Serious Unpatched Security Vulnerability in Adobe Reader and Acrobat

UPDATE #2: Adobe has now released patches for versions 7, 8 and 9 of Acrobat and Reader for both Windows and Mac platforms. Please refer to the links below.

Click here for Windows
Click here for Mac

UPDATE #1: Adobe has released version 9.1 for Windows and Mac platforms. A patch for older versions is expected on or around March 25th. If you’re running version 9, you can open your existing Adobe application and then click on ‘Check for Updates’ in the Help menu. You can also get the update directly from their website (you must already be at version 9).

You can also download and install the latest version of Adobe right from their home page.

~~~~~~~~~~~~~~~~~~~~~~~~

A significant security weakness was recently discovered in the widely used Adobe Reader and Acrobat applications. This weakness affects version 9 and all earlier versions. The immediate concern is that Adobe has no fix available yet (one is targeted for March 11th), while malicious individuals are already exploiting the weakness and infecting systems.

Simply opening an infected PDF document can infect your system. Once your system is infected, an attacker can silently access and control your computer, steal information, etc.

The aforementioned Adobe products on all platforms (Windows, Mac and Linux) are vulnerable.

What can you do to reduce the chances of getting infected by a rogue Adobe document?

1) You can disable the use of JavaScript in Adobe Reader and Acrobat (this is not 100% effective but will provide increased protection).

For Windows: Open Adobe Acrobat Reader, click on Edit and then Preferences.
Click on JavaScript in the left-most column and then uncheck the box next to “Enable Acrobat JavaScript”. Click OK.

For Macs: Open Adobe Acrobat Reader, then click Adobe Reader (on the Menulet) and then Preferences. Click on JavaScript in the left-most column and then uncheck the box next to “Enable Acrobat JavaScript”. Click OK.

2) Do not access PDF documents from “untrusted” or suspicious sources, particularly web sites and unsolicited email attachments. (This actually applies to any type of file.)

This posting will be updated once a fix from Adobe is available and/or if there are any significant changes in this situation.

BTW, Adobe just released patches for its popular Flash Player, so you should update this application ASAP if you actively use it.