

   VULNERABILITY NOTE

 

CERT-In Vulnerability Note CIVN-2009-60
Adobe Reader JavaScript Vulnerabilities

Original Issue Date: April 30, 2009
Updated: May 13, 2009

Severity Rating: High

Systems Affected

  • Adobe Reader 9.x
  • Adobe Reader 8.x
  • Adobe Reader 7.x

Overview

Two vulnerabilities have been reported in Adobe Reader which could allow remote code execution.

Description

These vulnerabilities are caused by errors in processing calls to the getAnnots() and customDictionaryOpen() JavaScript methods. A specially crafted PDF file could exploit these errors to cause memory corruption. Successful exploitation of these vulnerabilities could allow remote code execution on the vulnerable system.

Note: Proof-of-concept exploit code is available on the Internet.

Workarounds

  • Disable JavaScript in Adobe Reader.
  • Do not open PDF documents received from untrusted sources or received unexpectedly from trusted sources.
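
The following triage check supports the workarounds above; it is an added example, not part of the CERT-In note or of Adobe's guidance. It flags PDF files that carry JavaScript or reference the two methods named in the Description, assuming scripts are stored plainly or in FlateDecode streams; the function names, verdict labels and sample bytes are constructed for illustration.

```python
import re
import zlib

# The two method names come from the advisory; the rest is illustrative.
SUSPECT_METHODS = (b"getAnnots", b"customDictionaryOpen")
JS_KEYS = (rb"/JavaScript(?![A-Za-z])", rb"/JS(?![A-Za-z])")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def decode_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in PDF names (/J#61vaScript -> /JavaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def expand_streams(data: bytes) -> bytes:
    """Return the raw bytes plus every stream body that inflates with zlib."""
    parts = [data]
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates the end-of-line bytes before "endstream"
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not FlateDecode or damaged; the raw bytes are still scanned
    return b"\n".join(parts)


def triage_pdf(data: bytes) -> dict:
    """Flag embedded JavaScript and references to the two affected methods."""
    view = decode_names(expand_streams(data))
    has_js = any(re.search(key, view) for key in JS_KEYS)
    methods = sorted(m.decode() for m in SUSPECT_METHODS if m in view)
    verdict = "block" if methods else "review" if has_js else "pass"
    return {"javascript": has_js, "methods": methods, "verdict": verdict}


def make_sample(script: bytes, js_key: bytes) -> bytes:
    """Constructed PDF-like bytes for the demo, not a complete document."""
    return b"".join([
        b"%PDF-1.4\n1 0 obj\n<< /S ", js_key, b" /JS 2 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n",
        zlib.compress(script), b"\nendstream\nendobj\n%%EOF\n"])


if __name__ == "__main__":
    print(triage_pdf(make_sample(b"var a = this.getAnnots();", b"/J#61vaScript")))
    print(triage_pdf(make_sample(b"app.alert('hi');", b"/JavaScript")))
```

A string match is only a triage signal: scripts stored behind other filters or encryption will not match, so a "pass" verdict does not show that a file is safe.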

Solution

Apply the appropriate updates as described in Adobe Security Bulletin APSB09-06.

Vendor Information

Adobe
http://blogs.adobe.com/psirt/2009/04/potential_adobe_reader_issue.html
http://blogs.adobe.com/psirt/2009/04/update_on_adobe_reader_issue.html

References

Adobe
http://blogs.adobe.com/psirt/2009/04/potential_adobe_reader_issue.html
http://blogs.adobe.com/psirt/2009/04/update_on_adobe_reader_issue.html

US-CERT
http://www.us-cert.gov/current/index.html#adobe_reader_javascript_function_vulnerability

VUPEN Security
http://www.vupen.com/english/advisories/2009/1061

SecurityFocus
http://www.securityfocus.com/bid/34736
http://www.securityfocus.com/brief/953

Secunia
http://secunia.com/advisories/34924/

SecurityTracker
http://www.securitytracker.com/alerts/2009/Apr/1022139.html

CVE Name
CVE-2009-1492
CVE-2009-1493

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003