buffer overflow in adobe reader 8/9

 
 
robinb
24th Feb 2009
http://www.adobe.com/support/securit...apsa09-01.html

Buffer overflow issue in versions 9.0 and earlier of Adobe Reader and
Acrobat

Release date: February 19, 2009

Vulnerability identifier: APSA09-01

CVE number: CVE-2009-0658

Platform: All platforms
Summary

A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9
and earlier versions. This vulnerability would cause the application to
crash and could potentially allow an attacker to take control of the
affected system. There are reports that this issue is being exploited.

Adobe is planning to release updates to Adobe Reader and Acrobat to resolve
the relevant security issue. Adobe expects to make available an update for
Adobe Reader 9 and Acrobat 9 by March 11th, 2009. Updates for Adobe Reader 8
and Acrobat 8 will follow soon after, with Adobe Reader 7 and Acrobat 7
updates to follow. In the meantime, Adobe is in contact with anti-virus
vendors, including McAfee and Symantec, on this issue in order to ensure the
security of our mutual customers. A security bulletin will be published on
http://www.adobe.com/support/security as soon as product updates are
available.

--
Do You Feel Like a Hostage To Your Computer?
Then You Need
R&D Internet Associates
24 Coriander Drive
Princeton NJ 08540
732-355-0156
http://rdinternetassociates.com

 
Randy Knobloch
24th Feb 2009
robinb wrote:
> http://www.adobe.com/support/securit...apsa09-01.html

<snip>
This is basically a short-term fix, which basically tells users of affected software to
disable JavaScript in Preferences.
OK, done, until Adobe release a "real" patch.
Beware of third-party fixes as outlined here >
<http://www.theregister.co.uk/2009/02/24/unofficial_adobe_patch/>

More info here which goes to the URL Robin posted >
<http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090221>

--
Randy
<http://msmvps.com/blogs/siljaline/default.aspx>



 
Tom Emmelot
24th Feb 2009
Hi Robin,

I have been using this for a while now!

http://www.foxitsoftware.com/downloads/
Faster, with a plugin for Firefox and a PDF creator also!

Regards >*<TOM >*<

Alan D
24th Feb 2009
Hi Tom. I use Foxit too - but presumably it too is vulnerable to this
exploit?
Alan D


robinb
25th Feb 2009
I did the fix until the patch comes out. Adobe asks you to do it.
The fix is:
Open Adobe Reader.

Click: Edit -> Preferences -> JavaScript and uncheck "Enable Acrobat
JavaScript", then click OK.
They say the reader will still crash if it is hit by the exploit, but it will
not spread the exploit.
robin



 
Reply With Quote
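The Preferences change described in the post above, as a per-user registry audit that an administrator could run on several machines. This is an added example, not part of the thread or of Adobe's advisory; the `JSPrefs\bEnableJS` location, the product key names and the version list are assumptions about Reader/Acrobat 7 to 9, and `-Apply` is this script's own switch.

```powershell
# Added example, not from the thread or from Adobe.
# Assumption: the "Enable Acrobat JavaScript" checkbox is stored per user as
# the DWORD bEnableJS under ...\<product>\<version>\JSPrefs (0 = JavaScript off).
param([switch]$Apply)   # without -Apply the script only reports

$products = 'Acrobat Reader', 'Adobe Acrobat'
$versions = '7.0', '8.0', '9.0'   # the product versions named in the quoted advisory

$results = foreach ($product in $products) {
    foreach ($version in $versions) {
        $base = "HKCU:\Software\Adobe\$product\$version"
        if (-not (Test-Path $base)) { continue }   # never run by this user

        $key = Join-Path $base 'JSPrefs'
        $current = $null
        if (Test-Path $key) {
            $current = (Get-ItemProperty -Path $key -Name 'bEnableJS' `
                        -ErrorAction SilentlyContinue).bEnableJS
        }

        # Assumption: a missing value means the application default (enabled).
        $enabled = ($null -eq $current) -or ($current -ne 0)

        if ($enabled -and $Apply) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -Path $key -Name 'bEnableJS' -Value 0 -Type DWord
            $enabled = $false
        }

        [pscustomobject]@{
            Product    = $product
            Version    = $version
            JavaScript = if ($enabled) { 'ENABLED' } else { 'disabled' }
        }
    }
}

if ($results) { $results | Format-Table -AutoSize }
else { Write-Output 'No Adobe Reader/Acrobat 7-9 preferences found for this user.' }
```

The setting lives under HKCU, so the script has to run once per user profile. A later post in this thread reports that JavaScript may not be needed to trigger the flaw, so the vendor update is still required once it ships.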
 
Bill Sanderson
25th Feb 2009

I recommend this action if you are worried about this issue. It is easily
reversible and effective--and the chances are you've never seen a PDF that
needed JavaScript.

So far, this is a limited scale targeted attack--so I'm sitting tight as far
as machines that I administer.

Bill Sanderson
25th Feb 2009
Breaking news:

It now appears that javascript is unnecessary to exploit the vulnerability,
according to Secunia.

Best to watch for the patch from Adobe. And, get the older versions updated
to 9.x. They are all vulnerable, but 9.x will be patched first.

robinb
25th Feb 2009
Problem is my husband can only use Adobe 8 for some of his tax PDFs. For
some reason Adobe 9 will not allow you to fill in some of the forms online.
Only Adobe 8 will allow this - got me why they made this change. I did the
fix but we will wait for the patch and pray :P
robin

Bill Sanderson
26th Feb 2009
Ouch. 9 usually, but not always, replaces 8--not sure they can really
coexist--when I've seen both in Add or Remove Programs, I've just removed 8
asap.

Here's hoping Adobe will do the right thing and patch 8 as well.
