Security Alerts

Security Warning:  Emergency Patch for Adobe Reader/Acrobat Vulnerability
8/19/2010

Adobe released an emergency patch to fix three vulnerabilities in Adobe Reader and Acrobat:  (1) An integer overflow vulnerability related to how the software parses fonts, (2) a social engineering attack, and (3) Adobe Reader and Acrobat include a vulnerable version of Adobe Flash Player.

A proof-of-concept attack for the integer overflow vulnerability was demonstrated at the Black Hat security conference in Las Vegas on July 25th.  We know of no current malicious use of the vulnerabilities.  However, publishing proof-of-concept code often leads to criminals using the exploit for something malicious a short time after the publication.

The social engineering attack requires that users interact with the attack and could allow unauthorized disclosure of information, unauthorized modification, and/or disruption of service.

Threat Level

Warning:  Proof-of-concept code for a vulnerability has been published.

(A "warning" alert is for a situation that is currently occurring, or for which conditions are right for it to occur soon.)

Severity:  High. An exploit could potentially allow an attacker to take control of the affected system.

Because Adobe Reader is ubiquitous and because exploit code is publicly available, we will likely see attacks over the coming months that attempt to exploit this vulnerability.

Affected Software

  • Adobe Reader version 8.2.3 and prior
  • Adobe Reader versions 9.3.0 through 9.3.3
  • Adobe Acrobat (Standard, Pro, and 3D) versions 8.2.3 and prior
  • Adobe Acrobat (Standard, Pro, and 3D) versions 9.0.0 through 9.3.3

How Are Systems Compromised?

Opening a malicious PDF file can allow an attacker to remotely take complete control of your PC.

How Do I Protect My Computer?

Update Adobe Reader to version 9.3.4.  If for any reason you cannot upgrade to Adobe Reader 9, update Adobe Reader to version 8.2.4.

If you rely only on Microsoft Update to keep your PC up-to-date, be aware that Microsoft Update does not install patches for non-Microsoft products.

Adobe Reader has a built-in update mechanism.  The default configuration is to check for updates periodically.  Even if you have automatic updating enabled, you might want to manually cause Adobe Reader to check for updates instead of waiting for the scheduled update time.  From the Help menu in Adobe Reader, select Check for Updates.  Or download and install the update from ftp://ftp.adobe.com/pub/adobe/reader/win/9.x/9.3.4/misc or ftp://ftp.adobe.com/pub/adobe/reader/win/8.x/8.2.4/misc.

The update to Adobe Reader 9.3.4 is an incremental patch; you must have version 9.3.3 installed to be able to install the patch to 9.3.4.  It might take more than one patch installation to be fully up-to-date.  Keep checking for updates until no more are offered.

Adobe plans to release version 9.3.4 as a full installer to the Adobe Reader Download Center at http://get.adobe.com/reader/ on August 31.  This installer will be able to install version 9.3.4 from scratch or update any prior version of Adobe Reader 9.

Update Acrobat to version 9.3.4.  If you have Acrobat version 8, update to version 8.2.4.

Acrobat has the same update mechanism as Adobe Reader described above.

Make sure that Flash Player has been updated to version 10.1.82.76 or higher.

ITPS continues to recommend disabling Flash inside PDF files because of vulnerabilities such as this.  We already updated Flash Player for our Managed Care customers, but there is still a vulnerable version of Flash Player inside other Adobe products.  We have disabled Flash inside PDF at all our Managed Care customer sites.
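The following script is an added example, not ITPS's own tooling, that turns the version ranges in this bulletin into an inventory check: it classifies an installed Adobe Reader, Acrobat, or Flash Player version as "vulnerable" (inside the Affected Software ranges above), "patched" (at or above 9.3.4 / 8.2.4, or Flash 10.1.82.76), or "outdated" (an Adobe Reader 9 release below 9.3.0, which the bulletin does not list as affected but which the full 9.3.4 installer is meant to replace). The inventory lines, host names, and the "host,product,version" layout are constructed for the example; substitute the output of your own software-inventory tool.

```python
"""Classify installed Adobe Reader / Acrobat / Flash Player versions against
the ranges given in the ITPS bulletin of 8/19/2010 (added example)."""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Fixed versions named in the bulletin, keyed by product and major version.
FIXED = {
    "reader": {8: (8, 2, 4), 9: (9, 3, 4)},
    "acrobat": {8: (8, 2, 4), 9: (9, 3, 4)},
}
FLASH_FIXED: Version = (10, 1, 82, 76)

# Affected ranges (inclusive) exactly as listed under "Affected Software".
# "8.2.3 and prior" is taken as everything up to and including 8.2.3.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "reader": [((0,), (8, 2, 3)), ((9, 3, 0), (9, 3, 3))],
    "acrobat": [((0,), (8, 2, 3)), ((9, 0, 0), (9, 3, 3))],
}


def parse_version(text: str) -> Version:
    """'9.3.3' -> (9, 3, 3)."""
    return tuple(int(part) for part in text.strip().split("."))


def norm(v: Version, width: int = 4) -> Version:
    """Right-pad with zeros so 8.2.3 and 8.2.3.0 compare equal."""
    return tuple(v) + (0,) * (width - len(v))


def classify(product: str, version: str) -> str:
    """Return 'vulnerable', 'patched', 'outdated' or 'unknown'."""
    v = norm(parse_version(version))
    if product == "flash":
        # Bulletin: Flash Player must be 10.1.82.76 or higher.
        return "patched" if v >= norm(FLASH_FIXED) else "vulnerable"
    if product not in AFFECTED:
        return "unknown"
    for low, high in AFFECTED[product]:
        if norm(low) <= v <= norm(high):
            return "vulnerable"
    fixed = FIXED[product].get(v[0])
    if fixed is None:
        return "unknown"  # major version the bulletin does not cover
    # Not in a listed range but still below the fixed release (e.g. Reader 9.2.0):
    # the bulletin says the 9.3.4 installer updates any prior Reader 9 version.
    return "patched" if v >= norm(fixed) else "outdated"


# Constructed sample inventory: host,product,version (not real hosts).
SAMPLE_INVENTORY = """\
ws01,reader,9.3.3
ws02,reader,9.3.4
ws03,acrobat,9.1.0
ws04,reader,8.2.4
ws05,flash,10.1.53.64
ws06,reader,9.2.0
"""


def audit(inventory: str) -> Dict[str, str]:
    """Map each host in a CSV inventory to its classification."""
    results: Dict[str, str] = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, product, version = (p.strip() for p in line.split(","))
        results[host] = classify(product.lower(), version)
    return results


if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as "vulnerable" need the incremental patch (or the full installer once Adobe publishes it); "outdated" hosts are not in the listed ranges but should still be brought to 9.3.4 so that a single, current version is in use.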

More Information

Security Advisories
Adobe Security Bulletin for Adobe Reader and Acrobat: http://www.adobe.com/support/security/bulletins/apsb10-17.html
Adobe Security Bulletin for Flash Player vulnerability: http://www.adobe.com/support/security/bulletins/apsb10-06.html
National Vulnerability Database: CVE-2010-2862
National Vulnerability Database: CVE-2010-1240

Blogs
Adobe Product Security Incident Response Team:
http://blogs.adobe.com/psirt/2010/08/security-updates-released-for-adobe-reader-and-acrobat.html

Managed Services

Based on the criticality, IT Professional Services is performing an emergency deployment of the patches to all systems under Managed Care.

Professional Services

If you need assistance installing protection from this vulnerability or a security assessment, IT Professional Services can help. Call our help desk.

Find out more about our managed care service.

To find out how vulnerable your network is, schedule a free network security analysis today.

We at IT Professional Services (ITPS) hope that the information in this bulletin is valuable to you. ITPS believes the information provided herein is reliable. While care has been taken to ensure accuracy, your use of the information contained in this bulletin is at your sole risk. All information in this bulletin is provided "as-is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the bulletin are authored, recommended, supported or guaranteed by ITPS. ITPS shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.


© 2009-2013 IT Professional Services All rights are reserved.  (805) 650-6030