yet another - US-CERT Technical Cyber Security Alert TA09-051A -- Adobe Acrobat and Reader Vulnerability

Here we go again, another Adobe Reader vulnerability.... NOTE that JAVA is
instrumental in this vulnerability... and note the reg entry modification if
you are still using Adobe Reader.

NOTE: the regedit example is for NT/XP/VISTA [version 5 - - 9X = REGEDIT4]

IF you need an alternative and are willing to give up all the nifty
functions{vulnerabilities} of Adobe or even Foxit, you can try SumatraPDF
[plain pdf viewing with primitive interface, and may not open all pdf
versions or formats].

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Alert System

Technical Cyber Security Alert TA09-051A


Adobe Acrobat and Reader Vulnerability

Original release date: February 20, 2009
Last revised: --
Source: US-CERT


Systems Affected

* Adobe Reader version 9 and earlier
* Adobe Acrobat (Professional, 3D, and Standard) version 9 and earlier


Overview

Adobe has released Security Bulletin APSB09-01, which describes a
vulnerability that affects Adobe Reader and Acrobat. This
vulnerability could allow a remote attacker to execute arbitrary
code.


I. Description

Adobe Security Bulletin APSB09-01 describes a memory-corruption
vulnerability that affects Adobe Reader and Acrobat. Further
details are available in Vulnerability Note VU#905281. An attacker
could exploit these vulnerabilities by convincing a user to load a
specially crafted Adobe Portable Document Format (PDF) file.
Acrobat integrates with popular web browsers, and visiting a
website is usually sufficient to cause Acrobat to load PDF content.


II. Impact

An attacker may be able to execute arbitrary code.


III. Solution

Disable JavaScript in Adobe Reader and Acrobat

Disabling Javascript may prevent some exploits from resulting in
code execution. Acrobat JavaScript can be disabled using the
Preferences menu (Edit - Preferences - JavaScript and un-check
Enable Acrobat JavaScript).


Prevent Internet Explorer from automatically opening PDF documents

The installer for Adobe Reader and Acrobat configures Internet
Explorer to automatically open PDF files without any user
interaction. This behavior can be reverted to the safer option of
prompting the user by importing the following as a .REG file:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00


Disable the display of PDF documents in the web browser

Preventing PDF documents from opening inside a web browser will
partially mitigate this vulnerability. If this workaround is
applied it may also mitigate future vulnerabilities. To prevent PDF
documents from automatically being opened in a web browser, do the
following:
1. Open Adobe Acrobat Reader.
2. Open the Edit menu.
3. Choose the preferences option.
4. Choose the Internet section.
5. Un-check the "Display PDF in browser" check box.


Do not access PDF documents from untrusted sources

Do not open unfamiliar or unexpected PDF documents, particularly
those hosted on web sites or delivered as email attachments. Please
see Cyber Security Tip ST04-010.


IV. References

* Adobe Security Bulletin apsa09-01 -
http://www.adobe.com/support/security/advisories/apsa09-01.html

* Securing Your Web Browser -
http://www.us-cert.gov/reading_room/securing_browser/

* Vulnerability Note VU#905281 -
http://www.kb.cert.org/vuls/id/905281

__________________________________________________ __________________

The most recent version of this document can be found at:

http://www.us-cert.gov/cas/techalerts/TA09-051A.html
__________________________________________________ __________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to with "TA09-051A Feedback VU#905281" in
the subject.
__________________________________________________ __________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit http://www.us-cert.gov/cas/signup.html.
__________________________________________________ __________________

Produced 2009 by US-CERT, a government organization.

Terms of use:

http://www.us-cert.gov/legal.html
__________________________________________________ __________________

Revision History

February 20, 2009: Initial release


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBSZ8ayXIHljM+H4irAQIUcAf+M01pEVt0f1ZdRvCQwS Yw1efnHu4YGdhI
xT27jeKvaW/h6ghGx0L9YWCSn/A2LY3D+fDU1PZmWi7TT/SMEQ8LvKomyCu026Dv
fD63qIXYj3NoPu11bINKFX4HFQCOYWKuM/58Y8mDQXOg0RLhePfMhMbB/S5/xpNT
J09FupEgMvbD+tjVILP+W8JSY4YtAxUJLHfB7cTTHGtlKZyAsn nmJM3Oi4au10DW
vqZD8JefoMLeV2MTGRyP4HGTaRxVY1+yucXO1KBGnKX7otCRkC WOupEuKw+tIEkT
YsYIlkH5MzftkesSEDpDMIAiIE+uprJRv2HGkc38Rhbs/03JyxxVlA==
=HSro
-----END PGP SIGNATURE-----

MEB wrote:

Here we go again, another Adobe Reader vulnerability....

And as usual, I'm very suspicious about win-98 vulnerability, especially
when the most specific information being published so far is this:

"A critical vulnerability has been identified in Adobe Reader 9 and
Acrobat 9 and earlier versions."

Unless Adobe (or someone else) confirms that Acrobat 6 is vulnerable,
then I'm going to assume it's not. I don't think that Acrobat 7, 8 or 9
runs on 98. Adobe has announced updates will be made available for 7, 8
and 9, but is silent about 6.

I've been looking for example code, (milworm, etc) but haven't seen any.

NOTE that JAVA is instrumental in this vulnerability...

I've been runing NoScript for about 6 months on one win-98 PC, and in
general have found it a real pain. I end up "enabling all" on any web
page that gives me the slightest hint of operability problems. In
particular, NoScript ALWAYS prevents downloading / viewing of any PDF
file (not sure why).

MEB wrote:

Here we go again, another Adobe Reader vulnerability....

And as usual, I'm very suspicious about win-98 vulnerability, especially
when the most specific information being published so far is this:

"A critical vulnerability has been identified in Adobe Reader 9 and
Acrobat 9 and earlier versions."

Unless Adobe (or someone else) confirms that Acrobat 6 is vulnerable,
then I'm going to assume it's not. I don't think that Acrobat 7, 8 or 9
runs on 98. Adobe has announced updates will be made available for 7, 8
and 9, but is silent about 6.

I've been looking for example code, (milworm, etc) but haven't seen any.

NOTE that JAVA is instrumental in this vulnerability...

I've been runing NoScript for about 6 months on one win-98 PC, and in
general have found it a real pain. I end up "enabling all" on any web
page that gives me the slightest hint of operability problems. In
particular, NoScript ALWAYS prevents downloading / viewing of any PDF
file (not sure why).

"98 Guy" wrote in message ...
MEB wrote:

Here we go again, another Adobe Reader vulnerability....

And as usual, I'm very suspicious about win-98 vulnerability, especially
when the most specific information being published so far is this:

"A critical vulnerability has been identified in Adobe Reader 9 and
Acrobat 9 and earlier versions."

Unless Adobe (or someone else) confirms that Acrobat 6 is vulnerable,
then I'm going to assume it's not. I don't think that Acrobat 7, 8 or 9
runs on 98. Adobe has announced updates will be made available for 7, 8
and 9, but is silent about 6.

The silence holds, because, as everywhere, you aren't supposed to be using
it.
Readers beyond 6 attempted to correct the inherent vulnerabilities and
issues found in Reader 6, and added their own...

Doesn't make much sense to just ignore the ^6 vulnerabilities,,, just
because no one specifically includes an outdated and unsupported Reader
[support stopped several years ago...] in their warnings by specific
mention. The JAVA included and supported activities are what make the 6 [and
above] version vulnerable [among the other potentials].
It would be like using Sun's earlier JAVA versions filled with well known
vulnerabilities, and expecting to be protected. You are more protected using
Microsoft's limited default version, because it doesn't support all the new
aspects of the newer JAVA coding, hence the newer vulnerabilities and
attacks *can't* work. Of course, that also limits what DOES work [sitewise]
as well.
You certainly can't expect going to a heavy JAVA scripted site and expect
to view the movies, run the games, or the other, that require a newer JAVA
version just to function.


I've been looking for example code, (milworm, etc) but haven't seen any.

NOTE that JAVA is instrumental in this vulnerability...

I've been runing NoScript for about 6 months on one win-98 PC, and in
general have found it a real pain. I end up "enabling all" on any web
page that gives me the slightest hint of operability problems. In
particular, NoScript ALWAYS prevents downloading / viewing of any PDF
file (not sure why).

The PDF format [Reader 6 and up] is KNOWN for the ability to hold
scripting, JAVA, VBS, and other attack possibilities.

No Script is designed to limit activities to a *specific SITE* in the
**BROWSER** [Firefox and Opera - yes supposedly installable], off site
activities must be *individually allowed*. It also attempts to block other
potential issues, so if you need something else, try setting up the
Options... or uninstall it...

Most sensible people advise DOWNLOADING the PDF and viewing WHILE OFF LINE
to potentially block some of the hacks now used within PDFs.

--
~
--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Diagnostics, Security, Networking
http://peoplescounsel.org
The *REAL WORLD* of Law, Justice, and Government
_______

"98 Guy" wrote in message ...
MEB wrote:

Here we go again, another Adobe Reader vulnerability....

And as usual, I'm very suspicious about win-98 vulnerability, especially
when the most specific information being published so far is this:

"A critical vulnerability has been identified in Adobe Reader 9 and
Acrobat 9 and earlier versions."

Unless Adobe (or someone else) confirms that Acrobat 6 is vulnerable,
then I'm going to assume it's not. I don't think that Acrobat 7, 8 or 9
runs on 98. Adobe has announced updates will be made available for 7, 8
and 9, but is silent about 6.

The silence holds, because, as everywhere, you aren't supposed to be using
it.
Readers beyond 6 attempted to correct the inherent vulnerabilities and
issues found in Reader 6, and added their own...

Doesn't make much sense to just ignore the ^6 vulnerabilities,,, just
because no one specifically includes an outdated and unsupported Reader
[support stopped several years ago...] in their warnings by specific
mention. The JAVA included and supported activities are what make the 6 [and
above] version vulnerable [among the other potentials].
It would be like using Sun's earlier JAVA versions filled with well known
vulnerabilities, and expecting to be protected. You are more protected using
Microsoft's limited default version, because it doesn't support all the new
aspects of the newer JAVA coding, hence the newer vulnerabilities and
attacks *can't* work. Of course, that also limits what DOES work [sitewise]
as well.
You certainly can't expect going to a heavy JAVA scripted site and expect
to view the movies, run the games, or the other, that require a newer JAVA
version just to function.


I've been looking for example code, (milworm, etc) but haven't seen any.

NOTE that JAVA is instrumental in this vulnerability...

I've been runing NoScript for about 6 months on one win-98 PC, and in
general have found it a real pain. I end up "enabling all" on any web
page that gives me the slightest hint of operability problems. In
particular, NoScript ALWAYS prevents downloading / viewing of any PDF
file (not sure why).

The PDF format [Reader 6 and up] is KNOWN for the ability to hold
scripting, JAVA, VBS, and other attack possibilities.

No Script is designed to limit activities to a *specific SITE* in the
**BROWSER** [Firefox and Opera - yes supposedly installable], off site
activities must be *individually allowed*. It also attempts to block other
potential issues, so if you need something else, try setting up the
Options... or uninstall it...

Most sensible people advise DOWNLOADING the PDF and viewing WHILE OFF LINE
to potentially block some of the hacks now used within PDFs.

--
~
--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Diagnostics, Security, Networking
http://peoplescounsel.org
The *REAL WORLD* of Law, Justice, and Government
_______

You're saying that Foxit is no more secure than Adobe?
--
DaffyD®

If I Knew Where I Was I'd Be There Now.

"MEB" MEB@not@here wrote in message
...
Here we go again, another Adobe Reader vulnerability.... NOTE that JAVA is
instrumental in this vulnerability... and note the reg entry modification
if
you are still using Adobe Reader.

NOTE: the regedit example is for NT/XP/VISTA [version 5 - - 9X = REGEDIT4]

IF you need an alternative and are willing to give up all the nifty
functions{vulnerabilities} of Adobe or even Foxit, you can try SumatraPDF
[plain pdf viewing with primitive interface, and may not open all pdf
versions or formats].

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Alert System

Technical Cyber Security Alert TA09-051A


Adobe Acrobat and Reader Vulnerability

Original release date: February 20, 2009
Last revised: --
Source: US-CERT


Systems Affected

* Adobe Reader version 9 and earlier
* Adobe Acrobat (Professional, 3D, and Standard) version 9 and
earlier


Overview

Adobe has released Security Bulletin APSB09-01, which describes a
vulnerability that affects Adobe Reader and Acrobat. This
vulnerability could allow a remote attacker to execute arbitrary
code.


I. Description

Adobe Security Bulletin APSB09-01 describes a memory-corruption
vulnerability that affects Adobe Reader and Acrobat. Further
details are available in Vulnerability Note VU#905281. An attacker
could exploit these vulnerabilities by convincing a user to load a
specially crafted Adobe Portable Document Format (PDF) file.
Acrobat integrates with popular web browsers, and visiting a
website is usually sufficient to cause Acrobat to load PDF content.


II. Impact

An attacker may be able to execute arbitrary code.


III. Solution

Disable JavaScript in Adobe Reader and Acrobat

Disabling Javascript may prevent some exploits from resulting in
code execution. Acrobat JavaScript can be disabled using the
Preferences menu (Edit - Preferences - JavaScript and un-check
Enable Acrobat JavaScript).


Prevent Internet Explorer from automatically opening PDF documents

The installer for Adobe Reader and Acrobat configures Internet
Explorer to automatically open PDF files without any user
interaction. This behavior can be reverted to the safer option of
prompting the user by importing the following as a .REG file:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00


Disable the display of PDF documents in the web browser

Preventing PDF documents from opening inside a web browser will
partially mitigate this vulnerability. If this workaround is
applied it may also mitigate future vulnerabilities. To prevent PDF
documents from automatically being opened in a web browser, do the
following:
1. Open Adobe Acrobat Reader.
2. Open the Edit menu.
3. Choose the preferences option.
4. Choose the Internet section.
5. Un-check the "Display PDF in browser" check box.


Do not access PDF documents from untrusted sources

Do not open unfamiliar or unexpected PDF documents, particularly
those hosted on web sites or delivered as email attachments. Please
see Cyber Security Tip ST04-010.


IV. References

* Adobe Security Bulletin apsa09-01 -
http://www.adobe.com/support/security/advisories/apsa09-01.html

* Securing Your Web Browser -
http://www.us-cert.gov/reading_room/securing_browser/

* Vulnerability Note VU#905281 -
http://www.kb.cert.org/vuls/id/905281

__________________________________________________ __________________

The most recent version of this document can be found at:

http://www.us-cert.gov/cas/techalerts/TA09-051A.html
__________________________________________________ __________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to with "TA09-051A Feedback VU#905281" in
the subject.
__________________________________________________ __________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit http://www.us-cert.gov/cas/signup.html.
__________________________________________________ __________________

Produced 2009 by US-CERT, a government organization.

Terms of use:

http://www.us-cert.gov/legal.html
__________________________________________________ __________________

Revision History

February 20, 2009: Initial release


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBSZ8ayXIHljM+H4irAQIUcAf+M01pEVt0f1ZdRvCQwS Yw1efnHu4YGdhI
xT27jeKvaW/h6ghGx0L9YWCSn/A2LY3D+fDU1PZmWi7TT/SMEQ8LvKomyCu026Dv
fD63qIXYj3NoPu11bINKFX4HFQCOYWKuM/58Y8mDQXOg0RLhePfMhMbB/S5/xpNT
J09FupEgMvbD+tjVILP+W8JSY4YtAxUJLHfB7cTTHGtlKZyAsn nmJM3Oi4au10DW
vqZD8JefoMLeV2MTGRyP4HGTaRxVY1+yucXO1KBGnKX7otCRkC WOupEuKw+tIEkT
YsYIlkH5MzftkesSEDpDMIAiIE+uprJRv2HGkc38Rhbs/03JyxxVlA==
=HSro
-----END PGP SIGNATURE-----

You're saying that Foxit is no more secure than Adobe?
--
DaffyD®

If I Knew Where I Was I'd Be There Now.

"MEB" MEB@not@here wrote in message
...
Here we go again, another Adobe Reader vulnerability.... NOTE that JAVA is
instrumental in this vulnerability... and note the reg entry modification
if
you are still using Adobe Reader.

NOTE: the regedit example is for NT/XP/VISTA [version 5 - - 9X = REGEDIT4]

IF you need an alternative and are willing to give up all the nifty
functions{vulnerabilities} of Adobe or even Foxit, you can try SumatraPDF
[plain pdf viewing with primitive interface, and may not open all pdf
versions or formats].

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Alert System

Technical Cyber Security Alert TA09-051A


Adobe Acrobat and Reader Vulnerability

Original release date: February 20, 2009
Last revised: --
Source: US-CERT


Systems Affected

* Adobe Reader version 9 and earlier
* Adobe Acrobat (Professional, 3D, and Standard) version 9 and
earlier


Overview

Adobe has released Security Bulletin APSB09-01, which describes a
vulnerability that affects Adobe Reader and Acrobat. This
vulnerability could allow a remote attacker to execute arbitrary
code.


I. Description

Adobe Security Bulletin APSB09-01 describes a memory-corruption
vulnerability that affects Adobe Reader and Acrobat. Further
details are available in Vulnerability Note VU#905281. An attacker
could exploit these vulnerabilities by convincing a user to load a
specially crafted Adobe Portable Document Format (PDF) file.
Acrobat integrates with popular web browsers, and visiting a
website is usually sufficient to cause Acrobat to load PDF content.


II. Impact

An attacker may be able to execute arbitrary code.


III. Solution

Disable JavaScript in Adobe Reader and Acrobat

Disabling Javascript may prevent some exploits from resulting in
code execution. Acrobat JavaScript can be disabled using the
Preferences menu (Edit - Preferences - JavaScript and un-check
Enable Acrobat JavaScript).


Prevent Internet Explorer from automatically opening PDF documents

The installer for Adobe Reader and Acrobat configures Internet
Explorer to automatically open PDF files without any user
interaction. This behavior can be reverted to the safer option of
prompting the user by importing the following as a .REG file:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00


Disable the display of PDF documents in the web browser

Preventing PDF documents from opening inside a web browser will
partially mitigate this vulnerability. If this workaround is
applied it may also mitigate future vulnerabilities. To prevent PDF
documents from automatically being opened in a web browser, do the
following:
1. Open Adobe Acrobat Reader.
2. Open the Edit menu.
3. Choose the preferences option.
4. Choose the Internet section.
5. Un-check the "Display PDF in browser" check box.


Do not access PDF documents from untrusted sources

Do not open unfamiliar or unexpected PDF documents, particularly
those hosted on web sites or delivered as email attachments. Please
see Cyber Security Tip ST04-010.


IV. References

* Adobe Security Bulletin apsa09-01 -
http://www.adobe.com/support/security/advisories/apsa09-01.html

* Securing Your Web Browser -
http://www.us-cert.gov/reading_room/securing_browser/

* Vulnerability Note VU#905281 -
http://www.kb.cert.org/vuls/id/905281

__________________________________________________ __________________

The most recent version of this document can be found at:

http://www.us-cert.gov/cas/techalerts/TA09-051A.html
__________________________________________________ __________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to with "TA09-051A Feedback VU#905281" in
the subject.
__________________________________________________ __________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit http://www.us-cert.gov/cas/signup.html.
__________________________________________________ __________________

Produced 2009 by US-CERT, a government organization.

Terms of use:

http://www.us-cert.gov/legal.html
__________________________________________________ __________________

Revision History

February 20, 2009: Initial release


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBSZ8ayXIHljM+H4irAQIUcAf+M01pEVt0f1ZdRvCQwS Yw1efnHu4YGdhI
xT27jeKvaW/h6ghGx0L9YWCSn/A2LY3D+fDU1PZmWi7TT/SMEQ8LvKomyCu026Dv
fD63qIXYj3NoPu11bINKFX4HFQCOYWKuM/58Y8mDQXOg0RLhePfMhMbB/S5/xpNT
J09FupEgMvbD+tjVILP+W8JSY4YtAxUJLHfB7cTTHGtlKZyAsn nmJM3Oi4au10DW
vqZD8JefoMLeV2MTGRyP4HGTaRxVY1+yucXO1KBGnKX7otCRkC WOupEuKw+tIEkT
YsYIlkH5MzftkesSEDpDMIAiIE+uprJRv2HGkc38Rhbs/03JyxxVlA==
=HSro
-----END PGP SIGNATURE-----

MEB wrote:

Here we go again, another Adobe Reader vulnerability....

And as usual, I'm very suspicious about win-98 vulnerability
Adobe has announced updates will be made available for 7, 8
and 9, but is silent about 6.

The silence holds, because, as everywhere, you aren't supposed to
be using it. Readers beyond 6 attempted to correct the inherent
vulnerabilities and issues found in Reader 6, and added their own...

What vulnerabilities?

Secunia lists 11 vulnerabilities for Acrobat 6:

http://secunia.com/advisories/produc...ask=advisories

10 of them have been patched (the 11'th has no real security
implications).

The last one patched was Jan/2007.

If there have been other confirmed Acrobat 6 vulnerabilities announced
after Jan 2007, then please post the details here.

Doesn't make much sense to just ignore the ^6 vulnerabilities,,, just
because no one specifically includes an outdated and unsupported Reader
[support stopped several years ago...] in their warnings by specific
mention.

The strength of an outdated version is that vulnerabilities found in
newer versions may not apply to it.

When developers create new versions of anything, as we know, they
usually create a range of new vulnerabilites that the old versions will
simply not have.

Most likely, because this issue is fundamentally a JAVA-triggered
problem, I presume that a pending JRE update will eliminate the Acrobat
vulnerability, and any question as to whether or not Acrobat 6 is
affected will be moot.

And BTW, there are only 3 issues (including this recent issue) that
affects Acrobat 7, 8 and 9 that are not listed for Acrobat 6. All 3
issues seem to be JavaScript mediated. Again, I presume that updates to
the JRE have (or will) be performed to eliminate those vectors, in which
case they will find their way into JRE 5.x versions (which are still
being released, and which are still win-98 compatible).

MEB wrote:

Here we go again, another Adobe Reader vulnerability....

And as usual, I'm very suspicious about win-98 vulnerability
Adobe has announced updates will be made available for 7, 8
and 9, but is silent about 6.

The silence holds, because, as everywhere, you aren't supposed to
be using it. Readers beyond 6 attempted to correct the inherent
vulnerabilities and issues found in Reader 6, and added their own...

What vulnerabilities?

Secunia lists 11 vulnerabilities for Acrobat 6:

http://secunia.com/advisories/produc...ask=advisories

10 of them have been patched (the 11'th has no real security
implications).

The last one patched was Jan/2007.

If there have been other confirmed Acrobat 6 vulnerabilities announced
after Jan 2007, then please post the details here.

Doesn't make much sense to just ignore the ^6 vulnerabilities,,, just
because no one specifically includes an outdated and unsupported Reader
[support stopped several years ago...] in their warnings by specific
mention.

The strength of an outdated version is that vulnerabilities found in
newer versions may not apply to it.

When developers create new versions of anything, as we know, they
usually create a range of new vulnerabilites that the old versions will
simply not have.

Most likely, because this issue is fundamentally a JAVA-triggered
problem, I presume that a pending JRE update will eliminate the Acrobat
vulnerability, and any question as to whether or not Acrobat 6 is
affected will be moot.

And BTW, there are only 3 issues (including this recent issue) that
affects Acrobat 7, 8 and 9 that are not listed for Acrobat 6. All 3
issues seem to be JavaScript mediated. Again, I presume that updates to
the JRE have (or will) be performed to eliminate those vectors, in which
case they will find their way into JRE 5.x versions (which are still
being released, and which are still win-98 compatible).

Uhmm, JRE huh, Adobe Reader uses its own hacks and internal
authorizations...

So how many new vulnerabilities do you find listed for Windows 98 on
Secunia?
[Think before you answer]

--
~
--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Diagnostics, Security, Networking
http://peoplescounsel.org
The *REAL WORLD* of Law, Justice, and Government
_______



"98 Guy" wrote in message ...
MEB wrote:

Here we go again, another Adobe Reader vulnerability....

And as usual, I'm very suspicious about win-98 vulnerability
Adobe has announced updates will be made available for 7, 8
and 9, but is silent about 6.

The silence holds, because, as everywhere, you aren't supposed to
be using it. Readers beyond 6 attempted to correct the inherent
vulnerabilities and issues found in Reader 6, and added their own...

What vulnerabilities?

Secunia lists 11 vulnerabilities for Acrobat 6:

http://secunia.com/advisories/produc...ask=advisories

10 of them have been patched (the 11'th has no real security
implications).

The last one patched was Jan/2007.

If there have been other confirmed Acrobat 6 vulnerabilities announced
after Jan 2007, then please post the details here.

Doesn't make much sense to just ignore the ^6 vulnerabilities,,, just
because no one specifically includes an outdated and unsupported Reader
[support stopped several years ago...] in their warnings by specific
mention.

The strength of an outdated version is that vulnerabilities found in
newer versions may not apply to it.

When developers create new versions of anything, as we know, they
usually create a range of new vulnerabilites that the old versions will
simply not have.

Most likely, because this issue is fundamentally a JAVA-triggered
problem, I presume that a pending JRE update will eliminate the Acrobat
vulnerability, and any question as to whether or not Acrobat 6 is
affected will be moot.

And BTW, there are only 3 issues (including this recent issue) that
affects Acrobat 7, 8 and 9 that are not listed for Acrobat 6. All 3
issues seem to be JavaScript mediated. Again, I presume that updates to
the JRE have (or will) be performed to eliminate those vectors, in which
case they will find their way into JRE 5.x versions (which are still
being released, and which are still win-98 compatible).