Infosecurity.US

Adobe Security Update – Reader and Acrobat Exploits Mitigated

By Marc Handelman on November 5th, 2008

Adobe Systems, Inc. (NasdaqGS: ADBE) has announced the release of update patches, mitigating specific security vulnerabilities in the software company’s Acrobat and Reader PDF editing and viewing products.

The specific vulnerabilities are enumerated as MITRE CVE Numbers: CVE-2008-2992, CVE-2008-2549, CVE-2008-4812, CVE-2008-4813, CVE-2008-4817, CVE-2008-4816, CVE-2008-4814, CVE-2008-4815.

The full text of Adobe's announcement follows.

Security Update available for Adobe Reader 8 and Acrobat 8

Release date: November 4, 2008

Vulnerability identifier: APSB08-19

CVE number: CVE-2008-2992, CVE-2008-2549, CVE-2008-4812, CVE-2008-4813, CVE-2008-4817, CVE-2008-4816, CVE-2008-4814, CVE-2008-4815

Platform: All Platforms

Summary

Critical vulnerabilities have been identified in Adobe Reader and Acrobat 8.1.2 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe Reader 9 and Acrobat 9 are not vulnerable to these issues. Adobe recommends users of Acrobat 8 and Adobe Reader 8 who can’t update to Adobe Reader 9 install the 8.1.3 update to protect themselves from potential vulnerabilities.

Affected software versions

  • Adobe Reader 8.1.2 and earlier versions
  • Adobe Acrobat Professional, 3D and Standard 8.1.2 and earlier versions

Solution

Adobe Reader

Adobe recommends Adobe Reader users update to Adobe Reader 9, available here:
http://www.adobe.com/go/getreader

Users with Adobe Reader 8.0 through 8.1.2, who can’t update to Adobe Reader 9, should update to Adobe Reader 8.1.3:
http://www.adobe.com/go/getreader

Acrobat 8

Adobe recommends Acrobat 8 users on Windows update to Acrobat 8.1.3, available here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows

Adobe recommends Acrobat 8 users on Macintosh update to Acrobat 8.1.3, available here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh

Adobe recommends Acrobat 3D Version 8 users on Windows update to Acrobat 3D Version 8.1.3, available here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows
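The affected-version and solution sections above give a patch-management rule that is easy to get wrong with naive string comparison (for example "8.1.10" sorting before "8.1.3"). The following is an added example, not Adobe's code or anything from the advisory: it encodes the advisory's rule (8.1.2 and earlier affected, fixed in 8.1.3, the 9.x line not vulnerable) as a version check that can be run over an inventory of installed versions. The host names and versions in the sample inventory are constructed, and the literal reading of "8.1.2 and earlier" as covering every version below 8.1.3 is an assumption of this example.

```python
"""Version check for Adobe APSB08-19 (added example, not Adobe's code).

Assumptions (not from the advisory): version strings are dotted integers
such as "8.1.2"; the affected range is taken literally from the advisory
text, "8.1.2 and earlier", with the fix in 8.1.3 and the 9.x line
stated as not vulnerable.
"""
import re
from typing import Dict, Tuple

FIXED_VERSION = (8, 1, 3)   # first patched 8.x release named in APSB08-19
UNAFFECTED_MAJOR = 9        # Reader 9 / Acrobat 9 are stated as not vulnerable

_VERSION_RE = re.compile(r"\d+(\.\d+)*")


def is_valid_version(text: str) -> bool:
    """True for dotted-integer versions like '8.1.2'; False for junk."""
    return _VERSION_RE.fullmatch(text.strip()) is not None


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.1.2' into (8, 1, 2); raises ValueError on junk input."""
    if not is_valid_version(text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in text.strip().split("."))


def _pad(v: Tuple[int, ...], n: int = 3) -> Tuple[int, ...]:
    """Right-pad with zeros so '8.1' compares as (8, 1, 0)."""
    return v + (0,) * (n - len(v))


def is_affected(version: str) -> bool:
    """Apply the advisory's rule: below 8.1.3 is affected, 9.x is not."""
    v = _pad(parse_version(version))
    if v[0] >= UNAFFECTED_MAJOR:
        return False
    # tuple comparison is numeric per component, so (8, 1, 10) > (8, 1, 3)
    return v < FIXED_VERSION


def assess(installed: str) -> str:
    """Return a short remediation verdict for one installed version."""
    if not is_affected(installed):
        return f"{installed}: not affected by APSB08-19"
    return f"{installed}: affected; update to 8.1.3 or to Reader/Acrobat 9"


def assess_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> verdict for a {host: installed version} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # constructed sample inventory; these are not real hosts
    sample = {
        "ws-01": "8.1.2",
        "ws-02": "8.1.3",
        "ws-03": "9.0",
        "ws-04": "8.0",
        "ws-05": "8.1.10",
    }
    for host, verdict in assess_inventory(sample).items():
        print(host, verdict)
```

The numeric tuple comparison is the point of the example: a lexical comparison of "8.1.10" against "8.1.3" would wrongly flag a patched install, and unpadded tuples would misorder "8.1" against "8.1.3".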

Severity rating

Adobe categorizes this as a critical issue and recommends that users apply the update for their product installations.

Details

Critical vulnerabilities have been identified in Adobe Reader and Acrobat 8.1.2 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users of Acrobat and Adobe Reader update their product installations using the instructions above to protect themselves from potential vulnerabilities.

This update resolves multiple input validation errors that could potentially lead to code execution. (CVE-2008-4812)

This update resolves multiple input validation issues that could potentially lead to remote code execution. (CVE-2008-4813)

This update resolves an input validation issue in a JavaScript method that could potentially lead to remote code execution. (CVE-2008-2992)

An input validation issue in the Download Manager used by Adobe Reader that could potentially lead to remote code execution during the download process has been resolved. (CVE-2008-4817)

A Windows-only issue in the Download Manager used by Adobe Reader that could lead to a user’s Internet Security options being changed during the download process has been resolved. (CVE-2008-4816)

This update resolves an input validation issue in a JavaScript method that could potentially lead to remote code execution. (CVE-2008-4814)

This update resolves a potential Unix-only privilege escalation issue. (CVE-2008-4815)

This update resolves a publicly published denial of service issue. (CVE-2008-2549)
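Two of the issues above (CVE-2008-2992 and CVE-2008-4814) are input validation flaws in JavaScript methods, so a defender who cannot patch immediately will want to know which inbound PDFs carry script at all. The following is an added example and not Adobe's code or anything from the advisory: a triage scanner that reports PDF name tokens indicating embedded JavaScript or automatic actions, decoding the `#xx` escapes that the PDF name syntax permits so that `/Java#53cript` is recognised as `/JavaScript`. The sample PDFs are constructed here for the demonstration and contain nothing but a harmless alert call; the scanner does not parse the PDF object model, and names inside compressed streams or object streams are not visible to it, which is the caveat a practitioner needs to keep in mind.

```python
"""Triage scan for PDFs carrying JavaScript (added example, not Adobe's code).

The advisory attributes two fixed issues to input validation in JavaScript
methods, so flagging PDFs that embed script before they reach unpatched
readers is a reasonable interim control. This scanner works on raw bytes
only: names hidden inside FlateDecode streams or object streams are not
seen, so a negative result is not a clean bill of health.
"""
import re
from typing import Dict

# PDF name tokens that indicate script or automatic (open-time) actions
INDICATORS = ("/JavaScript", "/JS", "/OpenAction", "/AA")

# A PDF name runs until whitespace or a delimiter; characters may be
# written as #xx hex escapes, e.g. /Java#53cript for /JavaScript.
_NAME_RE = re.compile(rb"/(?:[^\s/<>\[\]()%{}]|#[0-9A-Fa-f]{2})+")
_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def _unescape_name(raw: bytes) -> str:
    """Decode #xx escapes so /J#53 compares equal to /JS."""
    decoded = _ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def find_script_indicators(pdf: bytes) -> Dict[str, int]:
    """Count occurrences of each indicator name in the raw PDF bytes."""
    counts = {name: 0 for name in INDICATORS}
    for m in _NAME_RE.finditer(pdf):
        name = _unescape_name(m.group(0))
        if name in counts:
            counts[name] += 1
    return {k: v for k, v in counts.items() if v}


def has_embedded_script(pdf: bytes) -> bool:
    """True when a JavaScript action or JS stream key is present."""
    hits = find_script_indicators(pdf)
    return "/JavaScript" in hits or "/JS" in hits


# Constructed sample documents (not real files, not malware).
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
)
SCRIPTED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
)
ESCAPED_PDF = (
    b"%PDF-1.4\n"
    b"2 0 obj << /S /Java#53cript /J#53 (app.alert(1)) >> endobj\n"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("scripted", SCRIPTED_PDF),
                       ("escaped", ESCAPED_PDF)):
        print(label, has_embedded_script(doc), find_script_indicators(doc))
```

Reporting `/OpenAction` and `/AA` alongside the script keys matters in practice: a script that only runs when the user clicks is a different risk from one wired to fire when the document opens in an unpatched reader.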

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers’ security:

  • Greg MacManus of iDefense Labs (CVE-2008-4812)
  • Peter Vreugdenhil reported through TippingPoint’s Zero Day Initiative, Dyon Balding of Secunia Research, Will Dormann of CERT/CC, Damian Frizza of Core Security Technologies, and Greg MacManus of iSIGHT Partners Labs (CVE-2008-2992)
  • Peter Vreugdenhil reported through iDefense (CVE-2008-4817)
  • An anonymous contributor reported through iDefense (CVE-2008-4812)
  • Javier Vicente Vallejo reported through TippingPoint’s Zero Day Initiative (CVE-2008-4813)
  • Peter Vreugdenhil reported through TippingPoint’s Zero Day Initiative (CVE-2008-4813)
  • Thomas Garnier of SkyRecon Systems (CVE-2008-4814)
  • Josh Bressers of Red Hat (CVE-2008-4815)

Categories: Infosecurity
Tags: Adobe Systems, Software Patches

2 Responses to “Adobe Security Update – Reader and Acrobat Exploits Mitigated”

  1. Nick Hansen
    Nov 5th, 2008 at 18:18

    Adobe Reader update 8.1.3 released. Bunch of Critical CVEs addressed: http://infosecurity.us/?p=3056

  2. Recently Mitigated Adobe Vulnerability Actively Exploited In The Wild
    Nov 11th, 2008 at 00:10

    [...] exploits have been mounted targeting the recently reported vulnerability in Adobe Systems INC (NasdaqGS: ADBE) Reader 8 to attack Microsoft Corporation (NasdaqGS: MSFT) [...]

The Infosecurity.US Blog is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.

Find the best blogs at Blogs.com.

Creative Commons Attribution-Share Alike 3.0 U.S. License ©2010 Infosecurity.US

Subscribe