December 9, 2016

Adobe Fixes Critical Vulnerabilities and Adds JavaScript Whitelisting to Adobe Reader and Acrobat

(LiveHacking.Com) – Adobe has released updates for Adobe Reader and Adobe Acrobat to address multiple critical vulnerabilities, including the zero-day Universal 3D (U3D) processing bug found last month. If exploited, these vulnerabilities could allow an attacker to cause a denial-of-service condition or take control of the affected system.

Details of the Critical fixes are:

  • Resolves a memory corruption vulnerability that could lead to code execution (CVE-2011-4370).
  • Resolves a heap corruption vulnerability that could lead to code execution (CVE-2011-4371).
  • Resolves a memory corruption vulnerability that could lead to code execution (CVE-2011-4372).
  • Resolves a memory corruption vulnerability that could lead to code execution (CVE-2011-4373).
  • These updates include fixes for CVE-2011-2462 and CVE-2011-4369, previously addressed in Adobe Reader and Acrobat 9.x for Windows as referenced in Security Bulletin APSB11-30.

It is also worth noting that these updates also include the Adobe Flash Player update as noted in Security Bulletin APSB11-28.

JavaScript whitelisting
Adobe also added a new feature to Adobe Reader and Acrobat X (10.1.2) and 9.5 called JavaScript whitelisting. In previous versions of Reader and Acrobat, administrators could disable the execution of JavaScript embedded in PDF files to protect against PDF files containing malicious JavaScript. However, such a blanket control breaks PDF-based workflows that rely on forms and JavaScript. In the new versions, execution of JavaScript in PDF files is based on document trust: if a document is trusted, JavaScript execution is allowed; if it is untrusted, Adobe Reader and Acrobat block all JavaScript execution. For more detail see Adobe's blog post.
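Before moving a fleet from "JavaScript disabled" to trust-based execution, an administrator needs to know which documents in a workflow actually carry JavaScript and so will need to be trusted. The following scanner is an added example written for this article, not Adobe's code: it looks for the PDF name tokens that reference JavaScript actions in the raw, uncompressed objects of a file, decoding the `#xx` escapes that can disguise a name, and flags files that use object streams, where a raw scan cannot see the names. The two sample PDFs are constructed inline.

```python
import re

# PDF name tokens that indicate embedded JavaScript or an auto-run trigger.
JS_MARKERS = ("/JavaScript", "/JS", "/OpenAction", "/AA")

def _decode_name_escapes(data: bytes) -> bytes:
    """Expand #xx hex escapes inside PDF names, so /J#53 is seen as /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def pdf_javascript_markers(data: bytes) -> dict:
    """Count each marker in the uncompressed objects of a PDF file."""
    text = _decode_name_escapes(data)
    counts = {}
    for name in JS_MARKERS:
        # A name ends at whitespace or a delimiter, so /JS does not match /JSX.
        pattern = re.escape(name.encode()) + rb"(?=[\s/\[\]<>(){}%]|$)"
        counts[name] = len(re.findall(pattern, text))
    return counts

def has_embedded_javascript(data: bytes) -> bool:
    """True when the file carries a JavaScript action or a /JS entry."""
    c = pdf_javascript_markers(data)
    return c["/JavaScript"] > 0 or c["/JS"] > 0

def has_object_streams(data: bytes) -> bool:
    """Objects inside /ObjStm are compressed; a raw scan can miss names there."""
    return re.search(rb"/Type\s*/ObjStm", data) is not None

# Constructed minimal PDFs (not real documents): one with an OpenAction that
# runs JavaScript, with the /JS key hex-escaped as /J#53, and one without.
SAMPLE_WITH_JS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /JavaScript /J#53 (app.alert("constructed sample")) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
SAMPLE_PLAIN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, pdf in (("with-js", SAMPLE_WITH_JS), ("plain", SAMPLE_PLAIN)):
        print(label, has_embedded_javascript(pdf), pdf_javascript_markers(pdf),
              "objstm-present" if has_object_streams(pdf) else "")
```

A file that reports object streams should be inflated (for example with a PDF library) before the counts are trusted, since the JavaScript may sit inside the compressed stream.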

Affected versions

  • Adobe Reader X (10.1.1) and earlier 10.x versions for Windows and Macintosh
  • Adobe Reader 9.4.7 and earlier 9.x versions for Windows
  • Adobe Reader 9.4.6 and earlier 9.x versions for Macintosh
  • Adobe Acrobat X (10.1.1) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat 9.4.7 and earlier 9.x versions for Windows
  • Adobe Acrobat 9.4.6 and earlier 9.x versions for Macintosh

Adobe recommends users of Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh update to Adobe Reader X (10.1.2). For users of Adobe Reader 9.4.7 and earlier versions for Windows and Macintosh, who cannot update to Adobe Reader X (10.1.2), Adobe has made available the update Adobe Reader 9.5. The next quarterly security updates for Adobe Reader and Acrobat are currently scheduled for April 10, 2012.