                                                   JPCERT-AT-2011-0034
                                                             JPCERT/CC
                                            2011-12-19 (First edition)
                                                  2011-12-19 (Updated)

                  <<< JPCERT/CC Alert 19.12.11 >>>

             Vulnerabilities in Adobe Reader and Acrobat

            https://www.jpcert.or.jp/at/2011/at110034.txt


I. Overview

  Multiple vulnerabilities exist in Adobe Acrobat Reader, a PDF file 
viewing software, and Adobe Acrobat, a PDF file creation and 
conversion software. As a result, a remote attacker could terminate 
Adobe Reader and Acrobat or execute arbitrary code by convincing a 
user to open a specially crafted PDF file. Adobe Systems has already 
observed targeted attacks exploiting these vulnerabilities. 
  Users are recommended to update to the corrected software provided 
by Adobe Systems.
  For Adobe Reader/Acrobat X, which mitigates the problem through its 
protection function, a fix will be provided with the next regular 
security update (on January 10, 2012, local time).

    Adobe Security Bulletins APSB11-30
    Security updates available for Adobe Reader and Acrobat 9.x for Windows
    http://www.adobe.com/support/security/bulletins/apsb11-30.html

  The security updates also contain a fix to the vulnerability of 
Adobe Flash Player that was fixed with APSB11-28. For more information, 
refer to the following website:

    Adobe Security bulletin APSB11-28
    Security update available for Adobe Flash Player 
    http://www.adobe.com/support/security/bulletins/apsb11-28.html


II. Products Affected

  Affected products and versions are as follows:

  - Adobe Reader X (10.1.1) and earlier
  - Adobe Reader 9.4.6 and earlier
  - Adobe Acrobat X (10.1.1) and earlier
  - Adobe Acrobat 9.4.6 and earlier

For more information, refer to Adobe Systems' website.


III. Solution

  For Adobe Reader/Acrobat 9.4.6 or earlier versions, apply the fixed 
software provided by Adobe Systems. Adobe Reader and Acrobat will be 
updated by starting the products, selecting the menu Help (H), and 
then clicking Check for Updates (U).

  If update is not possible, download the latest Adobe Reader and 
Acrobat from the following URL:

    Adobe.com - New downloads
    http://www.adobe.com/support/downloads/new.jsp

  Users using Adobe Reader/Acrobat X (10.1.1) or earlier should refer 
to the workaround described in APSA11-04 and confirm that the 
protection function is enabled.

    APSA11-04: Security Advisory for Adobe Reader and Acrobat
    http://kb2.adobe.com/jp/cps/926/cpsid_92600.html
    http://www.adobe.com/support/security/advisories/apsa11-04.html

  For more information, refer to Adobe Systems' website.

  Many of the targeted attacks that have occurred recently have 
exploited known vulnerabilities, and most damage could have been 
prevented by applying security updates. Since these vulnerabilities 
are also being exploited in some targeted attacks, security updates 
should be applied as soon as possible.


IV. Result of JPCERT/CC Verification

  JPCERT/CC has obtained the malware exploiting these vulnerabilities,
verified its behavior in the following environment, and confirmed that
the malware does not function with the latest version of Adobe Reader 
and Acrobat.

  [Verification environment]
    Windows XP SP3
    Adobe Reader 9.4.7
    Adobe Acrobat 9.4.7

  [Malware used in verification]
    Hash value of malware: 721fda5df552f4130218ad9bd2a4ab78 (MD5)

  [Verification result]
    The malware has been confirmed not to function in the above 
    environment.

  [Anti-virus software detection results]
    Scanning results of anti-virus software as of 9:00 AM, December 19, 2011.
    * The detection results are not results from opening files.

    Malware detection results:
      - Kaspersky   : Exploit.JS.CVE-2011-2462.a,Exploit.Win32.Pidief.def
      - Symantec    : Bloodhound.Exploit.439
      - Trend Micro : TROJ_PIDIEF.EGG
      - Microsoft   : Undetected
      - McAfee      : Exploit-CVE2011-2462


V. References

    Adobe Security bulletin APSB11-30
    Security updates available for Adobe Reader and Acrobat 9.x for Windows 
    http://kb2.adobe.com/jp/cps/927/cpsid_92703.html
    http://www.adobe.com/support/security/bulletins/apsb11-30.html

    Adobe Security bulletin APSB11-28
    Security update available for Adobe Flash Player 
    http://www.adobe.com/support/security/bulletins/apsb11-28.html

    JPCERT/CC Alert 2011-11-11
    Vulnerabilities in Adobe Flash Player
    https://www.jpcert.or.jp/at/2011/at110030.html
    http://www.jpcert.or.jp/english/at/2011/at110030.html

    JPCERT-AT-2011-0028
    Targeted Email Attacks
    https://www.jpcert.or.jp/at/2011/at110028.html
    http://www.jpcert.or.jp/english/at/2011/at110028.html

    JVNTA11-350A
    Multiple Vulnerabilities in Adobe Products (Japanese) 
    https://jvn.jp/cert/JVNTA11-350A/index.html

  If you have any further questions or information regarding this 
alert, please contact JPCERT/CC.

________
Revision history
2011-12-19 First edition
2011-12-19 Link to Adobe Systems Changed to the Japanese version

======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600  FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/