Buffer Overflow: Adobe Reader/Acrobat
Chachazz
Potential Adobe Reader Issue
April 27, 2009
Adobe is aware of reports of a potential vulnerability in Adobe Reader 9.1 and 8.1.4, as described in SecurityFocus BID 34736. We are currently investigating, and will have an update once we get more information.
http://blogs.adobe.com/psirt/

Relates to this:
Adobe Reader 'getAnnots()' Javascript Function Remote Code Execution Vulnerability
Bugtraq ID: 34736
Class: Boundary Condition Error
CVE:
Remote: Yes
Local: No
Published: Apr 27 2009 12:00AM
Updated: Apr 27 2009 07:46PM
Credit: Arr1val
Vulnerable: Adobe Acrobat Reader 8.1.4
Adobe Acrobat Reader 9.1
http://www.securityfocus.com/bid/34736/info

Chachazz
Update on Adobe Reader Issue
April 28, 2009

This is an update on the Adobe Reader vulnerability first discussed on the Adobe PSIRT blog on April 27 (“Potential Adobe Reader Issue”).

All currently supported shipping versions of Adobe Reader and Acrobat (Adobe Reader and Acrobat 9.1, 8.1.4, and 7.1.1 and earlier versions) are vulnerable to this issue.

Adobe plans to provide updates for all supported versions for all platforms (Windows, Macintosh and Unix) to resolve this issue. We are working on a development schedule for these updates and will post a timeline as soon as possible. We are currently not aware of any reports of exploits in the wild for this issue.

To mitigate the issue disable JavaScript in Adobe Reader and Acrobat using the following instructions below:
1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option
5. Click OK

In addition, Adobe is in contact with Antivirus and Security vendors on this issue in order to ensure the security of our mutual customers.

Adobe is also currently investigating the issue posted on SecurityFocus as BID 34740.

We will continue to provide updates on these issues via the Security Advisory section of the Adobe web site, as well as the Adobe PSIRT blog.

Adobe Product Security Incident Response Team (PSIRT)

Chachazz
Buffer overflow issues in Adobe Reader and Acrobat
Release date: May 1, 2009

Vulnerability identifier: APSA09-02
CVE number: CVE-2009-1492, CVE-2009-1493
Platform: All Platforms

Summary
A critical vulnerability has been identified in Adobe Reader 9.1 and Acrobat 9.1 and earlier versions. This vulnerability (CVE-2009-1492) would cause the application to crash and could potentially allow an attacker to take control of the affected system. A second vulnerability has also been reported that appears to affect Adobe Reader for Unix only (CVE-2009-1493).

Adobe is planning to release product updates to Adobe Reader and Acrobat to resolve the relevant security issues. Adobe expects to make available Windows updates for Adobe Reader versions 9.X, 8.X, and 7.X and Acrobat versions 9.X, 8.X, and 7.X, Macintosh updates for Adobe Reader versions 9.X and 8.X and Acrobat versions 9.X and 8.X, as well as Adobe Reader for Unix versions 9.X and 8.X, by May 12th, 2009. The Adobe Reader for Unix updates will resolve both security issues. A security bulletin will be published at http://www.adobe.com/support/security as soon as product updates are available.

In the meantime, to mitigate the issue disable JavaScript in Adobe Reader and Acrobat using the following instructions below:
1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option
5. Click OK

Adobe is currently not aware of any reports of exploits in the wild for these issues.

Users may monitor the latest information on the Adobe Product Security Incident Response Team blog at the following URL: http://blogs.adobe.com/psirt
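
A triage sketch for the period before the updates ship, added here as an example and not taken from Adobe or the posts above: it flags PDFs that carry JavaScript at all and notes whether the `getAnnots` name from the BID 34736 title appears, including inside Flate-compressed streams. The function names and the sample document are constructed for illustration.

```python
import re
import zlib

# Name objects that mark script in a PDF: /JS and /JavaScript carry code,
# /OpenAction and /AA trigger an action without a click.
NAMES = ("JS", "JavaScript", "OpenAction", "AA")
API = b"getAnnots"  # API name from the BID 34736 title on this page
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
NAME_RE = re.compile(rb"/([A-Za-z0-9#]+)")


def decode_name(raw: bytes) -> str:
    """Undo #xx hex escapes so '/J#53' is counted as '/JS'."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def inflate_streams(data: bytes):
    """Yield stream bodies, inflated when they are valid zlib (FlateDecode)."""
    for m in STREAM_RE.finditer(data):
        body = m.group(1)
        try:
            body = zlib.decompressobj().decompress(body)
        except zlib.error:
            pass  # not Flate, or damaged: scan the raw bytes instead
        yield body


def triage(data: bytes) -> dict:
    """Count script-related names and report whether the API name appears."""
    counts = {n: 0 for n in NAMES}
    for m in NAME_RE.finditer(data):
        name = decode_name(m.group(1))
        if name in counts:
            counts[name] += 1
    api_hit = API in data or any(API in s for s in inflate_streams(data))
    return {"names": counts, "calls_getAnnots": api_hit,
            "has_script": counts["JS"] + counts["JavaScript"] > 0}


def sample_pdf() -> bytes:
    """Constructed, benign sample: an escaped /JS name and one Flate stream."""
    script = zlib.compress(b"var a = this.getAnnots();")
    return (b"%PDF-1.4\n1 0 obj\n<< /OpenAction 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /S /JavaScript /J#53 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /Filter /FlateDecode /Length " + str(len(script)).encode() +
            b" >>\nstream\n" + script + b"\nendstream\nendobj\n%%EOF\n")
```

A hit only means the file contains script or mentions the API name, which legitimate forms also do. Object streams, other filters and encrypted files are not unpacked here, so a clean result is not proof of absence.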