Critical vulnerability in Adobe Acrobat and Adobe Reader - patches published

2009-02-23 [Software advisories]

23 February 2009
Latest update: 19 March 2009

PDF files are often used for exchanging documents between corporations and individuals, and are also being used for publishing documents on the web, as most web browsers are able to read PDF documents (after installing plug-ins).

A critical vulnerability has been identified in Adobe Reader version 9 and Adobe Acrobat version 9, as well as in earlier versions. This vulnerability could allow an attacker to take control of the affected system. According to Adobe, there have been reports that the vulnerability is being exploited.

So far no patch for this vulnerability is available. Adobe has scheduled a patch for the latest versions of Acrobat and Reader for 11 March, with updates for previous versions to follow.

To protect yourself against some of the techniques that exploit this vulnerability, consider disabling JavaScript in Adobe Acrobat and Reader, and disabling automatic launching of PDF documents from your web browser.

More information is available in Adobe's security bulletin.

Update 2009.03.11:

A security update is available for Adobe Acrobat and Reader version 9 (only).
Norman strongly advises those who can to install this update as soon as possible, as this security issue is serious.
More information, with links to the update, is available in Adobe's security bulletin.

Update 2009.03.19:

A security update is available for Adobe Acrobat and Reader versions 7 and 8.
Norman strongly advises those who can to install this update as soon as possible, as this security issue is serious.
More information, with links to the update, is available in Adobe's security bulletin.