
DOE-CIRC TECHNICAL BULLETIN

T-248: Adobe Acrobat Reader Remote Code Execution Vulnerability

[CVE-2009-3459]

October 9, 2009 15:00 GMT

PROBLEM: Adobe Reader and Acrobat contain a remote code-execution vulnerability that is triggered by opening a crafted PDF file.
PLATFORM: Adobe Reader 9.1.3 and earlier versions for Windows, Macintosh, and UNIX, Adobe Acrobat 9.1.3 and earlier versions for Windows and Macintosh
ABSTRACT: Successful exploitation allows the attacker to execute arbitrary code in the context of the user running the affected application. Failed attempts will likely crash the application (denial of service).

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-248.shtml
  OTHER LINKS:       Security Focus: http://www.securityfocus.com/bid/36600/info
                     Adobe: http://www.adobe.com/support/security/bulletins/apsb09-15.html

  CVE: CVE-2009-3459

IMPACT ASSESSMENT: This risk is high. An attacker can exploit this issue by getting a user to open a malicious PDF file, for example as an e-mail attachment or a web download.

[***** Start CVE-2009-3459 *****]
Discussion:
Adobe is planning to release an update for Adobe Reader 9.1.3 and Acrobat 9.1.3, Adobe Reader 8.1.6 and Acrobat 8.1.6 for Windows, Macintosh and UNIX, and Adobe Reader 7.1.3 and Acrobat 7.1.3 for Windows and Macintosh to resolve critical security issues. Adobe expects to make this update available on October 13, 2009. This update represents the second quarterly security update for Adobe Reader and Acrobat.

Among other issues, this update will resolve a critical vulnerability in Adobe Reader and Acrobat 9.1.3 and earlier (CVE-2009-3459) on Windows, Macintosh and UNIX. There are reports that this issue is being exploited in the wild in limited targeted attacks; the known exploit targets Adobe Reader and Acrobat 9.1.3 on Windows. Adobe Reader and Acrobat 9.1.3 customers with DEP enabled on Windows Vista are protected from this exploit. Disabling JavaScript also mitigates this specific exploit, although a variant that does not rely on JavaScript could be possible. In the meantime, Adobe is also in contact with antivirus and security vendors regarding the issue and recommends that users keep their anti-virus definitions up to date.
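The discussion above says the in-the-wild exploit relies on JavaScript and that disabling JavaScript mitigates it. Until the October 13 update is applied, that makes PDFs carrying JavaScript that fires on open the thing to look for at the mail gateway or in a triage queue. The following Python script is an added example written for this bulletin, not part of the DOE-CIRC or Adobe text: it flags a PDF that contains JavaScript or a launch action together with an auto-execute hook (/OpenAction or /AA), decoding PDF's #xx-escaped names and inflating FlateDecode streams first so that cheap obfuscation does not hide the markers. The three sample PDFs are constructed inline for the demonstration and contain no exploit.

```python
"""Triage scanner for PDFs that auto-run JavaScript or launch actions.

Added example for this bulletin; not DOE-CIRC or Adobe code. It looks for the
object markers a JavaScript-driven exploit needs (/JavaScript or /JS, wired to
/OpenAction or /AA so it fires on open) and also flags /Launch actions. To
defeat cheap obfuscation it decodes PDF #xx name escapes and inflates
FlateDecode streams before matching. All sample PDFs below are constructed
for the demo and contain no exploit.
"""
import re
import zlib

# Markers of interest. The negative lookahead keeps /JS from matching
# longer names that merely share the prefix.
INDICATORS = {
    "JavaScript": rb"/JavaScript(?![A-Za-z0-9])",
    "JS": rb"/JS(?![A-Za-z0-9])",
    "OpenAction": rb"/OpenAction(?![A-Za-z0-9])",
    "AA": rb"/AA(?![A-Za-z0-9])",          # additional-actions dictionary
    "Launch": rb"/Launch(?![A-Za-z0-9])",
}


def _unescape_names(data: bytes) -> bytes:
    """Decode #xx hex escapes, so /J#61vaScript becomes /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def _inflate_streams(data: bytes) -> list:
    """Return the decompressed body of every FlateDecode stream found."""
    bodies = []
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream",
                         data, re.DOTALL):
        # Cheap filter check: inspect the dictionary just before the keyword.
        head = data[max(0, m.start() - 512):m.start()]
        if b"/FlateDecode" not in head:
            continue
        try:
            bodies.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # corrupt or truncated stream: nothing to inspect
    return bodies


def scan_pdf(data: bytes) -> dict:
    """Count each indicator across the raw file and its inflated streams."""
    views = [_unescape_names(data)]
    views += [_unescape_names(body) for body in _inflate_streams(data)]
    counts = {name: 0 for name in INDICATORS}
    for view in views:
        for name, pattern in INDICATORS.items():
            counts[name] += len(re.findall(pattern, view))
    return counts


def is_suspicious(counts: dict) -> bool:
    """JavaScript wired to an auto-execute hook, or any Launch action."""
    has_js = counts["JavaScript"] or counts["JS"]
    auto_run = counts["OpenAction"] or counts["AA"]
    return bool(has_js and auto_run) or bool(counts["Launch"])


# --- constructed samples (no exploit content) --------------------------------
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# JavaScript that runs on open; the name is hex-escaped so a plain grep for
# "/JavaScript" misses it.
JS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert(1);) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def _build_compressed_sample() -> bytes:
    """Same action object, but hidden inside a FlateDecode stream."""
    inner = b"4 0 obj << /S /JavaScript /JS (app.alert(1);) >> endobj"
    body = zlib.compress(inner)
    return (b"%PDF-1.5\n"
            b"1 0 obj << /Type /Catalog /OpenAction 4 0 R >> endobj\n"
            b"5 0 obj << /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body
            + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")


COMPRESSED_JS_PDF = _build_compressed_sample()

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("escaped-js", JS_PDF),
                       ("compressed-js", COMPRESSED_JS_PDF)):
        counts = scan_pdf(pdf)
        print(f"{label:14s} {counts} -> "
              f"{'SUSPICIOUS' if is_suspicious(counts) else 'ok'}")
```

A hit is a reason to quarantine the file for analysis, not proof of exploitation: many legitimate forms carry JavaScript, and a variant that does not rely on JavaScript, which Adobe notes is possible, would not trip this check. On Windows, the per-user JavaScript switch Adobe refers to is the Edit > Preferences > JavaScript checkbox, which is stored as the DWORD value bEnableJS under HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs (0 = disabled); that registry detail comes from general Reader administration knowledge, not from this bulletin.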

Solution:
The vendor plans to release updates for this issue on October 13, 2009.

[***** End CVE-2009-3459 *****]

DOE-CIRC wishes to acknowledge the contributions of Chia-Ching Fang and the Information and Communication Security Technology Center for the information contained in this bulletin.
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788