ŹRÓDŁO: US CERT & ADOBE SECURITY TEAM.
Release date: June 9, 2009
Vulnerability identifier: APSB09-07
CVE number: CVE-2009-0198, CVE-2009-0509, CVE-2009-0510, CVE-2009-0511, CVE-2009-0512, CVE-2009-0888, CVE-2009-0889, CVE-2009-1855, CVE-2009-1856, CVE-2009-1857, CVE-2009-1858, CVE-2009-1859, CVE-2009-1861
Platform: All Platforms
Summary
Critical vulnerabilities have been identified in Adobe Reader 9.1.1 and Acrobat 9.1.1 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe recommends users of Adobe Reader 9 and Acrobat 9 and earlier versions update to Adobe Reader 9.1.2 and Acrobat 9.1.2. Adobe recommends users of Acrobat 8 update to Acrobat 8.1.6, and users of Acrobat 7 update to Acrobat 7.1.3. For Adobe Reader users who can’t update to Adobe Reader 9.1.2, Adobe has provided the Adobe Reader 8.1.6 and Adobe Reader 7.1.3 updates. Updates apply to Windows and Macintosh. Security updates for Adobe Reader on the UNIX platform will be available on June 16, 2009; this Bulletin will be updated to reflect their availability on that date.
This update incorporates the initial output of code hardening efforts discussed in a May 20 Adobe ASSET (Adobe Secure Software Engineering Team) blog post, as well as externally reported issues, as detailed below.
Affected software versions
Adobe Reader 9.1.1 and earlier versions
Adobe Acrobat Standard, Pro, and Pro Extended 9.1.1 and earlier versions
Solution
Adobe Reader
Adobe Reader users on Windows can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.
Adobe Reader users on Macintosh can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh.
Acrobat
Acrobat Standard, Pro and Pro Extended users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows.
Acrobat 3D users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows.
Acrobat Pro users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh.
Severity rating
Adobe categorizes this as a critical update and recommends that users apply the update for their product installations.
Details
Critical vulnerabilities have been identified in Adobe Reader 9.1.1 and Acrobat 9.1.1 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe recommends users of Adobe Reader and Acrobat update their product installations to versions 9.1.2, 8.1.6, or 7.1.3 using the instructions above to protect themselves from potential vulnerabilities. The above updates apply to Windows and Macintosh. Security updates for Adobe Reader on the UNIX platform will be available on June 16, 2009; this Bulletin will be updated to reflect their availability on that date.
This update resolves a stack overflow vulnerability that could potentially lead to code execution (CVE-2009-1855).
This update resolves an integer overflow that leads to a Denial of Service (DoS); arbitrary code execution has not been demonstrated, but may be possible (CVE-2009-1856).
This update resolves a memory corruption vulnerability that leads to a Denial of Service (DoS); arbitrary code execution has not been demonstrated, but may be possible (CVE-2009-1857).
This update resolves a memory corruption vulnerability in the JBIG2 filter that could potentially lead to code execution (CVE-2009-1858).
This update resolves a memory corruption vulnerability that could potentially lead to code execution (CVE-2009-1859).
This update resolves a memory corruption vulnerability in the JBIG2 filter that leads to a Denial of Service (DoS); arbitrary code execution has not been demonstrated, but may be possible (CVE-2009-0198).
This update resolves multiple heap overflow vulnerabilities in the JBIG2 filter that could potentially lead to code execution (CVE-2009-0509, CVE-2009-0510, CVE-2009-0511, CVE-2009-0512, CVE-2009-0888, CVE-2009-0889).
This update resolves multiple heap overflow vulnerabilities that could potentially lead to code execution (CVE-2009-1861).
Additionally, this update resolves Adobe internally discovered issues.