Thursday, October 7, 2010

Adobe Security Advisory

The definition of a "Critical" rating on the Adobe Severity Rating System is: "A vulnerability, which, if exploited would allow malicious native-code to execute, potentially without a user being aware."

Security bulletin

Security Advisory for Adobe Reader and Acrobat

Release date: September 8, 2010

Last updated: October 5, 2010

Vulnerability identifier: APSA10-02

CVE number: CVE-2010-2883

Platform: All

Summary

A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild.

A fix is now available for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh as of Tuesday, October 5, 2010. Please refer to Security Bulletin APSB10-21.

Affected software versions

  • Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX
  • Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh

Severity rating

Adobe categorizes this as a critical issue.

Acknowledgments

Adobe would like to thank Mila Parkour of http://contagiodump.blogspot.com for working on this issue with Adobe to help protect our customers.

Revisions

October 5, 2010 - Updated with information on Security Bulletin APSB10-21
September 13, 2010 - Updated information on the release schedule, and that the releases represent the next quarterly security update (originally scheduled for October 12, 2010).
September 10, 2010 - Added the Mitigations section with instructions for a mitigation option for Windows users.
September 8, 2010 - Advisory released.
