JPCERT-AT-2011-0025 JPCERT/CC 2011-09-14 <<< JPCERT/CC Alert 14.09.11 >>> Vulnerabilities in Adobe Reader and Acrobat https://www.jpcert.or.jp/at/2011/at110025.txt I. Overview Multiple vulnerabilities exist in Adobe Acrobat Reader, a PDF file viewing software, and Adobe Acrobat, a PDF file creation and conversion software. As a result, a remote attacker could terminate Adobe Reader and Acrobat or execute arbitrary code by convincing a user to open a specially crafted PDF file. Adobe Security Bulletins APSB11-24 Security updates available for Adobe Reader and Acrobat http://www.adobe.com/jp/support/security/bulletins/apsb11-24.html http://www.adobe.com/support/security/bulletins/apsb11-24.html This update also fixes the Adobe Flash Player vulnerabilities fixed by APSB11-21. For more information, refer to the following website: APSB11-21: Security update available for Adobe Flash Player http://kb2.adobe.com/jp/cps/914/cpsid_91448.html http://www.adobe.com/support/security/bulletins/apsb11-21.html * When reading in a trusted root certificate via automatic updating functions, etc., applying this updated software will automatically remove DigiNotar's root certificate (DigiNotar Qualified CA) from the list of trusted root certificates in Adobe Reader X (10.x) and Acrobat X (10.x). A trusted root certificate automatic updating function is planned for Adobe Reader 9.x and Acrobat 9.x, but until this function is added, list removal must be performed manually. For more information, refer to the Adobe Systems website. Information Regarding Adobe Reader & Acrobat and the Removal of DigiNotar from the Adobe Approved Trust List http://blogs.adobe.com/security/2011/09/diginotarremovalaatl.html DigiNotar removed from Adobe Approved Trust List (AATL) http://blogs.adobe.com/psirt/2011/09/diginotar-removed-from-adobe-approved-trust-list-aatl.html II. Products Affected Affected products and versions are as follows: - Adobe Reader X (10.1) and earlier - Adobe Reader 9.4.5 and earlier - Adobe Reader 8.3 and earlier - Adobe Acrobat X (10.1) and earlier - Adobe Acrobat 9.4.5 and earlier - Adobe Acrobat 8.3 and earlier * Support for Windows versions of Adobe Reader 8.x and Acrobat 8.x will end on November 3, 2011 (US time). For more information, refer to the Adobe Systems website. III. Solution Apply the corrected software provided by Adobe Systems. Adobe Reader and Acrobat will be updated by starting the products, selecting the menu Help (H), and then clicking Check for Updates (U). If updating is not possible, download the latest Adobe Reader and Acrobat from the following URL: Adobe.com - New downloads http://www.adobe.com/support/downloads/new.jsp For more information, refer to the Adobe Systems website. IV. References Adobe Security Bulletins APSB11-24 Security updates available for Adobe Reader and Acrobat http://www.adobe.com/support/security/bulletins/apsb11-24.html Adobe - APSB11-21: Security update available for Adobe Flash Player http://kb2.adobe.com/jp/cps/914/cpsid_91448.html http://www.adobe.com/support/security/bulletins/apsb11-21.html JPCERT/CC Alert 2011-08-10 Vulnerabilities in Adobe Flash Player https://www.jpcert.or.jp/at/2011/at110022.html https://www.jpcert.or.jp/english/at/2011/at110022.html If you have any further questions or information regarding this alert, please contact JPCERT/CC. ====================================================================== JPCERT Coordination Center (JPCERT/CC) MAIL: info@jpcert.or.jp TEL: +81-3-3518-4600 FAX: +81-3-3518-4602 https://www.jpcert.or.jp/english/