.

Adobe Confirms Reader Flaw, Advises on Workarounds

<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Thu Dec 17, 2009 10:07 am

Adobe Confirms Reader Flaw, Advises on Workarounds

And they just keep coming...


Adobe has confirmed a zero-day vulnerability in its Reader and Acrobat software and plans to release a patch on Jan. 12 for the dangerous bug.

According to an an advisory issued late Tuesday, the vulnerability impacts version 9.2 and earlier for Windows, Mac and UNIX platforms. A successful exploit can allow an attacker to crash or take control of a targeted system.

As users await an updated version of the popular PDF management products, the company recommended IT administrators utilize the JavaScript Blacklist Framework, which offers granular control over the execution of specific JavaScript API calls. Individual users, meanwhile, simply can opt to disable JavaScript in Reader and Acrobat by unchecking the "Enable Acrobat JavaScript"option.

In addition, customers can leverage Data Execution Prevention (DEP), a Vista and Windows 7 security feature that prevents an application from executing code in certain memory regions. The functionality also is available on Windows XP Service Pack 3.

Exploits currently are being delivered as a malicious PDF attached to emails, security experts said. So far, the attacks have been fairly targeted, but that is expected to change, especially now that the exploit has been added to the Metasploit framework.

David Lenoe, a security program manager at Adobe, said Tuesday in a blog post that users may be helped by their anti-virus vendors.

"Adobe actively shares information about this and other vulnerabilities with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available," he said.

Exploits for the vulnerability began surfacing late last week, but as of Tuesday, a majority of security solutions were failing to detect the malicious PDFs being used in the ambushes, according to the Shadowserver Foundation, an internet security watchdog.



See original story:
http://www.scmagazineus.com/adobe-confi ... le/159738/

Don
CISSP, MCSE, CSTA, Security+ SME
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu Dec 17, 2009 5:44 pm

Re: Adobe Confirms Reader Flaw, Advises on Workarounds

Oh this sounds juicy! 
~~~~~~~~~~~~~~
Ketchup

Return to Malware

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software