Security Warning: Emergency Patch for Adobe Reader/Acrobat Vulnerability
Adobe has released an emergency patch to fix three vulnerabilities in Adobe
Reader and Acrobat: (1) an integer overflow vulnerability related
to how the software parses fonts, (2) a social engineering attack, and
(3) a vulnerable version of Adobe Flash Player bundled inside Adobe Reader and Acrobat.
A proof-of-concept attack for the integer overflow vulnerability
was presented at the Black Hat security conference in Las Vegas on
July 25th. We know of no current malicious use of the vulnerabilities.
However, once proof-of-concept code is published, criminals often turn
it into a working malicious exploit a short time later.
The social engineering attack requires that users interact with the attack
and could allow unauthorized disclosure of information, unauthorized
modification, and/or disruption of service.
Warning: Proof-of-concept code for a vulnerability has been published.
(A "warning" alert is for a situation that is currently occurring or for
which conditions are right for it to occur soon.)
Severity: High. An exploit could potentially allow an attacker to take control of the affected system.
Because Adobe Reader is ubiquitous and because exploit code is publicly available,
we will likely see attacks over the coming months that
will attempt to exploit this vulnerability.
- Adobe Reader version 8.2.3 and prior
- Adobe Reader versions 9.3.0 through 9.3.3
- Adobe Acrobat (Standard, Pro, and 3D) versions 8.2.3 and prior
- Adobe Acrobat (Standard, Pro, and 3D) versions 9.0.0 through 9.3.3
How Are Systems Compromised?
Opening a malicious PDF file can allow remotely taking complete control of your PC.
How Do I Protect My Computer?
Update Adobe Reader to version 9.3.4. If for any reason you cannot
upgrade to Adobe Reader 9, update Adobe Reader to version 8.2.4. If
you are relying only on Microsoft Update to keep your PC up-to-date, be aware that
Microsoft Update will not install patches for non-Microsoft products.
Adobe Reader has a built-in update mechanism. The default configuration
is to check for updates periodically. Even if you have automatic
updating enabled, you might want to manually cause Adobe Reader to
check for updates instead of waiting for the scheduled update
time. From the Help menu in Adobe Reader, select Check for
Updates. Or download and install the update from ftp://ftp.adobe.com/pub/adobe/reader/win/9.x/9.3.4/misc or ftp://ftp.adobe.com/pub/adobe/reader/win/8.x/8.2.4/misc.
The update to Adobe Reader 9.3.4 is an incremental patch; you must have
version 9.3.3 installed to be able to install the patch to 9.3.4.
It might take more than one patch installation to be fully
up-to-date. Keep checking for updates until no more are offered.
Adobe plans to release version 9.3.4 as a full installer to the Adobe Reader Download Center at http://get.adobe.com/reader/
on August 31. This installer will be able to install version
9.3.4 from scratch or update any prior version of Adobe Reader 9.
Update Acrobat to version 9.3.4. If you have Acrobat version 8, update to version 8.2.4.
Acrobat has the same update mechanism as Adobe Reader described above.
Make sure that Flash Player has been updated to version 10.1.82.76 or higher.
ITPS continues to recommend disabling Flash inside PDF files because of
vulnerabilities such as this. We already updated Flash Player for
our Managed Care customers, but there is still a vulnerable version of
Flash Player inside other Adobe products. We have disabled Flash
inside PDF at all our Managed Care customer sites.
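The affected-version list and the update steps above translate directly into a patch-triage check an administrator can run over a software inventory. The following Python helper is an added example, not part of the original bulletin or of any Adobe tooling: it encodes the bulletin's affected ranges (8.2.3 and prior; 9.0.0 through 9.3.3), the fixed versions (8.2.4, 9.3.4), the incremental-patch caveat (9.3.4 applies only on top of 9.3.3, so older 9.x installs need more than one update), and the Flash Player minimum of 10.1.82.76. The inventory rows, the hostnames and the product-name matching are constructed assumptions; a real inventory would come from, for example, the DisplayName/DisplayVersion values of a Windows uninstall listing.

```python
"""Patch-triage helper for the Adobe Reader / Acrobat / Flash Player bulletin.

Added example: the version numbers are the bulletin's; the inventory rows
at the bottom and the product-name matching are constructed assumptions.
"""


def parse_version(text):
    """Turn '9.3.3' into (9, 3, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


# Affected ranges from the bulletin (inclusive). Reader and Acrobat share them.
AFFECTED_8 = (parse_version("0"), parse_version("8.2.3"))      # 8.2.3 and prior
AFFECTED_9 = (parse_version("9.0.0"), parse_version("9.3.3"))  # 9.0.0 through 9.3.3
FIXED_8 = parse_version("8.2.4")
FIXED_9 = parse_version("9.3.4")
FLASH_MIN = parse_version("10.1.82.76")                        # "or higher"


def in_range(version, bounds):
    """Inclusive range test on parsed version tuples."""
    low, high = bounds
    return low <= version <= high


def assess_reader(version_text):
    """Classify an Adobe Reader or Acrobat install against the bulletin.

    Returns one of:
      'patched'          - at or beyond the fixed version for its branch
      'update-to-9.3.4'  - a 9.3.3 install that can take the incremental patch
      'update-via-9.3.3' - an earlier 9.x install; the incremental patch needs
                           9.3.3 first, so more than one update will run
      'update-to-8.2.4'  - an 8.x-or-earlier install
      'not-listed'       - a version the bulletin does not cover
    """
    v = parse_version(version_text)
    if in_range(v, AFFECTED_9):
        return "update-to-9.3.4" if v == AFFECTED_9[1] else "update-via-9.3.3"
    if in_range(v, AFFECTED_8):
        return "update-to-8.2.4"
    if v[0] == 9 and v >= FIXED_9:
        return "patched"
    if v[0] == 8 and v >= FIXED_8:
        return "patched"
    return "not-listed"


def assess_flash(version_text):
    """Flash Player must be 10.1.82.76 or higher per the bulletin."""
    return "patched" if parse_version(version_text) >= FLASH_MIN else "update-flash"


# Constructed sample inventory: (host, product DisplayName, DisplayVersion).
SAMPLE_INVENTORY = [
    ("ws01", "Adobe Reader 9.3", "9.3.3"),
    ("ws02", "Adobe Reader 9.1", "9.1.0"),
    ("ws03", "Adobe Reader 8", "8.2.3"),
    ("ws04", "Adobe Acrobat 9 Pro", "9.3.4"),
    ("ws04", "Adobe Flash Player 10 ActiveX", "10.1.53.64"),
    ("ws05", "Adobe Flash Player 10 Plugin", "10.1.82.76"),
    ("ws05", "7-Zip", "9.20"),
]


def triage(rows):
    """Return {host: [(product, verdict), ...]} listing only installs that need action.

    Product matching on the display name is a simplifying assumption.
    """
    findings = {}
    for host, product, version in rows:
        if "Flash" in product:
            verdict = assess_flash(version)
        elif "Reader" in product or "Acrobat" in product:
            verdict = assess_reader(version)
        else:
            continue  # not an Adobe product covered by this bulletin
        if verdict != "patched":
            findings.setdefault(host, []).append((product, verdict))
    return findings


if __name__ == "__main__":
    for host, items in sorted(triage(SAMPLE_INVENTORY).items()):
        for product, verdict in items:
            print(f"{host}: {product} -> {verdict}")
```

The verdicts distinguish a host that needs one incremental patch from one that needs the chain of updates the bulletin warns about, which is what decides whether a single reboot window is enough or the full installer due on August 31 is the simpler route.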
Adobe Security Advisories:
Adobe Security Bulletin for Flash Player vulnerability: http://www.adobe.com/support/security/bulletins/apsb10-06.html
National Vulnerability Database CVE-2010-2862
National Vulnerability Database CVE-2010-1240
Adobe Product Security Incident Response Team:
Based on the criticality, IT Professional Services is performing an
emergency deployment of the patches to all systems under Managed Care.
If you need assistance installing protection from
this vulnerability or a security assessment, IT Professional Services
can help. Call our
out more about our managed care service.
To find out how vulnerable your network is
schedule a free network security analysis today.
We at IT Professional Services (ITPS)
hope that the information in this bulletin is valuable to you. ITPS
believes the information provided herein is reliable. While care has
been taken to ensure accuracy, your use of the information contained in
this bulletin is at your sole risk. All information in this bulletin is
provided "as-is", without any warranty, whether express or implied, of
its accuracy, completeness, fitness for a particular purpose, title or
non-infringement, and none of the third-party products or information
mentioned in the bulletin are authored, recommended, supported or
guaranteed by ITPS. ITPS shall not be liable for any damages you may
sustain by using this information, whether direct, indirect, special,
incidental or consequential, even if it has been advised of the
possibility of such damages.