, GCIH
UCSF Enterprise Information Security
Telephone: 415-502-1567
Teresa.Regalia@ucsf.edu

OAAIS Customer Support Service Desk
7 a.m. - 6 p.m., Mon – Fri
(415) 514-4100, Option 2
customersupport@ucsf.edu
help.ucsf.edu

Please tell us what you think of our website

The University of California, San Francisco, CA 94143, 415/476-9000
Copyright © 2010, The Regents of the University of California.