MA-294.122011 : MyCERT Alert - A Critical Vulnerability in Adobe Reader and Adobe Acrobat

Date of publication: 2011-12-07

1.0 Introduction

A critical vulnerability has been identified in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh. This vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system. [1] According to Adobe, there are reports that the vulnerability is being actively exploited in limited, targeted attacks in the wild against Adobe Reader 9.x on Windows.

Risk for Adobe Reader X users is significantly lower, as Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit of this kind from executing.

2.0 Impact

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Acrobat and Adobe Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. [2]

3.0 Affected Products

Below is the list of vulnerable products:

• Adobe Reader X (10.1.1) and earlier 10.x versions for Windows and Macintosh
• Adobe Reader 9.4.6 and earlier 9.x versions for Windows, Macintosh and UNIX
• Adobe Acrobat X (10.1.1) and earlier 10.x versions for Windows and Macintosh
• Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows and Macintosh

4.0 Recommendation

As of the writing of this advisory, Adobe has not released any security patches for this vulnerability. However, users can use the following steps as a temporary workaround:

Upgrade to the latest Adobe Reader X or Adobe Acrobat X and enable the Adobe Reader X Protected Mode and Adobe Acrobat X Protected View

• To verify Protected View for Acrobat X is enabled, go to:
  Edit > Preferences > Security (Enhanced) and ensure "Files from potentially unsafe locations" or "All files" with "Enable Enhanced Security" are checked.
  
  
  
  
• To verify Protected Mode for Adobe Reader X is enabled, go to:
  Edit > Preferences > General and verify that "Enable Protected Mode at startup" is checked.

• Open Your Adobe Acrobat or Adobe Reader software
  
• Navigate to Edit -> Preferences -> JavaScript
  
• Select 'uncheck' the Enable Acrobat JavaScript.
• Close the Adobe Acrobat or Adobe Reader Software for change to take effect.
  
  
  
  

Utilize Enhanced Mitigation Experience Toolkit

• Windows users are advised to use Enhanced Mitigation Experience Toolkit (EMET) and change your profile into "Maximum Security Settings" under "Configure System" menu. Learn more on Protecting Your Windows Computer with Enhanced Mitigation Experience Toolkit (EMET) at the following URL:

  http://www.mycert.org.my/en/resources/os/main/main/detail/792/index.html

Users are also recommended to browse the Internet & using the vulnerable version of the products with least privilege user to limit the execution of the malicious file and do not open attachment or browse to unknown website received via email from unknown person or unexpected.

MyCERT advises users of the products mentioned in this advisory to keep themselves updated with the latest security announcements from the products' vendor. MyCERT can be reached through the following channels:

E-mail : mycert@mycert.org.my
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT to 15888
Business Hours : Mon - Fri 08:30 -17:30 MYT
Web: http://www.mycert.org.my

5.0 References

• https://www.adobe.com/support/security/advisories/apsa11-04.html
• http://blogs.adobe.com