Date: 04 November 2008
References: AA-2008.0127 ESB-2008.1040
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2008.0111 -- AUSCERT ALERT
[Win][Linux][Solaris][OSX]
Security Update available for Adobe Reader 8 and Acrobat 8
5 November 2008
===========================================================================
AusCERT Alert Summary
---------------------
Product: Adobe Reader 8
Adobe Acrobat 8
Publisher: Adobe
Operating System: Windows
Mac OS X
Linux variants
Solaris
Impact: Execute Arbitrary Code/Commands
Increased Privileges
Denial of Service
Reduced Security
Access: Remote/Unauthenticated
CVE Names: CVE-2008-2992 CVE-2008-2549 CVE-2008-4812
CVE-2008-4813 CVE-2008-4814 CVE-2008-4815
CVE-2008-4816 CVE-2008-4817
Ref: AA-2008.0127
Original Bulletin: http://www.adobe.com/support/security/bulletins/apsb08-19.html
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Update available for Adobe Reader 8 and Acrobat 8
Release date: November 4, 2008
Vulnerability identifier: APSB08-19
CVE number: CVE-2008-2992, CVE-2008-2549, CVE-2008-4812, CVE-2008-4813,
CVE-2008-4817, CVE-2008-4816, CVE-2008-4814, CVE-2008-4815
Platform: All Platforms
Summary
Critical vulnerabilities have been identified in Adobe Reader and Acrobat
8.1.2 and earlier versions. These vulnerabilities would cause the
application to crash and could potentially allow an attacker to take control
of the affected system.
Adobe Reader 9 and Acrobat 9 are not vulnerable to these issues. Adobe
recommends users of Acrobat 8 and Adobe Reader 8 who cant update to Adobe
Reader 9 install the 8.1.3 update to protect themselves from potential
vulnerabilities.
Affected software versions
Adobe Reader 8.1.2 and earlier versions
Adobe Acrobat Professional, 3D and Standard 8.1.2 and earlier versions
Solution
Adobe Reader
Adobe recommends Adobe Reader users update to Adobe Reader 9, available here:
http://www.adobe.com/go/getreader
Acrobat 8
Adobe recommends Acrobat 8 users on Windows update to Acrobat 8.1.3,
available here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
Adobe recommends Acrobat 8 users on Macintosh update to Acrobat 8.1.3,
available here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh
Adobe recommends Acrobat 3D Version 8 users on Windows update to Acrobat 3D
Version 8.1.3, available here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows
Severity rating
Adobe categorizes this as a critical issue and recommends that users apply
the update for their product installations.
Details
Critical vulnerabilities have been identified in Adobe Reader and Acrobat
8.1.2 and earlier versions. These vulnerabilities would cause the application
to crash and could potentially allow an attacker to take control of the
affected system.
Adobe recommends users of Acrobat and Adobe Reader update their product
installations using the instructions above to protect themselves from
potential vulnerabilities.
This update resolves multiple input validation errors that could potentially
lead to code execution. (CVE-2008-4812)
This update resolves multiple input validation issues that could potentially
lead to remote code execution. (CVE-2008-4813)
This update resolves an input validation issue in a JavaScript method that
could potentially lead to remote code execution. (CVE-2008-2992)
An input validation issue in the Download Manager used by Adobe Reader that
could potentially lead to remote code execution during the download process
has been resolved. (CVE-2008-4817)
A Windows-only issue in the Download Manager used by Adobe Reader that could
lead to a users Internet Security options being changed during the download
process has been resolved. (CVE-2008-4816)
This update resolves an input validation issue in a JavaScript method that
could potentially lead to remote code execution. (CVE-2008-4814)
This update resolves a potential Unix-only privilege escalation issue.
(CVE-2008-4815)
This update resolves a publicly-published denial of service issue.
(CVE-2008-2549)
Acknowledgments
Adobe would like to thank the following individuals and organizations for
reporting the relevant issues and for working with Adobe to help protect our
customers' security:
* Greg MacManus of iDefense Labs (CVE-2008-4812)
* Peter Vreugdenhil reported through TippingPoint's Zero Day Initiative,
Dyon Balding of Secunia Research, Will Dormann of CERT/CC, Damian
Frizza of Core Security Technologies, and Greg MacManus of iSIGHT
Partners Labs (CVE-2008-2992)
* Peter Vreugdenhil reported through iDefense (CVE-2008-4817)
* An anonymous contributor reported through iDefense (CVE-2008-4812)
* Javier Vicente Vallejo reported through TippingPoint's Zero Day
Initiative (CVE-2008-4813)
* Peter Vregdenhil reported through TippingPoint's Zero Day Initiative
(CVE-2008-4813)
* Thomas Garnier of SkyRecon Systems (CVE-2008-4814)
* Josh Bressers of Red Hat (CVE-2008-4815)
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBSRDa1ih9+71yA2DNAQJhUgP/XtohEhQIUkg/x7Md5zTOOHrq9XfNQeRy
yRzEnGf4zqNyJYxhjfBIDPHQzdnKcEYtfZQ0j5ht+leI9wzM7J23Oj2Twgy3aLF+
tukKGI9rvXQpJMV/xrAyiNVJwF4yzINCZfwLo+Vl1RYhCHelyaLaLU9aGMsAD4yP
mZekn3cnFRY=
=lCBE
-----END PGP SIGNATURE-----
|